**Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main
+**Value name:** Cookies
+**Value type:** REG_DWORD
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/configure-do-not-track-include.md b/browsers/edge/includes/configure-do-not-track-include.md
new file mode 100644
index 0000000000..e36295abe0
--- /dev/null
+++ b/browsers/edge/includes/configure-do-not-track-include.md
@@ -0,0 +1,34 @@
+
+>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Not configured (Does not send tracking information)*
+
+[!INCLUDE [configure-do-not-track-shortdesc](../shortdesc/configure-do-not-track-shortdesc.md)]
+
+### Allowed values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Not configured |Blank |Blank |Does not send tracking information, but allow users to choose whether to send tracking information to sites they visit. | |
+|Disabled |1 |1 |Never sends tracking information. | |
+|Enabled
**(default)** |1 |1 |Sends tracking information, including to the third parties whose content may be hosted on the sites visited. | |
+---
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Configure Do Not Track
+- **GP name:** AllowDoNotTrack
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[AllowDoNotTrack](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowdonottrack)
+- **Supported devices:** Desktop and Mobile
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowDoNotTrack
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HLKM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main
+- **Value name:** DoNotTrack
+- **Value type:** REG_DWORD
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/configure-edge-kiosk-reset-idle-timeout-include.md b/browsers/edge/includes/configure-edge-kiosk-reset-idle-timeout-include.md
new file mode 100644
index 0000000000..71f1bb7715
--- /dev/null
+++ b/browsers/edge/includes/configure-edge-kiosk-reset-idle-timeout-include.md
@@ -0,0 +1,45 @@
+
+>*Default setting: 5 minutes*
+
+[!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](../shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md)]
+
+You must set the Configure kiosk mode policy to enabled (1 - InPrivate public browsing) and configure Microsoft Edge as a single-app in assigned access for this policy to take effect; otherwise, Microsoft Edge ignores this setting. To learn more about assigned access and kiosk configuration, see [Configure kiosk and shared devices running Windows desktop editions](https://docs.microsoft.com/en-us/windows/configuration/kiosk-shared-pc).
+
+### Allowed values
+
+- **Any integer from 1-1440 (5 minutes is the default)** – The time in minutes from the last user activity before Microsoft Edge kiosk mode resets to the default kiosk configuration. A confirmation dialog displays for the user to cancel or continue and automatically continues after 30 seconds.
+
+- **0** – No idle timer.
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Configure kiosk reset after idle timeout
+- **GP name:** ConfigureKioskResetAfterIdleTimeout
+- **GP element:** ConfigureKioskResetAfterIdleTimeout_TextBox
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[ConfigureKioskResetAfterIdleTimeout](../new-policies.md#configure-kiosk-reset-after-idle-timeout)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HLKM\Software\Policies\Microsoft\MicrosoftEdge\KioskMode
+- **Value name:**ConfigureKioskResetAfterIdleTimeout
+- **Value type:** REG_DWORD
+
+
+
+### Related policies
+
+[Configure kiosk mode](../new-policies.md#configure-kiosk-mode): [!INCLUDE [configure-kiosk-mode-shortdesc](../shortdesc/configure-kiosk-mode-shortdesc.md)]
+
+
+
+### Related topics
+[Deploy Microsoft Edge kiosk mode](../microsoft-edge-kiosk-mode-deploy.md): Microsoft Edge kiosk mode works with assigned access to allow IT administrators, to create a tailored browsing experience designed for kiosk devices. In this deployment guidance, you learn about the different Microsoft Edge kiosk mode types to help you determine what configuration is best suited for your kiosk device. You also learn about the other group policies to help you enhance the how to setup your Microsoft Edge kiosk mode experience.
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/configure-enterprise-mode-site-list-include.md b/browsers/edge/includes/configure-enterprise-mode-site-list-include.md
new file mode 100644
index 0000000000..f44608c9dc
--- /dev/null
+++ b/browsers/edge/includes/configure-enterprise-mode-site-list-include.md
@@ -0,0 +1,121 @@
+
+>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Disabled or not configured*
+
+
+[!INCLUDE [configure-enterprise-mode-site-list-shortdesc](../shortdesc/configure-enterprise-mode-site-list-shortdesc.md)]
+
+### Allowed values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Disabled or not configured
**(default)** |0 |0 |Turned off. Microsoft Edge does not check the Enterprise Mode Site List, and in this case, users might experience problems while using legacy apps. | |
+|Enabled |1 |1 |Turned on. Microsoft Edge checks the Enterprise Mode Site List if configured. If an XML file exists in the cache container, IE11 waits 65 seconds and then checks the local cache for a new version from the server. If the server has a different version, Microsoft Edge uses the server file and stores it in the cache container. If you already use a site list, Enterprise Mode continues to work during the 65 second, but uses the existing file. To add the location to your site list, enter it in the **{URI}** box.For details on how to configure the Enterprise Mode Site List, see the [Instructions](#instructions) section below. | |
+---
+
+### ADMX info and settings
+
+#### ADMX info
+- **GP English name:** Configure the Enterprise Mode Site List
+- **GP name:** EnterpriseModeSiteList
+- **GP element:** EnterSiteListPrompt
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[EnterpriseModeSiteList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist)
+- **Supported devices:** Desktop and Mobile
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/EnterpriseModeSiteList
+- **Data type:** String
+
+#### Registry settings
+- **Path:** HLKM\Software\Policies\Microsoft\MicrosoftEdge\Main\EnterpriseMode
+- **Value name:** SiteList
+- **Value type:** REG_SZ
+
+### Related Policies
+
+[Show message opening sites in IE](../available-policies.md#show-message-when-opening-sites-in-internet-explorer):
+[!INCLUDE
+[show-message-when-opening-sites-in-ie-shortdesc](../shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md)]
+
+### Related topics
+
+- [Use Enterprise Mode to improve compatibility](https://docs.microsoft.com/en-us/microsoft-edge/deploy/emie-to-improve-compatibility). If you have specific web sites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the web sites will automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work properly with Microsoft Edge, you can set all intranet sites to automatically open using IE11. Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11.
+
+- [Use the Enterprise Mode Site List Manager](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager). You can use IE11 and the Enterprise Mode Site List Manager to add individual website domains and domain paths and to specify whether the site renders using Enterprise Mode or the default mode.
+
+- [Enterprise Mode for Internet Explorer 11](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11). Learn how to set up and use Enterprise Mode and the Enterprise Mode Site List Manager in your company.
+
+- [Enterprise Mode and the Enterprise Mode Site List](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode). Internet Explorer and Microsoft Edge can work together to support your legacy web apps, while still defaulting to the higher bar for security and modern experiences enabled by Microsoft Edge. Working with multiple browsers can be difficult, particularly if you have a substantial number of internal sites. To help manage this dual-browser experience, we are introducing a new web tool specifically targeted towards larger organizations: the [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal).
+
+- [Enterprise Mode and the Enterprise Mode Site List XML file](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode#enterprise-mode-and-the-enterprise-mode-site-list-xml-file). The Enterprise Mode Site List is an XML document that specifies a list of sites, their compat mode, and their intended browser. Using Enterprise Mode Site List Manager (schema v.2), you can automatically start a webpage using a specific browser. In the case of IE11, the webpage can also be launched in a specific compat mode, so it always renders correctly. Your users can easily view this site list by typing about:compat in either Microsoft Edge or IE11.
+
+### Scenarios
+
+Certain sites or web apps still use ActiveX controls, Browser Helper Objects, VBScript, or other legacy technology, which Microsoft Edge does not support. If you have web sites or web apps that still use this technology and need IE11 to run, you must use Enterprise Mode and the Enterprise Mode Site List to address common compatibility issues with legacy apps. Enterprise Mode is a compatibility
+mode that runs on Internet Explorer 11 and Microsoft Edge on Windows 10 devices.
+
+### Instructions
+
+
+You build your Enterprise Mode list with the Enterprise Mode Site List Manager and apply it with Group Policy.
+
+To turn it on for IE 11, you enable [Use the Enterprise Mode IE website list](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list),
+which is the equivalent to this Microsoft Edge policy.
+
+>[!NOTE]
+>We recommend that you store and download your website list from a secure web server (https://), to help protect against data tampering. After the list is downloaded, it is stored locally on your user's computer so if the centralized file location is unavailable, they can still use Enterprise Mode.
+
+- [Step 1. Turn on Enterprise Mode](#step-1-turn-on-enterprise-mode)
+- [Step 2. (Optional) Import your Enterprise Mode Site List](#step-2-optional-import-your-enterprise-mode-site-list)
+- [Step 3. Add sites to your list](#step-3-add-sites-to-your-list)
+- [Step 4. Turn on Enterprise Mode and use a site list](#step-4-set-up-microsoft-edge-to-use-the-enterprise-mode-site-list)
+- [Step 5. Send all intranet sites to Internet Explorer 11](#step-5-send-all-intranet-sites-to-internet-explorer-11)
+
+#### Step 1. Turn on Enterprise Mode
+
+[!INCLUDE [turn-on-enterprise-mode-and-use-a-site-list](../../enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md)]
+
+#### Step 2. (Optional) Import your Enterprise Mode Site List
+
+[!INCLUDE [import-into-the-enterprise-mode-site-list-mgr-include](../../includes/import-into-the-enterprise-mode-site-list-mgr-include.md)]
+
+#### Step 3. Add sites to your list
+
+1. In the Enterprise Mode Site List Manager, click **Add**.
+
+2. In the **URL** box, type or paste the URL for the website experiencing compatibility problems, like *\*.com or *\*.com/*\*.You do not need to include the `http://` or `https://` designation. The tool automatically tries both versions during validation.
+
+3. In the **Notes about URL**, enter any comments about the website.
Administrators can only see comments while they are in this tool.
+
+4. Click in the **Open in IE** column next to the URL that should open in IE11.
The path within a domain can require a different compatibility mode from the domain itself. For example, the domain might look fine in the default IE11 browser, but the path might have problems and require the use of Enterprise Mode. If you added the domain previously, your original compatibility choice is still selected. However, if the domain is new, Enterprise Mode is automatically selected.
+
+5. Click **Save** to validate your website and to add it to the site list for your enterprise.
If your site passes validation, it is added to the global compatibility list. If the site fails to pass validation, an error message displays explaining the problem. You can either cancel the site or ignore the validation problem and add it to your list anyway.
+
+6. On the **File** menu, go to where you want to save the file, and then click **Save to XML**.
You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your Group Policy setting.
+
+#### Step 4. Set up Microsoft Edge to use the Enterprise Mode Site List
+
+add the steps here, if there are steps
+
+#### Step 5. Send all intranet sites to Internet Explorer 11
+
+Enabling the Send all intranet sites to Internet Explorer 11 policy automatically opens all intranet sites in IE11, even if the users have Microsoft Edge as their default browser.
+
+1. In Group Policy Editor, navigate to:
**Computer Configuration\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file**
+
+2. Click **Enabled** and then refresh the policy and then vew the affected sites in Microsoft Edge.
A message displays saying that the page needs to open in IE. At the same time, the page opens in IE11 automatically; in a new frame if it is not yet running, or in a new tab.
+
+### Troubleshooting
+
+- If an XML already exists, make sure it is syntactically correct.
+
+- If an update or delete operation failed, check if the entry already exists in the site list.
+
+- If a user is not able to sign in, the account might not have access. Check if the account is marked as active.
+
+- Check if the Enterprise Mode Site List is loaded correctly by browsing to "about:compat" in both Microsoft Edge and Internet Explorer. Deselect the Microsoft Compatibility List to see your custom entries.
+
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/configure-favorites-bar-include.md b/browsers/edge/includes/configure-favorites-bar-include.md
new file mode 100644
index 0000000000..611d62f935
--- /dev/null
+++ b/browsers/edge/includes/configure-favorites-bar-include.md
@@ -0,0 +1,36 @@
+
+>*Default setting: Not configured (Hidden)*
+
+
+[!INCLUDE [allow-favorites-bar-shortdesc](../shortdesc/configure-favorites-bar-shortdesc.md)]
+
+
+### Allowed values
+
+|Group Policy |MDM |Registry |Description |
+|---|:---:|:---:|---|
+|Not configured
**(default)** |Blank |Blank |Hide the favorites bar but show it on the Start and New tab pages. The favorites bar toggle, in Settings, is set to Off but enabled allowing users to make changes. |
+|Disabled |0 |0 |Hide the favorites bar on all pages. Also, the favorites bar toggle, in Settings, is set to Off and disabled preventing users from making changes. Microsoft Edge also hides the “show bar/hide bar” option in the context menu. |
+|Enabled |1 |1 |Show the favorites bar on all pages. Also, the favorites bar toggle, in Settings, is set to On and disabled preventing users from making changes. Microsoft Edge also hides the “show bar/hide bar” option in the context menu. |
+---
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Configure Favorites Bar
+- **GP name:** ConfigureFavoritesBar
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[ConfigureFavoritesBar](../new-policies.md#configure-favorites-bar)
+- **Supported devices:** Desktop and Mobile
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureFavoritesBar
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HLKM\Software\Policies\Microsoft\MicrosoftEdge\Main
+- **Value name:** ConfigureFavoritesBar
+- **Value type:** REG_DWORD
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/configure-favorites-include.md b/browsers/edge/includes/configure-favorites-include.md
new file mode 100644
index 0000000000..e5b0666c42
--- /dev/null
+++ b/browsers/edge/includes/configure-favorites-include.md
@@ -0,0 +1,6 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
+>*Default setting: Disabled or not configured*
+
+
+>>deprecated
diff --git a/browsers/edge/includes/configure-home-button-include.md b/browsers/edge/includes/configure-home-button-include.md
new file mode 100644
index 0000000000..c18e8f645f
--- /dev/null
+++ b/browsers/edge/includes/configure-home-button-include.md
@@ -0,0 +1,52 @@
+
+>*Default setting: Disabled or not configured (Show home button and load the Start page)*
+
+
+[!INCLUDE [configure-home-button-shortdesc](../shortdesc/configure-home-button-shortdesc.md)]
+
+### Allowed values
+
+|Group Policy |MDM |Registry |Description |
+|---|:---:|:---:|---|
+|Disabled or not configured
**(default)** |0 |0 |Show the home button and load the Start page. |
+|Enabled |1 |1 |Show the home button and load the New tab page. |
+|Enabled |2 |2 |Show the home button and load the custom URL defined in the Set Home Button URL policy. |
+|Enabled |3 |3 |Hide the home button. |
+---
+
+With these values, you can do any of the following configurations:
+
+
+
+
+
+
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Configure Home Button
+- **GP name:** ConfigureHomeButton
+- **GP element:** ConfigureHomeButtonDropdown
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[ConfigureHomeButton](../new-policies.md#configure-home-button)
+- **Supported devices:** Desktop and Mobile
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HLKM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings
+- **Value name:** ConfigureHomeButton
+- **Value type:** REG_DWORD
+
+### Related policies
+
+- [Set Home button URL](../new-policies.md#set-home-button-url): [!INCLUDE [set-home-button-url-shortdesc](../shortdesc/set-home-button-url-shortdesc.md)]
+
+- [Unlock Home button](../new-policies.md#unlock-home-button): [!INCLUDE [unlock-home-button-shortdesc](../shortdesc/unlock-home-button-shortdesc.md)]
+
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/configure-inprivate-include.md b/browsers/edge/includes/configure-inprivate-include.md
new file mode 100644
index 0000000000..c04c0d0150
--- /dev/null
+++ b/browsers/edge/includes/configure-inprivate-include.md
@@ -0,0 +1,32 @@
+## Configure InPrivate
+
+>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Disabled or not configured
+
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+| | | | | |
+| | | | | |
+| | | | | |
+---
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:**
+- **GP name:**
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[]()
+- **Supported devices:** Desktop and Mobile
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HLKM\Software\Policies\Microsoft\MicrosoftEdge\
+- **Value name:**
+- **Value type:** REG_DWORD
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/configure-microsoft-edge-kiosk-mode-include.md b/browsers/edge/includes/configure-microsoft-edge-kiosk-mode-include.md
new file mode 100644
index 0000000000..dde0c0591d
--- /dev/null
+++ b/browsers/edge/includes/configure-microsoft-edge-kiosk-mode-include.md
@@ -0,0 +1,46 @@
+
+
+>*Default setting: Not configured*
+
+[!INCLUDE [configure-kiosk-mode-shortdesc](../shortdesc/configure-kiosk-mode-shortdesc.md)]
+
+For this policy to work, you must configure Microsoft Edge in assigned access; otherwise, Microsoft Edge ignores the settings in this policy. To learn more about assigned access and kiosk configuration, see [Configure kiosk and shared devices running Windows desktop editions](https://aka.ms/E489vw).
+
+### Allowed values
+
+| | |
+|---|---|
+|(0) Default or not configured |- If it’s a single app, Microsoft Edge runs InPrivate full screen for digital signage or interactive displays.
- If it’s one of many apps, Microsoft Edge runs as normal.
|
+|(1) Enabled | |
+---
+
+
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Configure kiosk mode
+- **GP name:** ConfigureKioskMode
+- **GP element:** ConfigureKioskMode_TextBox
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[ConfigureKioskMode](../new-policies.md#configure-kiosk-mode)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HLKM\Software\Policies\Microsoft\MicrosoftEdge\KioskMode
+- **Value name:** ConfigureKioskMode
+- **Value type:** REG_SZ
+
+### Related policies
+[Configure kiosk reset after idle timeout](../new-policies.md#configure-kiosk-reset-after-idle-timeout): [!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](../shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md)]
+
+
+### Related topics
+[Deploy Microsoft Edge kiosk mode](../microsoft-edge-kiosk-mode-deploy.md): Microsoft Edge kiosk mode works with assigned access to allow IT administrators, to create a tailored browsing experience designed for kiosk devices. In this deployment guidance, you learn about the different Microsoft Edge kiosk mode types to help you determine what configuration is best suited for your kiosk device. You also learn about the other group policies to help you enhance the how to setup your Microsoft Edge kiosk mode experience.
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/configure-open-edge-with-include.md b/browsers/edge/includes/configure-open-edge-with-include.md
new file mode 100644
index 0000000000..cbc5227902
--- /dev/null
+++ b/browsers/edge/includes/configure-open-edge-with-include.md
@@ -0,0 +1,67 @@
+
+>*Default setting: Enabled (A specific page or pages)*
+
+[!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../shortdesc/configure-open-microsoft-edge-with-shortdesc.md)]
+
+**Version 1703 or later:**
If you don't want to send traffic to Microsoft, use the \ value, which honors both domain and non domain-joined devices when it's the only configured URL.
+
+**Version 1810:**
When you enable this policy and select an option, and also enable the Configure Start Pages policy, Microsoft Edge ignores the Configure Start Page policy.
+
+### Allowed values
+
+|Group Policy |MDM |Registry |Description |
+|---|:---:|:---:|---|
+|Not configured |Blank |Blank |If you don't configure this policy and you enable the Disable Lockdown of Start Pages policy, users can change or customize the Start page. |
+|Enabled |0 |0 |Loads the Start page. |
+|Enabled |1 |1 |Load the New tab page. |
+|Enabled |2 |2 |Load the previous pages. |
+|Enabled
**(default)** |3 |3 |Load a specific page or pages. |
+---
+
+### Configuration combinations
+| **Configure Open Microsoft Edge With** | **Configure Start Pages** | **Disabled Lockdown of Start Pages** | **Outcome** |
+| --- | --- | --- | --- |
+| Enabled (applies to all options) | Enabled – String | Enabled (all configured start pages are editable) | Load URLs defined in the Configure Open Microsoft Edge With policy, and allow users to make changes. |
+| Disabled or not configured | Enabled – String | Enabled (any Start page configured in the Configured Start Pages policy) | Load any start page and let users make changes .|
+| Enabled (Start page) | Enabled – String | Blank or not configured | Load Start page(s) and prevent users from making changes. |
+| Enabled (New tab page) | Enabled – String | Blank or not configured | Load New tab page and prevent users from making changes. |
+| Enabled (Previous pages) | Enabled – String | Blank or not configured | Load previously opened pages and prevent users from making changes. |
+| Enabled (A specific page or pages) | Enabled – String | Blank or not configured | Load a specific page or pages and prevent users from making changes. |
+| Enabled (A specific page or pages) | Enabled – String | Enabled (any Start page configured in Configure Start Pages policy) | Load a specific page or pages and let users make changes. |
+---
+
+
+If you want to make changes to this policy:
- Set the Disabled Lockdown of Start Pages to not configured.
- Make changes to the Configure Open Microsoft With policy.
- Enable the Disabled Lockdown of Start Pages.
+
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Configure Open Microsoft Edge With
+- **GP name:** ConfigureOpenMicrosoftEdgeWith
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[ConfigureOpenEdgeWith](../new-policies.md#configure-open-microsoft-edge-with)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureOpenEdgeWith
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HLKM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings
+- **Value name:** ConfigureOpenEdgeWith
+- **Value type:** REG_DWORD
+
+### Related policies
+
+- [Configure Start pages](../available-policies.md#configure-start-pages): [!INCLUDE [configure-start-pages-shortdesc](../shortdesc/configure-start-pages-shortdesc.md)]
+
+- [Disable lockdown of Start pages](../available-policies.md#disable-lockdown-of-start-pages): [!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../shortdesc/disable-lockdown-of-start-pages-shortdesc.md)]
+
+
+
+
+
+---
\ No newline at end of file
diff --git a/browsers/edge/includes/configure-password-manager-include.md b/browsers/edge/includes/configure-password-manager-include.md
new file mode 100644
index 0000000000..e4fd5ea88c
--- /dev/null
+++ b/browsers/edge/includes/configure-password-manager-include.md
@@ -0,0 +1,39 @@
+
+>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Enabled (Allowed)
+
+[!INCLUDE [configure-password-manager-shortdesc](../shortdesc/configure-password-manager-shortdesc.md)]
+
+### Allowed values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Not configured |Blank |Blank |Users can choose whether to save and manage passwords locally. | |
+|Disabled |0 |no |Not allowed. | |
+|Enabled
**(default)** |1 |yes |Allowed. | |
+---
+
+Verify not allowed/disabled settings:
+1. In the upper-right corner of Microsoft Edge or Microsoft Edge for Windows 10 Mobile, click or tap ellipses (…).
+2. Click **Settings** and select **View Advanced settings**.
+3. Verify the settings **???** are greyed out.
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Configure Password Manager
+- **GP name:** AllowPasswordManager
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[AllowPasswordManager](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowpasswordmanager)
+- **Supported devices:** Desktop and Mobile
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowPasswordManager
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HLKM\Software\Policies\Microsoft\MicrosoftEdge\Main
+- **Value name:** FormSuggest Passwords
+- **Value type:** REG_SZ
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/configure-pop-up-blocker-include.md b/browsers/edge/includes/configure-pop-up-blocker-include.md
new file mode 100644
index 0000000000..0aac032d4b
--- /dev/null
+++ b/browsers/edge/includes/configure-pop-up-blocker-include.md
@@ -0,0 +1,34 @@
+
+>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Disabled (Turned off)*
+
+[!INCLUDE [configure-pop-up-blocker-shortdesc](../shortdesc/configure-pop-up-blocker-shortdesc.md)]
+
+### Allowed values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Not configured |Blank |Blank |Users can choose to use Pop-up Blocker. | |
+|Disabled
**(default)** |0 |0 |Turns off Pop-up Blocker letting pop-ups windows appear. | |
+|Enabled |1 |1 |Turns on Pop-up Blocker stopping pop-up windows from appearing. | |
+---
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Configure Pop-up Blocker
+- **GP name:** AllowPopups
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[AllowPopups](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowpopups)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowPopups
+- **Data type:** Integer
+
+### Registry
+- **Path:** HLKM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main
+- **Value name:** AllowPopups
+- **Value type:** REG_SZ
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/configure-search-suggestions-address-bar-include.md b/browsers/edge/includes/configure-search-suggestions-address-bar-include.md
new file mode 100644
index 0000000000..1374e9fcd8
--- /dev/null
+++ b/browsers/edge/includes/configure-search-suggestions-address-bar-include.md
@@ -0,0 +1,34 @@
+
+>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Not configured*
+
+[!INCLUDE [configure-search-suggestions-in-address-bar-shortdesc](../shortdesc/configure-search-suggestions-in-address-bar-shortdesc.md)]
+
+### Allowed values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Not configured
**(default)** |Blank |Blank |Users can choose to see search suggestions. | |
+|Disabled |0 |0 |Hides the search suggestions. | |
+|Enabled |1 |1 |Shows the search suggestions. | |
+---
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Configure search suggestions in Address bar
+- **GP name:** AllowSearchSuggestionsinAddressBar
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[AllowSearchSuggestionsinAddressBar](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsearchsuggestionsinaddressbar)
+- **Supported devices:** Desktop and Mobile
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSearchSuggestionsinAddressBar
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HLKM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\SearchScopes
+- **Value name:** ShowSearchSuggestionsGlobal
+- **Value type:** REG_DWORD
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/configure-start-pages-include.md b/browsers/edge/includes/configure-start-pages-include.md
new file mode 100644
index 0000000000..857f6cdf5a
--- /dev/null
+++ b/browsers/edge/includes/configure-start-pages-include.md
@@ -0,0 +1,129 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+>*Default setting: Blank or not configured (Load pages specified in App settings)*
+
+[!INCLUDE [configure-start-pages-shortdesc](../shortdesc/configure-start-pages-shortdesc.md)]
+
+### Allowed values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Not configured |Blank |Blank |Microsoft Edge loads the pages specified in App settings as the default Start pages. | |
+|Enabled | | |Enter URLs to the pages, separating multiple pages by using angle brackets in the following format:\\**Version 1703 or later:**
If you do not want to send traffic to Microsoft, use the \ value, which honors both domain and non-domain-joined devices when it is the only configured URL.**Version 1810:**
When you enable the Configure Open Microsoft Edge With policy with an option selected, and you enable the Configure Start Pages policy, Microsoft Edge ignores the Configure Start Page policy. | |
+---
+
+### Configuration combinations
+| **Configure Open Microsoft Edge With** | **Configure Start Pages** | **Disabled Lockdown of Start Pages** | **Outcome** |
+| --- | --- | --- | --- |
+| Enabled (applies to all options) | Enabled – String | Enabled (all configured start pages are editable) | [\#1: Load URLs defined in the Configure Open Microsoft Edge With policy, and allow users to edit all configured start pages.](#1-load-the-urls-defined-in-the-configure-open-microsoft-edge-with-policy-and-allow-users-to-edit-all-configured-start-pages) |
+| Disabled or not configured | Enabled – String | Enabled (any Start page configured in the Configured Start Pages policy) | [\#2: Load any start page and allow users to edit their Start pages.](#2-load-any-start-page-configured-using-the-configured-start-pages-policy-and-allow-users-to-edit-their-start-pages) |
+| Enabled (Start page) | Enabled – String | Blank or not configured | [\#3: Load Start page(s) and prevent users from changing it.](#3-load-the-start-pages-and-prevent-users-from-making-changes) |
+| Enabled (New tab page) | Enabled – String | Blank or not configured | [\#4: Load New tab page and prevent users from changing it.](#4-load-the-new-tab-page-and-prevent-users-from-making-changes) |
+| Enabled (Previous pages) | Enabled – String | Blank or not configured | [\#5: Load previously opened pages and prevent users from changing it.](#5-load-the-previously-opened-pages-that-were-opened-when-microsoft-edge-last-closed-and-prevent-users-from-making-changes) |
+| Enabled (A specific page or pages) | Enabled – String | Blank or not configured | [\#6: Load a specific page or pages and prevent users from changing it.](#6-load-a-specific-page-or-pages-defined-in-the-configure-start-pages-policy-and-prevent-users-from-making-changes) |
+| Enabled (A specific page or pages) | Enabled – String | Enabled (any Start page configured in Configure Start Pages policy) | [\#7: Load a specific page or pages and allow users to make changes to their Start page.](#7-load-a-specific-page-or-pages-defined-in-the-configure-start-pages-policy-and-allow-users-to-make-changes-to-their-start-page) |
+| N/A | Blank or not configured | N/A | Microsoft Edge loads the pages specified in App settings as the default Start pages. |
+---
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Configure Start pages
+- **GP name:** HomePages
+- **GP element:** HomePagesPrompt
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[HomePages](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-homepages)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/HomePages
+- **Data type:** String
+
+#### Registry settings
+- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Internet Settings
+- **Value name:** ProvisionedHomePages
+- **Value type:** REG_SZ
+
+
+### Related policies
+
+- [Disable Lockdown of Start Pages](#disable-lockdown-of-start-pages-include): [!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../shortdesc/disable-lockdown-of-start-pages-shortdesc.md)]
+
+- [Configure Start Pages](#configure-start-pages-include): [!INCLUDE [configure-start-pages-shortdesc](../shortdesc/configure-start-pages-shortdesc.md)]
+
+### Scenarios
+
+#### \#1: Load URLs defined in the Configure Open Microsoft Edge With policy, and allow users to edit all configured start pages.
+
+1. Enable the **Configure Open Microsoft Edge With** policy. Applies to all options for this policy.
+
+2. In the **Configure Start Pages** policy, enter URLs to the pages, separating multiple pages by using angle brackets:
\\
+
+3. Enable the **Disabled Lockdown of Start Pages** policy by selecting *All configured start pages are editable*.
+
+---
+
+#### \#2: Load any start page and allow users to edit their Start pages.
+
+1. Disable or don't configure the **Configure Open Microsoft Edge With** policy.
+
+2. In the **Configure Start Pages** policy, enter URLs to the pages, separating multiple pages by using angle brackets in the following format: \\
+
+3. Enable the **Disabled Lockdown of Start Pages** policy by selecting *Start pages are not editable*.
+
+---
+
+#### \#3: Load Start page(s) and prevent users from changing it.
+
+1. Enable the **Configure Open Microsoft Edge With** policy by selecting *Start page*.
+
+2. In the **Configure Start Pages** policy, enter URLs to the pages, separating multiple pages by using angle brackets:
\\
+
+3. Disable or don't configure the **Disabled Lockdown of Start Pages** policy.
+
+---
+
+#### \#4: Load New tab page and prevent users from changing it..
+
+1. Enable the **Configure Open Microsoft Edge With** policy by selecting *New tab page*.
+
+2. In the **Configure Start Pages** policy, enter URLs to the pages, separating multiple pages by using angle brackets:
\\
+
+3. Disable or don't configure the **Disabled Lockdown of Start Pages** policy.
+
+---
+
+
+#### \#5: Load previously opened pages and prevent users from changing it.
+
+1. Enable the **Configure Open Microsoft Edge With** policy by selecting *Previous pages*.
+
+2. In the **Configure Start Pages** policy, enter URLs to the pages, separating multiple pages by using angle brackets:
\\
+
+3. Disable or don't configure the **Disabled Lockdown of Start Pages** policy.
+
+---
+
+
+#### \#6: Load a specific page or pages and prevent users from changing it.
+
+1. Enable the **Configure Open Microsoft Edge With** policy by selecting *A specific page or pages*.
+
+2. In the **Configure Start Pages** policy, enter URLs to the pages, separating multiple pages by using angle brackets:
\\
+
+3. Disable or don't configure the **Disabled Lockdown of Start Pages** policy.
+
+---
+
+
+#### \#7: Load a specific page or pages and allow users to make changes to their Start page.
+
+1. Enable the **Configure Open Microsoft Edge With** policy by selecting *A specific page or pages*.
+
+2. In the **Configure Start Pages** policy, enter URLs to the pages, separating multiple pages by using angle brackets:
\\
+
+3. Enable **Disabled Lockdown of Start Pages** by selecting *Start pages are not editable*.
+
+---
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/configure-windows-defender-smartscreen-include.md b/browsers/edge/includes/configure-windows-defender-smartscreen-include.md
new file mode 100644
index 0000000000..3752670d09
--- /dev/null
+++ b/browsers/edge/includes/configure-windows-defender-smartscreen-include.md
@@ -0,0 +1,40 @@
+
+>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Enabled (Turned on)*
+
+[!INCLUDE [configure-windows-defender-smartscreen-shortdesc](../shortdesc/configure-windows-defender-smartscreen-shortdesc.md)]
+
+### Allowed values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Not configured |Blank |Blank |Users can choose to use Windows Defender SmartScreen or not. | |
+|Disabled |0 |0 |Turned off. Does not protect users from potential threats and preventing users from turning it on. | |
+|Enabled |1 |1 |Turned on. Protects users from potential threats and prevents users from turning it off. | |
+---
+
+To verify Windows Defender SmartScreen is turned off (disabled):
+1. In the upper-right corner of Microsoft Edge or Microsoft Edge for Windows 10 Mobile, click or tap the ellipses (**...**).
+2. Click **Settings** and select **View Advanced Settings**.
+3. At the bottom, verify that **Help protect me from malicious sites and download with SmartScreen Filter** is greyed out.
+
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Configure Windows Defender SmartScreen
+- **GP name:** AllowSmartScreen
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[AllowSmartScreen](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen)
+- **Supported devices:** Desktop and Mobile
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter
+- **Value name:** EnabledV9
+- **Value type:** REG_DWORD
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/disable-lockdown-of-start-pages-include.md b/browsers/edge/includes/disable-lockdown-of-start-pages-include.md
new file mode 100644
index 0000000000..dc85c9cd65
--- /dev/null
+++ b/browsers/edge/includes/disable-lockdown-of-start-pages-include.md
@@ -0,0 +1,121 @@
+
+>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Enabled (Start pages are not editable)*
+
+[!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../shortdesc/disable-lockdown-of-start-pages-shortdesc.md)]
+
+### Allowed values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Not configured |0 |0 |Lockdown Start pages configured in either the Configure Open Microsoft Edge With policy and Configure Start Pages policy. | |
+|Enabled |1 |1 |Unlocked. Users can make changes to all configured start pages.When you enable this policy and define a set of URLs in the Configure Start Pages policy, Microsoft Edge uses the URLs defined in the Configure Open Microsoft Edge With policy. | |
+---
+
+### Configuration combinations
+| **Configure Open Microsoft Edge With** | **Configure Start Pages** | **Disabled Lockdown of Start Pages** | **Outcome** |
+| --- | --- | --- | --- |
+| Enabled (applies to all options) | Enabled – String | Enabled (all configured start pages are editable) | [\#1: Load URLs defined in the Configure Open Microsoft Edge With policy, and allow users to edit all configured start pages.](#1-load-the-urls-defined-in-the-configure-open-microsoft-edge-with-policy-and-allow-users-to-edit-all-configured-start-pages) |
+| Disabled or not configured | Enabled – String | Enabled (any Start page configured in the Configured Start Pages policy) | [\#2: Load any start page and allow users to edit their Start pages.](#2-load-any-start-page-configured-using-the-configured-start-pages-policy-and-allow-users-to-edit-their-start-pages) |
+| Enabled (Start page) | Enabled – String | Blank or not configured | [\#3: Load Start page(s) and prevent users from changing it.](#3-load-the-start-pages-and-prevent-users-from-making-changes) |
+| Enabled (New tab page) | Enabled – String | Blank or not configured | [\#4: Load New tab page and prevent users from changing it.](#4-load-the-new-tab-page-and-prevent-users-from-making-changes) |
+| Enabled (Previous pages) | Enabled – String | Blank or not configured | [\#5: Load previously opened pages and prevent users from changing it.](#5-load-the-previously-opened-pages-that-were-opened-when-microsoft-edge-last-closed-and-prevent-users-from-making-changes) |
+| Enabled (A specific page or pages) | Enabled – String | Blank or not configured | [\#6: Load a specific page or pages and prevent users from changing it.](#6-load-a-specific-page-or-pages-defined-in-the-configure-start-pages-policy-and-prevent-users-from-making-changes) |
+| Enabled (A specific page or pages) | Enabled – String | Enabled (any Start page configured in Configure Start Pages policy) | [\#7: Load a specific page or pages and allow users to make changes to their Start page.](#7-load-a-specific-page-or-pages-defined-in-the-configure-start-pages-policy-and-allow-users-to-make-changes-to-their-start-page) |
+| N/A | Blank or not configured | N/A | Microsoft Edge loads the pages specified in App settings as the default Start pages. |
+---
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Disable lockdown of Start pages
+- **GP name:** DisableLockdownOfStartPages
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[DisableLockdownOfStartPages]()
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/DisableLockdownOfStartPages
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings
+- **Value name:** DisableLockdownOfStartPages
+- **Value type:** REG_SZ
+
+
+### Scenarios
+#### \#1: Load URLs defined in the Configure Open Microsoft Edge With policy, and allow users to edit all configured start pages.
+
+1. Enable the **Configure Open Microsoft Edge With** policy. Applies to all options for this policy.
+
+2. In the **Configure Start Pages** policy, enter URLs to the pages, separating multiple pages by using angle brackets:
\\
+
+3. Enable the **Disabled Lockdown of Start Pages** policy by selecting *All configured start pages are editable*.
+
+
+#### \#2: Load any start page and allow users to edit their Start pages.
+
+1. Disable or don't configure the **Configure Open Microsoft Edge With** policy.
+
+2. In the **Configure Start Pages** policy, enter URLs to the pages, separating multiple pages by using angle brackets in the following format: \\
+
+3. Enable the **Disabled Lockdown of Start Pages** policy by selecting *Start pages are not editable*.
+
+
+#### \#3: Load Start page(s) and prevent users from changing it.
+
+1. Enable the **Configure Open Microsoft Edge With** policy by selecting *Start page*.
+
+2. In the **Configure Start Pages** policy, enter URLs to the pages, separating multiple pages by using angle brackets:
\\
+
+3. Disable or don't configure the **Disabled Lockdown of Start Pages** policy.
+
+
+#### \#4: Load New tab page and prevent users from changing it..
+
+1. Enable the **Configure Open Microsoft Edge With** policy by selecting *New tab page*.
+
+2. In the **Configure Start Pages** policy, enter URLs to the pages, separating multiple pages by using angle brackets:
\\
+
+3. Disable or don't configure the **Disabled Lockdown of Start Pages** policy.
+
+
+#### \#5: Load previously opened pages and prevent users from changing it.
+
+1. Enable the **Configure Open Microsoft Edge With** policy by selecting *Previous pages*.
+
+2. In the **Configure Start Pages** policy, enter URLs to the pages, separating multiple pages by using angle brackets:
\\
+
+3. Disable or don't configure the **Disabled Lockdown of Start Pages** policy.
+
+
+#### \#6: Load a specific page or pages and prevent users from changing it.
+
+1. Enable the **Configure Open Microsoft Edge With** policy by selecting *A specific page or pages*.
+
+2. In the **Configure Start Pages** policy, enter URLs to the pages, separating multiple pages by using angle brackets:
\\
+
+3. Disable or don't configure the **Disabled Lockdown of Start Pages** policy.
+
+
+#### \#7: Load a specific page or pages and allow users to make changes to their Start page.
+
+1. Enable the **Configure Open Microsoft Edge With** policy by selecting *A specific page or pages*.
+
+2. In the **Configure Start Pages** policy, enter URLs to the pages, separating multiple pages by using angle brackets:
\\
+
+3. Enable **Disabled Lockdown of Start Pages** by selecting *Start pages are not editable*.
+
+
+### Related Policies
+- [Configure Start pages](../available-policies.md#configure-start-pages): [!INCLUDE [configure-start-pages-shortdesc](../shortdesc/configure-start-pages-shortdesc.md)]
+
+- [Configure Open Microsoft Edge With](../new-policies.md#configure-open-microsoft-edge-with): [!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../shortdesc/configure-open-microsoft-edge-with-shortdesc.md)]
+
+
+### Related topics
+
+[Microsoft browser extension policy](aka.ms/browser policy)
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/do-not-prompt-client-cert-if-only-one-exists-include.md b/browsers/edge/includes/do-not-prompt-client-cert-if-only-one-exists-include.md
new file mode 100644
index 0000000000..b1fc2dd88c
--- /dev/null
+++ b/browsers/edge/includes/do-not-prompt-client-cert-if-only-one-exists-include.md
@@ -0,0 +1,31 @@
+
+>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Disabled or not configured*
+
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+| | | | | |
+| | | | | |
+| | | | | |
+---
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:**
+- **GP name:**
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[]()
+- **Supported devices:** Desktop and Mobile
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HLKM\Software\Policies\Microsoft\MicrosoftEdge\
+- **Value name:**
+- **Value type:** REG_DWORD
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/do-not-sync-browser-settings-include.md b/browsers/edge/includes/do-not-sync-browser-settings-include.md
new file mode 100644
index 0000000000..ef3c1b0884
--- /dev/null
+++ b/browsers/edge/includes/do-not-sync-browser-settings-include.md
@@ -0,0 +1,68 @@
+
+>*Default setting: Disabled or not configured (Allowed/turned on)*
+
+[!INCLUDE [do-not-sync-browser-settings-shortdesc](../shortdesc/do-not-sync-browser-settings-shortdesc.md)]
+
+### Allowed values
+
+|Group Policy |MDM |Registry |Description |
+|---|:---:|:---:|---|
+|Disabled or not configured
**(default)** |0 |0 |Allowed/turned on. The “browser” group syncs automatically between user’s devices and lets users to make changes. |
+|Enabled |2 |2 |Prevented/turned off. The “browser” group does not use the Sync your Settings option. |
+---
+
+### Configuration options
+
+#### Sync the browser settings automatically:
+**Disable** both the Do not sync browser settings Prevent users from turning on browser syncing policies.
+
+#### Prevent syncing of browser settings and prevent users from turning it on:
+1. **Enable** the Do not sync browser settings policy.
+2. **Enable** or don’t configure this policy (Prevented/turned off).
+
+#### Prevent syncing of browser settings and give users a choice to turn on syncing:
+1. **Enable** the Do not sync browser settings policy.
+2. **Disable** this policy (Allowed/turned on).
+
+#### Syncing turned off by default but not disabled:
+1. **Enable** the Do not sync browser setting policy.
+2. Select the _Allow users to turn “browser” syncing_ option.
+
+#### Verify configuration
+To verify if syncing is turned on or off:
+1. In the upper-right corner of Microsoft Edge, click the ellipses \(**...**\).
+2. Click **Settings**.
+3. Under Account, see if the setting is toggled on or off.
+
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Do not sync browser settings
+- **GP name:** DoNotSyncBrowserSetting
+- **GP path:** Windows Components/Sync your settings
+- **GP ADMX file name:** SettingSync.admx
+
+#### MDM settings
+- **MDM name:** Experience/[Experience/DoNotSyncBrowserSetting](../new-policies.md#donotsyncbrowsersetting)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/DoNotSyncBrowserSetting
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HLKM\\Software\Policies\Microsoft\Windows\SettingSync
+- **Value name:** DisableWebBrowserSettingSyncUserOverride
+- **Value type:** REG_DWORD
+
+
+### Related policies
+
+[Prevent users from turning on browser syncing](../new-policies.md#prevent-users-from-turning-on-browser-syncing): [!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](../shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md)]
+
+
+
+### Related topics
+
+[About sync setting on Microsoft Edge on Windows 10 devices](http://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices)
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/do-not-sync-include.md b/browsers/edge/includes/do-not-sync-include.md
new file mode 100644
index 0000000000..b9b5bd42c8
--- /dev/null
+++ b/browsers/edge/includes/do-not-sync-include.md
@@ -0,0 +1,25 @@
+
+>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Disabled or not configured (Turned on)*
+
+[!INCLUDE [do-not-sync-shortdesc](../shortdesc/do-not-sync-shortdesc.md)]
+
+### Allowed values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Disabled or not configured
**(default)** |0 |0 |Allowed/turned on. Users can choose what to sync to their device. | |
+|Enabled |2 |2 |Prevented/turned off. Disables the Sync your Settings toggle and prevents syncing. | |
+---
+
+### ADMX info and settings
+| |
+|---|
+|**ADMX info**- **GP English name:** Do not sync
- **GP name:** AllowSyncMySettings
- **GP path:** Windows Components/Microsoft Edge
- **GP ADMX file name:** MicrosoftEdge.admx
**MDM settings**- **MDM name:** Experience/[AllowSyncMySettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowsyncmysettings)
- **Supported devices:** Desktop
- **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/AllowSyncMySettings
- **Data type:** Integer
**Registry**- **Path:** HKLM\Software\Policies\Microsoft\Windows\SettingSync
- **Value name:** DisableSettingSync
- **Value type:** REG_DWORD
|
+---
+
+### Related topics
+[About sync setting on Microsoft Edge on Windows 10 devices](http://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices): Learn about what settings are sync'ed.
+
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/edge-respects-applocker-lists-include.md b/browsers/edge/includes/edge-respects-applocker-lists-include.md
new file mode 100644
index 0000000000..3f6b0aa3ce
--- /dev/null
+++ b/browsers/edge/includes/edge-respects-applocker-lists-include.md
@@ -0,0 +1,22 @@
+
+>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Disabled or not configured
+
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+| | | | | |
+| | | | | |
+| | | | | |
+---
+
+### ADMX info and settings
+| | |
+|---|---|
+|ADMX info |- **GP English name:**
- **GP name:**
- **GP path:** Windows Components/Microsoft Edge
- **GP ADMX file name:** MicrosoftEdge.admx
|
+|MDM settings |- **MDM name:** Browser/[]()
- **Supported devices:** Desktop and Mobile
- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/
- **Data type:** Integer
|
+|Registry |- **Path:** HLKM\Software\Policies\Microsoft\MicrosoftEdge\
- **Value name:**
- **Value type:** REG_DWORD
|
+---
+
+
+---
\ No newline at end of file
diff --git a/browsers/edge/includes/enable-device-for-dev-shortdesc-include.md b/browsers/edge/includes/enable-device-for-dev-shortdesc-include.md
new file mode 100644
index 0000000000..f724a38af6
--- /dev/null
+++ b/browsers/edge/includes/enable-device-for-dev-shortdesc-include.md
@@ -0,0 +1 @@
+[Enable your device for development](https://docs.microsoft.com/en-us/windows/uwp/get-started/enable-your-device-for-development): Developers can access special development features, along with other developer-focused settings, which makes it possible for them to develop, test, and debug apps. Learn how to configure your environment for development, the difference between Developer Mode and sideloading, and the security risks of Developer mode.
\ No newline at end of file
diff --git a/browsers/edge/includes/keep-fav-sync-ie-edge-include.md b/browsers/edge/includes/keep-fav-sync-ie-edge-include.md
new file mode 100644
index 0000000000..f5fbad9aef
--- /dev/null
+++ b/browsers/edge/includes/keep-fav-sync-ie-edge-include.md
@@ -0,0 +1,43 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+>*Default setting: Disabled or not configured (Turned off/not syncing)*
+
+[!INCLUDE [keep-favorites-in-sync-between-ie-and-edge-shortdesc](../shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md)]
+
+### Allowed values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Disabled or not configured
**(default)** |0 |0 |Turned off/not syncing. | |
+|Enabled |1 |1 |Turned on/syncing. | |
+---
+
+### Configuration combinations
+### Configuration combinations
+| **Keep favorites in sync between IE and Microsoft Edge** | **Provision Favorites** | **Outcome** |
+| --- | --- | --- |
+| Disabled or not configured (default) | Disabled or not configured (default) | **Turned off/not syncing**. Microsoft Edge prevents users from syncing their favorites. |
+| Enabled (turned on/syncing) | Disabled or not configured (default) | **Turned on/syncing**. Syncs favorites between Internet Explorer and Microsoft Edge. |
+| Enabled (turned on/syncing) | Enabled (provision list of favorites) | **Turned off/not syncing**. Microsoft Edge prevents users from syncing their favorites. |
+| Disabled or not configured (default) | Enabled (provision list of Favorites) | **Turned on/syncing**. Syncs favorites between Internet Explorer and Microsoft Edge. |
+---
+
+### ADMX info and settings
+### ADMX info
+- **GP English name:** Keep favorites in sync between Internet Explorer and Microsoft Edge
+- **GP name:** SyncFavoritesBetweenIEAndMicrosoftEdge
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[SyncFavoritesBetweenIEAndMicrosoftEdge](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-syncfavoritesbetweenieandmicrosoftedge)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SyncFavoritesBetweenIEAndMicrosoftEdge
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main
+- **Value name:** SyncFavoritesBetweenIEAndMicrosoftEdge
+- **Value type:** REG_DWORD
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/man-connections-win-comp-services-shortdesc-include.md b/browsers/edge/includes/man-connections-win-comp-services-shortdesc-include.md
new file mode 100644
index 0000000000..c0590648fa
--- /dev/null
+++ b/browsers/edge/includes/man-connections-win-comp-services-shortdesc-include.md
@@ -0,0 +1 @@
+[Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/en-us/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services): Learn about the network connections from Windows to Microsoft services. Also, learn about the privacy settings that affect the data shared with either Microsoft or apps and how to manage them in an enterprise. You can configure diagnostic data at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment.
\ No newline at end of file
diff --git a/browsers/edge/includes/prevent-access-about-flag-include.md b/browsers/edge/includes/prevent-access-about-flag-include.md
new file mode 100644
index 0000000000..7c25f2e218
--- /dev/null
+++ b/browsers/edge/includes/prevent-access-about-flag-include.md
@@ -0,0 +1,33 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1607 or later*
+>*Default setting: Disabled or not configured (Allowed)*
+
+[!INCLUDE [prevent-access-to-about-flags-page-shortdesc](../shortdesc/prevent-access-to-about-flags-page-shortdesc.md)]
+
+### Allowed values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Disabled or not configured
**(default)** |0 |0 |Allowed. | |
+|Enabled |1 |1 |Prevents users from access the about:flags page. | |
+---
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Prevent access to the about:flags page in Microsoft Edge
+- **GP name:** PreventAccessToAboutFlagsInMicrosoftEdge
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[PreventAccessToAboutFlagsInMicrosoftEdge](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventaccesstoaboutflagsinmicrosoftedge)
+- **Supported devices:** Desktop and Mobile
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventAccessToAboutFlagsInMicrosoftEdge
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main
+- **Value name:** PreventAccessToAboutFlagsInMicrosoftEdge
+- **Value type:** REG_DWORD
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/prevent-bypassing-win-defender-files-include.md b/browsers/edge/includes/prevent-bypassing-win-defender-files-include.md
new file mode 100644
index 0000000000..efbe7b14d1
--- /dev/null
+++ b/browsers/edge/includes/prevent-bypassing-win-defender-files-include.md
@@ -0,0 +1,33 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
+>*Default setting: Disabled or not configured (Allowed/turned off)*
+
+[!INCLUDE [prevent-bypassing-windows-defender-prompts-for-files-shortdesc](../shortdesc/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md)]
+
+### Allowed values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Disabled or not configured
**(default)** |0 |0 |Allowed/turned off. Users can ignore the warning and continue to download the unverified file(s). | |
+|Enabled |1 |1 |Prevented/turned on. | |
+---
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Prevent bypassing Windows Defender SmartScreen prompts for files
+- **GP name:** PreventSmartScreenPromptOverrideForFiles
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[PreventSmartScreenPromptOverrideForFiles](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverrideforfiles)
+- **Supported devices:** Desktop and Mobile
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter
+- **Value name:** PreventOverrideAppRepUnknown
+- **Value type:** REG_DWORD
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/prevent-bypassing-win-defender-sites-include.md b/browsers/edge/includes/prevent-bypassing-win-defender-sites-include.md
new file mode 100644
index 0000000000..eeaf631687
--- /dev/null
+++ b/browsers/edge/includes/prevent-bypassing-win-defender-sites-include.md
@@ -0,0 +1,33 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
+>*Default setting: Disabled or not configured (Allowed/turned off)*
+
+[!INCLUDE [prevent-bypassing-windows-defender-prompts-for-sites-shortdesc](../shortdesc/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md)]
+
+### Allowed values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Disabled or not configured
**(default)** |0 |0 |Allowed/turned off. Users can ignore the warning and continue to the site.| |
+|Enabled |1 |1 |Prevented/turned on. | |
+---
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Prevent bypassing Windows Defender SmartScreen prompts for sites
+- **GP name:** PreventSmartscreenPromptOverride
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[PreventSmartscreenPromptOverride](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverride)
+- **Supported devices:** Desktop and Mobile
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter
+- **Value name:** PreventOverride
+- **Value type:** REG_DWORD
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/prevent-certificate-error-overrides-include.md b/browsers/edge/includes/prevent-certificate-error-overrides-include.md
new file mode 100644
index 0000000000..469a2dc632
--- /dev/null
+++ b/browsers/edge/includes/prevent-certificate-error-overrides-include.md
@@ -0,0 +1,31 @@
+
+>*Default setting: Disabled or not configured (Allowed/turned off)*
+
+[!INCLUDE [prevent-certificate-error-overrides-shortdesc](../shortdesc/prevent-certificate-error-overrides-shortdesc.md)]
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Disabled or not configured
**(default)** |0 |0 |Allowed/turned on. Override the security warning to sites that have SSL errors. | |
+|Enabled |1 |1 |Prevented/turned on. | |
+---
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Prevent certificate error overrides
+- **GP name:** PreventCertErrorOverrides
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[PreventCertErrorOverrides](../new-policies.md#prevent-certificate-error-overrides)
+- **Supported devices:** Desktop and Mobile
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventCertErrorOverrides
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** Software\Policies\Microsoft\MicrosoftEdge\Internet Setting
+- **Value name:** PreventCertErrorOverrides
+- **Value type:** REG_DWORD
+
+
diff --git a/browsers/edge/includes/prevent-changes-to-favorites-include.md b/browsers/edge/includes/prevent-changes-to-favorites-include.md
new file mode 100644
index 0000000000..c0c3746933
--- /dev/null
+++ b/browsers/edge/includes/prevent-changes-to-favorites-include.md
@@ -0,0 +1,33 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1709 or later*
+>*Default setting: Disabled or not configured (Allowed/not locked down)*
+
+[!INCLUDE [prevent-changes-to-favorites-shortdesc](../shortdesc/prevent-changes-to-favorites-shortdesc.md)]
+
+### Allowed values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Disabled or not configured
**(default)** |0 |0 |Allowed/not locked down. Users can add, import, and make changes to the Favorites list. | |
+|Enabled |1 |1 |Prevented/locked down. | |
+---
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Prevent changes to Favorites on Microsoft Edge
+- **GP name:** LockdownFavorites
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[LockdownFavorites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-lockdownfavorites)
+- **Supported devices:** Desktop and Mobile
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/LockdownFavorites
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Favorites
+- **Value name:** LockdownFavorites
+- **Value type:** REG_DWORD
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/prevent-first-run-webpage-open-include.md b/browsers/edge/includes/prevent-first-run-webpage-open-include.md
new file mode 100644
index 0000000000..2e9f993088
--- /dev/null
+++ b/browsers/edge/includes/prevent-first-run-webpage-open-include.md
@@ -0,0 +1,33 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+>*Default setting: Disabled or not configured (Allowed)*
+
+[!INCLUDE [prevent-first-run-webpage-from-opening-shortdesc](../shortdesc/prevent-first-run-webpage-from-opening-shortdesc.md)]
+
+### Allowed values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Disabled or not configured
**(default)** |0 |0 |Allowed. Microsoft Edge loads the welcome page. | |
+|Enabled |1 |1 |Prevented. | |
+---
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Prevent the First Run webpage from opening on Microsoft Edge
+- **GP name:** PreventFirstRunPage
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[PreventFirstRunPage](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventfirstrunpage)
+- **Supported devices:** Desktop and Mobile
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventFirstRunPage
+- **Data type:** Integer
+
+####Registry
+- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main
+- **Value name:** PreventFirstRunPage
+- **Value type:** REG_DWORD
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/prevent-live-tile-pinning-start-include.md b/browsers/edge/includes/prevent-live-tile-pinning-start-include.md
new file mode 100644
index 0000000000..b13b6ccd49
--- /dev/null
+++ b/browsers/edge/includes/prevent-live-tile-pinning-start-include.md
@@ -0,0 +1,33 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+>*Default setting: Disabled or not configured (Collected and sent)*
+
+[!INCLUDE [prevent-edge-from-gathering-live-tile-info-shortdesc](../shortdesc/prevent-edge-from-gathering-live-tile-info-shortdesc.md)]
+
+### Allowed values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Disabled or not configured
**(default)** |0 |0 |Collect and send Live Tile metadata. | |
+|Enabled |1 |1 |Not collected and sent. | |
+---
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start
+- **GP name:** PreventLiveTileDataCollection
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[PreventLiveTileDataCollection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventlivetiledatacollection)
+- **Supported devices:** Desktop and Mobile
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventLiveTileDataCollection
+- **Data type:** Integer
+
+#### Registry settings
+**- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main
+**Value name:** PreventLiveTileDataCollection
+**Value type:** REG_DWORD
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/prevent-localhost-address-for-webrtc-include.md b/browsers/edge/includes/prevent-localhost-address-for-webrtc-include.md
new file mode 100644
index 0000000000..04b461121a
--- /dev/null
+++ b/browsers/edge/includes/prevent-localhost-address-for-webrtc-include.md
@@ -0,0 +1,33 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
+>*Default setting: Disabled or not configured (Allowed/show localhost IP addresses)*
+
+[!INCLUDE [prevent-using-localhost-ip-address-for-webrtc-shortdesc](../shortdesc/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md)]
+
+### Allowed values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Disabled or not configured
**(default)** |0 |0 |Allowed. Shows localhost IP addresses. | |
+|Enabled |1 |1 |Prevented. | |
+---
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Prevent using Localhost IP address for WebRTC
+- **GP name:** HideLocalHostIPAddress
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[PreventUsingLocalHostIPAddressForWebRTC](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventusinglocalhostipaddressforwebrtc)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventUsingLocalHostIPAddressForWebRTC
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main
+- **Value name:** HideLocalHostIPAddress
+- **Value type:** REG_DWORD
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/prevent-turning-off-required-extensions-include.md b/browsers/edge/includes/prevent-turning-off-required-extensions-include.md
new file mode 100644
index 0000000000..8b6ea6acbf
--- /dev/null
+++ b/browsers/edge/includes/prevent-turning-off-required-extensions-include.md
@@ -0,0 +1,45 @@
+
+>*Default setting: Disabled or not configured (Allowed)*
+
+[!INCLUDE [prevent-turning-off-required-extensions-shortdesc](../shortdesc/prevent-turning-off-required-extensions-shortdesc.md)]
+
+### Allowed values
+
+|Group Policy |Description |
+|---|---|
+|Disabled or not configured
**(default)** |Provide a semi-colon delimited list of extension PFNs. For example, adding _Microsoft.OneNoteWebClipper8wekyb3d8bbwe_ or _Microsoft.OfficeOnline8wekyb3d8bbwe_ prevents a user from turning off the OneNote Web Clipper and Office Online extension. After defining the list of extensions, you deploy them through any available enterprise deployment channel, such as Microsoft Intune. Removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension. |
+|Enabled |Allowed. Users can uninstall extensions. If you previously enabled this policy and you decide to disable it, the list of extension PFNs defined in this policy get ignored. |
+---
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Prevent turning off required extensions
+- **GP name:** PreventTurningOffRequiredExtensions
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[PreventTurningOffRequiredExtensions](../new-policies.md#prevent-turning-off-required-extensions)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventTurningOffRequiredExtensions
+- **Data type:** String
+
+#### Registry settings
+- **Path:** HLKM\Software\Policies\Microsoft\MicrosoftEdge\Extensions
+- **Value name:** PreventTurningOffRequiredExtensions
+- **Value type:** REG_SZ
+
+### Related policies
+[Allow Developer Tools](../available-policies.md#allow-developer-tools): [!INCLUDE [allow-developer-tools-shortdesc](../shortdesc/allow-developer-tools-shortdesc.md)]
+
+
+### Related topics
+
+- [Find a package family name (PFN) for per-app VPN](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn): There are two ways to find a PFN so that you can configure a per-app VPN.
+- [How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune](https://docs.microsoft.com/en-us/intune/windows-store-for-business): The Microsoft Store for Business gives you a place to find and purchase apps for your organization, individually, or in volume. By connecting the store to Microsoft Intune, you can manage volume-purchased apps from the Azure portal.
+- [How to assign apps to groups with Microsoft Intune](https://docs.microsoft.com/en-us/intune/apps-deploy): Apps can be assigned to devices whether or not they are managed by Intune.
+- [Manage apps from the Microsoft Store for Business with System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business): Configuration Manager supports managing Microsoft Store for Business apps on both Windows 10 devices with the Configuration Manager client, and also Windows 10 devices enrolled with Microsoft Intune.
+- [How to add Windows line-of-business (LOB) apps to Microsoft Intune](https://docs.microsoft.com/en-us/intune/lob-apps-windows): A line-of-business (LOB) app is one that you add from an app installation file. These types of apps are typically written in-house.
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/prevent-users-to-turn-on-browser-syncing-include.md b/browsers/edge/includes/prevent-users-to-turn-on-browser-syncing-include.md
new file mode 100644
index 0000000000..c59893611a
--- /dev/null
+++ b/browsers/edge/includes/prevent-users-to-turn-on-browser-syncing-include.md
@@ -0,0 +1,46 @@
+
+
+>*Default setting: Enabled or not configured (Prevented/turned off)*
+
+[!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](../shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md)]
+
+### Allowed values
+|Group Policy |MDM |Registry |Description |
+|---|:---:|:---:|---|
+|Disabled |0 |0 |Allowed/turned on. Users can sync the browser settings. |
+|Enabled or not configured
**(default)** |1 |1 |Prevented/turned off. |
+---
+
+### Configuration options
+
+| **Do not sync browser settings** | **Prevent users from turning on browser syncing** | **Result** |
+| --- | --- | --- |
+| Disabled or not configured (0 default) – Turned on. Let users make changes | Disabled (0 default) | Sync browser settings automatically. |
+| Disabled or not configured (0 default) – Turned on. Let users make changes | Enabled or not configured (1) | Sync browser settings automatically. |
+| Enabled (2) – Prevented/turned off | Disabled (0 default) | Prevent syncing of browser settings and let users choose to turn it on. |
+| Enabled (2) – Turned off | Enabled or not configured (1) | Prevent syncing of browser settings and prevents users from turning on syncing. |
+---
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Prevent users from turning on browser syncing
+- **GP name:** PreventUsersFromTurningOnBrowserSyncing
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Experience/[PreventUsersFromTurningOnBrowserSyncing](../new-policies.md#prevent-users-from-turning-on-browser-syncing)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/PreventUsersFromTurningOnBrowserSyncing
+- **Data type:** String
+
+
+### Related policies
+[Do not sync browser settings](../available-policies.md#do-not-sync-browser-settings): [!INCLUDE [do-not-sync-browser-settings-shortdesc](../shortdesc/do-not-sync-browser-settings-shortdesc.md)].
+
+### Related topics
+[About sync setting on Microsoft Edge on Windows 10 devices](http://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices)
+
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/provision-favorites-include.md b/browsers/edge/includes/provision-favorites-include.md
new file mode 100644
index 0000000000..6ed0f7f204
--- /dev/null
+++ b/browsers/edge/includes/provision-favorites-include.md
@@ -0,0 +1,49 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
+>*Default setting: Disabled or not configured (Customizable)*
+
+[!INCLUDE [provision-favorites-shortdesc](../shortdesc/provision-favorites-shortdesc.md)]
+
+>[!IMPORTANT]
+>Enable only this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy. If you enable both, Microsoft Edge prevents users from syncing their favorites between the two browsers.
+
+### Allowed values
+
+|Group Policy |Description |Most restricted |
+|---|---|:---:|
+|Disabled or not configured
**(default)** |Default list of favorites not defined in Microsoft Edge. In this case, the Favorites list is customizable, such as adding folders, or adding and removing favorites. | |
+|Enabled |Define a default list of favorites in Microsoft Edge. In this case, the Save a Favorite, Import settings, and context menu options (such as Create a new folder) are turned off.To define a default list of favorites, do the following:
- In the upper-right corner of Microsoft Edge, click the ellipses (**...**) and select **Settings**.
- Click **Import from another browser**, click **Export to file**, and save the file.
- In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision. Specify the URL as:
- HTTP location: "SiteList"=http://localhost:8080/URLs.html
- Local network: "SiteList"="\network\shares\URLs.html"
- Local file: "SiteList"=file:///c:\Users\\Documents\URLs.html
| |
+---
+
+### Configuration combinations
+| **Keep favorites in sync between IE and Microsoft Edge** | **Provision Favorites** | **Outcome** |
+| --- | --- | --- |
+| Disabled or not configured (default) | Disabled or not configured (default) | **Turned off/not syncing**. Microsoft Edge prevents users from syncing their favorites. |
+| Enabled (turned on/syncing) | Disabled or not configured (default) | **Turned on/syncing**. Syncs favorites between Internet Explorer and Microsoft Edge. |
+| Enabled (turned on/syncing) | Enabled (provision list of favorites) | **Turned off/not syncing**. Microsoft Edge prevents users from syncing their favorites. |
+| Disabled or not configured (default) | Enabled (provision list of Favorites) | **Turned on/syncing**. Syncs favorites between Internet Explorer and Microsoft Edge. |
+---
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Provision Favorites
+- **GP name:** ConfiguredFavorites
+- **GP element:** ConfiguredFavoritesPrompt
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[ProvisionFavorites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ProvisionFavorites
+- **Data type:** String
+
+#### Registry settings
+- **Path:** HLKM\Software\Policies\Microsoft\MicrosoftEdge\Favorites
+- **Value name:** ConfiguredFavorites
+- **Value type:** REG_SZ
+
+### Related policies
+[Keep favorites in sync between Internet Explorer and Microsoft Edge](../available-policies.md#keep-favorites-in-sync-between-internet-explorer-and-microsoft-edge): [!INCLUDE [keep-favorites-in-sync-between-ie-and-edge-shortdesc](../shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md)]
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/search-provider-discovery-shortdesc-include.md b/browsers/edge/includes/search-provider-discovery-shortdesc-include.md
new file mode 100644
index 0000000000..e550bc4e57
--- /dev/null
+++ b/browsers/edge/includes/search-provider-discovery-shortdesc-include.md
@@ -0,0 +1 @@
+[Search provider discovery](https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/browser/search-provider-discovery): Microsoft Edge follows the OpenSearch 1.1 specification to discover and use web search providers. When a user browses to a search service, the OpenSearch description is picked up and saved for later use. Users can then choose to add the search service to use in the Microsoft Edge address bar.
\ No newline at end of file
diff --git a/browsers/edge/includes/send-all-intranet-sites-ie-include.md b/browsers/edge/includes/send-all-intranet-sites-ie-include.md
new file mode 100644
index 0000000000..6fbca02b24
--- /dev/null
+++ b/browsers/edge/includes/send-all-intranet-sites-ie-include.md
@@ -0,0 +1,53 @@
+
+>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Disabled or not configured*
+
+[!INCLUDE [send-all-intranet-sites-to-ie-shortdesc](../shortdesc/send-all-intranet-sites-to-ie-shortdesc.md)]
+
+>[!TIP]
+>Microsoft Edge does not support ActiveX controls, Browser Helper Objects, VBScript, or other legacy technology. If you have websites or web apps that still use this technology and needs IE11 to run, you can add them to the Enterprise Mode site list, using Enterprise Mode Site List Manager. Allowed values.
+
+
+### Allowed values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Disabled or not configured
**(default)** |0 |0 |All sites, including intranet sites, open in Microsoft Edge automatically. | |
+|Enabled |1 |1 |Only intranet sites open in Internet Explorer 11 automatically.Enabling this policy automatically opens all intranet sites in IE11, even if the users have Microsoft Edge as their default browser.
- In Group Policy Editor, navigate to:
**Computer Configuration\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file** - Click **Enabled** and then refresh the policy and then vew the affected sites in Microsoft Edge.
A message displays saying that the page needs to open in IE. At the same time, the page opens in IE11 automatically; in a new frame if it is not yet running, or in a new tab.
| |
+---
+
+### Configuration combinations
+
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Send all intranet sites to Internet Explorer 11
+- **GP name:** SendIntranetTraffictoInternetExplorer
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[SendIntranetTraffictoInternetExplorer](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-sendintranettraffictointernetexplorer)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SendIntranetTraffictoInternetExplorer
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HLKM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main
+- **Value name:** SendIntranetTraffictoInternetExplorer
+- **Value type:** REG_DWORD
+
+### Related Policies
+- [Configure the Enterprise Mode Site List](../available-policies.md#configure-the-enterprise-mode-site-list): [!INCLUDE [configure-enterprise-mode-site-list-shortdesc](../shortdesc/configure-enterprise-mode-site-list-shortdesc.md)]
+
+- [Show message when opening sites in Internet Explorer](../available-policies.md#show-message-when-opening-sites-in-internet-explorer): [!INCLUDE [show-message-when-opening-sites-in-ie-shortdesc](../shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md)]
+
+
+### Related topics
+- [Blog: How Microsoft Edge and Internet Explorer 11 on Windows 10 work better together in the Enterprise](https://go.microsoft.com/fwlink/p/?LinkID=624035). Many customers depend on legacy features only available in older versions of Internet Explorer and are familiar with our Enterprise Mode tools for IE11. The Enterprise Mode has been extended to support to Microsoft Edge by opening any site specified on the Enterprise Mode Site List in IE11. IT Pros can use their existing IE11 Enterprise Mode Site List or they can create a new one specifically for Microsoft Edge. By keeping Microsoft Edge as the default browser in Windows 10 and only opening legacy line of business sites in IE11 when necessary, you can help keep newer development projects on track, using the latest web standards on Microsoft Edge.
+
+- [Enterprise Mode for Internet Explorer 11 (IE11)](https://go.microsoft.com/fwlink/p/?linkid=618377). Learn how to set up and use Enterprise Mode and the Enterprise Mode Site List Manager in your company.
+
+- [Use the Enterprise Mode Site List Manager](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager). You can use IE11 and the Enterprise Mode Site List Manager to add individual website domains and domain paths and to specify whether the site renders using Enterprise Mode or the default mode.
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/set-default-search-engine-include.md b/browsers/edge/includes/set-default-search-engine-include.md
new file mode 100644
index 0000000000..4f1d34a791
--- /dev/null
+++ b/browsers/edge/includes/set-default-search-engine-include.md
@@ -0,0 +1,62 @@
+
+>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+>*Default setting: Not configured (Defined in App settings)*
+
+[!INCLUDE [set-default-search-engine-shortdesc](../shortdesc/set-default-search-engine-shortdesc.md)]
+
+### Allowed values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Not configured
**(default)** |Blank |Blank |Microsoft Edge uses the default search engine specified in App settings. If you don't configure this policy and disable the [Allow search engine customization](#allow-search-engine-customization-include) policy, users cannot make changes. | |
+|Disabled |0 |0 |Microsoft Edge removes the policy-set search engine and uses the Microsoft Edge specified engine for the market. | |
+|Enabled |1 |1 |Microsoft Edge uses the policy-set search engine specified in the OpenSearch XML file. Users cannot change the default search engine.Specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/browser/search-provider-discovery). Use this format to specify the link you want to add.
If you want users to use the default Microsoft Edge settings for each market set the string to EDGEDEFAULT.
If you would like users to use Microsoft Bing as the default search engine set the string to EDGEBING. | |
+---
+
+### Configuration combinations
+
+| **Set default search engine** | **Allow search engine customization** | **Configure additional search engines** | **Outcome** |
+| --- | --- | --- | --- |
+| Not configured (default) | Disabled | Disabled or not configured (default) | Default search engine specified in App settings. Users cannot make changes. |
+| Not configured (default) | Enabled or not configured (default) | Disabled or not configured (default) | Default search engine specified in App settings. Users can make changes to the default search engine at any time. |
+| Disabled | Disabled | Disabled or not configured (default) | Users cannot add, remove, or change any of the search engines, but they can set a default search engine. |
+| Disabled | Enabled or not configured (default) | Disabled or not configured (default) | Users can add new search engines or change the default search engine, in Settings. |
+| Enabled | Disabled | Disabled or not configured (default) | Set the default search engine preventing users from making changes. |
+| Enabled | Enabled or not configured (default) | Disabled or not configured (default) | Set the default search engine and allow users to add search engines or make changes. |
+---
+
+
+
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Set default search engine
+- **GP name:** SetDefaultSearchEngine
+- **GP element:** SetDefaultSearchEngine_Prompt
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** [SetDefaultSearchEngine](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-setdefaultsearchengine)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetDefaultSearchEngine
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HLKM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\OpenSearch
+- **Value name:** SetDefaultSearchEngine
+- **Value type:** REG_SZ
+
+### Related policies
+
+- [Configure additional search engines](../available-policies.md#configure-additional-search-engines): [!INCLUDE [configure-additional-search-engines-shortdesc](../shortdesc/configure-additional-search-engines-shortdesc.md)]
+
+- [Allow search engine customization](../available-policies.md#allow-search-engine-customization): [!INCLUDE [allow-search-engine-customization-shortdesc](../shortdesc/allow-search-engine-customization-shortdesc.md)]
+
+### Related topics
+
+- [Microsoft browser extension policy](https://docs.microsoft.com/en-us/legal/windows/agreements/microsoft-browser-extension-policy): This document describes the supported mechanisms for extending or modifying the behavior or user experience of Microsoft Edge and Internet Explorer, or the content displayed by these browsers. Any technique not explicitly listed in this document is considered **unsupported**.
+
+- [Search provider discovery](https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/browser/search-provider-discovery): Rich search integration is built into the Microsoft Edge address bar, including search suggestions, results from the web, your browsing history, and favorites.
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/set-home-button-url-include.md b/browsers/edge/includes/set-home-button-url-include.md
new file mode 100644
index 0000000000..2b4e632d2f
--- /dev/null
+++ b/browsers/edge/includes/set-home-button-url-include.md
@@ -0,0 +1,56 @@
+
+>*Default setting: Disabled or not configured (Blank)*
+
+[!INCLUDE [set-home-button-url-shortdesc](../shortdesc/set-home-button-url-shortdesc.md)]
+
+### Allowed values
+
+|Group Policy |MDM |Registry |Description |
+|---|:---:|:---:|---|
+|Disabled or not configured
**(default)** |Blank |Blank |Show the home button and loads the Start page and locks down the home button to prevent users from changing what page loads. |
+|Enabled - String |String |String |Enter a URL in string format, for example, https://www.msn.com. A custom URL loads when clicking the home button. You must also enable the [Configure Home Button](../new-policies.md#configure-home-button) policy and select the _Show home button & set a specific page_ option. |
+---
+
+With these values, you can do any of the following configurations:
+
+#### Show the home button, load a custom URL, and let users make changes:
+1. **Configure Home Button:** Enable and select the _Show the home button & set a specific page_ option.
+2. **Set Home Button URL:** Enter a URL in string format, for example, https://www.bing.com.
+3. **Unlock Home Button:** Enable to let users make changes.
+
+#### Show the home button, load a custom URL, and prevent users from making changes:
+1. **Configure Home Button:** Enable and select the _Show the home button & set a specific page_ option.
+2. **Set Home Button URL:** Enter a URL in string format, for example, https://www.bing.com.
+3. **Unlock Home Button:** Leave disabled or not configured.
+
+#### Hide the home button:
+Enable the **Configure Home Button** policy and select the _Hide home button_ option.
+
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Set Home Button URL
+- **GP name:** SetHomeButtonURL
+- **GP element:** SetHomeButtonURLPrompt
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[SetHomeButtonURL](../new-policies.md#set-home-button-url)
+- **Supported devices:** Desktop and Mobile
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings
+- **Value name:** ConfigureHomeButtonURL
+- **Value type:** REG_SZ
+
+### Related policies
+
+- [Configure Home Button](../new-policies.md#configure-home-button): [!INCLUDE [configure-home-button-shortdesc](../shortdesc/configure-home-button-shortdesc.md)]
+
+- [Unlock Home button](../new-policies.md#unlock-home-button): [!INCLUDE [unlock-home-button-shortdesc](../shortdesc/unlock-home-button-shortdesc.md)]
+
+
diff --git a/browsers/edge/includes/set-new-tab-url-include.md b/browsers/edge/includes/set-new-tab-url-include.md
new file mode 100644
index 0000000000..8e2bd06c1d
--- /dev/null
+++ b/browsers/edge/includes/set-new-tab-url-include.md
@@ -0,0 +1,39 @@
+
+>*Default setting: Disabled or not configured (Blank)*
+
+[!INCLUDE [set-new-tab-url-shortdesc](../shortdesc/set-new-tab-url-shortdesc.md)]
+
+### Allowed values
+
+|Group Policy |MDM |Registry |Description |
+|---|:---:|:---:|---|
+|Disabled or not configured
**(default)** |Blank |Blank |Load the default New tab page. |
+|Enabled - String |String |String |Prevent users from changing the New tab page.Enter a URL in string format, for example, https://www.msn.com. |
+---
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Set New Tab page URL
+- **GP name:** SetNewTabPageURL
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[SetNewTabPageURL](../new-policies.md#set-new-tab-page-url)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL
+- **Data type:** String
+
+#### Registry settings
+- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings
+- **Value name:** NewTabPageUR
+- **Value type:** REG_SZ
+
+
+### Related policies
+
+[Allow web content on New Tab page](../new-policies.md#allowwebcontentonnewtabpage): [!INCLUDE [allow-web-content-on-new-tab-page-shortdesc](../shortdesc/allow-web-content-on-new-tab-page-shortdesc.md)]
+
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/show-message-opening-sites-ie-include.md b/browsers/edge/includes/show-message-opening-sites-ie-include.md
new file mode 100644
index 0000000000..257c6ef4b9
--- /dev/null
+++ b/browsers/edge/includes/show-message-opening-sites-ie-include.md
@@ -0,0 +1,42 @@
+
+>*Default setting: Disabled or not configured (No additional message)*
+
+
+[!INCLUDE [show-message-when-opening-sites-in-ie-shortdesc](../shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md)]
+
+### Allowed values
+
+|Group Policy |MDM |Registry |Description |Most restricted |
+|---|:---:|:---:|---|:---:|
+|Disabled or not configured
**(default)** |0 |0 |No additional message displays. | |
+|Enabled |1 |1 |Show an additional message stating that a site has opened in IE11. | |
+|Enabled |2 |2 |Show an additional message with a "Keep going in Microsoft Edge" link. | |
+---
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Show message when opening sites in Internet Explorer
+- **GP name:** ShowMessageWhenOpeningSitesInInternetExplorer
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[ShowMessageWhenOpeningSitesInInternetExplorer](../new-policies.md#show-message-when-opening-sites-in-internet-explorer)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ShowMessageWhenOpeningSitesInInternetExplorer
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main
+- **Value name:** ShowMessageWhenOpeningSitesInInternetExplorer
+- **Value type:** REG_DWORD
+
+### Related policies
+
+- [Configure the Enterprise Mode Site List](../available-policies.md#configure-the-enterprise-mode-site-list): [!INCLUDE [configure-enterprise-mode-site-list-shortdesc](../shortdesc/configure-enterprise-mode-site-list-shortdesc.md)]
+
+- [Send all intranet sites to Internet Explorer 11](../available-policies.md#send-all-intranet-sites-to-internet-explorer-11): [!INCLUDE [send-all-intranet-sites-to-ie-shortdesc](../shortdesc/send-all-intranet-sites-to-ie-shortdesc.md)]
+
+
+
\ No newline at end of file
diff --git a/browsers/edge/includes/unlock-home-button-include.md b/browsers/edge/includes/unlock-home-button-include.md
new file mode 100644
index 0000000000..212962b41d
--- /dev/null
+++ b/browsers/edge/includes/unlock-home-button-include.md
@@ -0,0 +1,40 @@
+
+>*Default setting: Disabled or not configured (Home button is locked)*
+
+[!INCLUDE [unlock-home-button-shortdesc](../shortdesc/unlock-home-button-shortdesc.md)]
+
+### Allowed values
+
+|Group Policy |MDM |Registry |Description |
+|---|:---:|:---:|---|
+|Disabled or not configured
**(default)** |0 |0 |Lock down the home button to prevent users from making changes. |
+|Enabled |1 |1 |Let users make changes. |
+---
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Unlock Home Button
+- **GP name:** UnlockHomeButton
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[UnlockHomeButton](../new-policies.md#unlock-home-button)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/UnlockHomeButton
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Internet Settings
+- **Value name:** UnlockHomeButton
+- **Value type:** REG_DWORD
+
+### Related policies
+
+- [Configure Home Button](../new-policies.md#configure-home-button): [!INCLUDE [configure-home-button-shortdesc](../shortdesc/configure-home-button-shortdesc.md)]
+
+- [Set Home button URL](../new-policies.md#set-home-button-url): [!INCLUDE [set-home-button-url-shortdesc](../shortdesc/set-home-button-url-shortdesc.md)]
+
+
+
\ No newline at end of file
diff --git a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md
new file mode 100644
index 0000000000..a1a7506f3a
--- /dev/null
+++ b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md
@@ -0,0 +1,328 @@
+---
+description: Microsoft Edge kiosk mode works with assigned access to allow IT, administrators, to create a tailored browsing experience designed for kiosk devices. To use Microsoft Edge kiosk mode, you must configure Microsoft Edge as an application in assigned access.
+ms.assetid:
+author: shortpatti
+ms.author: pashort
+ms.prod: edge
+ms.sitesec: library
+title: Deploy Microsoft Edge kiosk mode
+ms.localizationpriority: high
+ms.date: 07/18/2018
+---
+
+# Deploy Microsoft Edge kiosk mode (Preview)
+
+>Applies to: Microsoft Edge on Windows 10
+>Preview build 17718
+
+Microsoft Edge kiosk mode works with assigned access to let IT administrators create a tailored browsing experience designed for kiosk devices. To use Microsoft Edge kiosk mode, you must configure Microsoft Edge as an application in assigned access. Learn more about [Configuring kiosk and shared devices running Windows desktop editions](https://docs.microsoft.com/en-us/windows/configuration/kiosk-shared-pc).
+
+When you configure Microsoft Edge kiosk mode in assigned access, you can set it up to show only a single URL in full-screen, in the case of digital/interactive signage on a single-app kiosk device. You can restrict Microsoft Edge for public browsing (on a single and multi-app kiosk device) which runs a multi-tab version of InPrivate with limited functionality. Also, you can configure a multi-app kiosk device to run a full or normal version of Microsoft Edge.
+
+Digital/Interactive signage and public browsing protects the user’s data by running Microsoft Edge InPrivate. In single-app public browsing, there is both an idle timer and an 'End Session' button. The idle timer resets the browsing session after a specified time of user inactivity.
+
+In this deployment guidance, you learn about the different Microsoft Edge kiosk mode types to help you determine what configuration is best suited for your kiosk device. You also learn how to setup your Microsoft Edge kiosk mode experience.
+
+
+
+## Microsoft Edge kiosk types
+Microsoft Edge kiosk mode supports **four** types, depending on how Microsoft Edge is set up in assigned access; single-app or multi-app kiosk. Learn more about [assigned access](https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/assigned-access).
+
+### Single-app kiosk
+
+When you set up Microsoft Edge kiosk mode in single-app assigned access, Microsoft Edge runs InPrivate either in full-screen or a limited multi-tab version for public browsing. For more details about setting up a single-app kiosk, see [Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](https://docs.microsoft.com/en-us/windows/configuration/setup-kiosk-digital-signage).
+
+The single-app Microsoft Edge kiosk mode types include:
+
+1. **Digital / Interactive signage** devices display a specific site in full-screen mode in which Microsoft Edge runs InPrivate mode. Examples of Digital signage are a rotating advertisement or menu. Examples of Interactive signage are an interactive museum display and restaurant order/pay station.
+
+2. **Public browsing** devices run a limited multi-tab version of InPrivate and Microsoft Edge is the only app available. Users can’t minimize, close, or open new Microsoft Edge windows or customize Microsoft Edge. Users can clear browsing data, downloads and restart Microsoft Edge by clicking the “End session” button. You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. A public library or hotel concierge desk are two examples of public browsing in single-app kiosk device.
+
+ 
+
+### Multi-app kiosk
+When you set up Microsoft Edge kiosk mode in multi-app assigned access, Microsoft Edge runs a limited multi-tab version of InPrivate or a normal browsing version. For more details about running a multi-app kiosk, or fixed-purpose device, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps). Here you learn how to create kiosks that run more than one app and the benefits of a multi-app kiosk, or fixed-purpose device.
+
+The multi-app Microsoft Edge kiosk mode types include:
+
+3. **Public browsing** supports browsing the internet and runs InPrivate with minimal features available. In this configuration, Microsoft Edge can be one of many apps available. Users can close and open multiple InPrivate windows. On a multi-app kiosk device, Microsoft Edge can interact with other applications. For example, if Internet Explorer 11 is set up in multi-app assigned access. You can enable Enterprise Mode to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support. Examples of public browsing include an information kiosk device at a public library or hotel concierge desk that provides access to Microsoft Edge and other app(s).
+
+ 
+
+4. **Normal mode** mode runs a full version of Microsoft Edge, but some features may not work depending on what other apps you configured in assigned access. For example, if Internet Explorer 11 is set up in assigned access, you can enable Enterprise Mode to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support.
+
+ 
+
+## Let’s get started!
+Before you can configure Microsoft Edge kiosk mode, you must set up Microsoft Edge in assigned access. You can set up Microsoft Edge kiosk mode in assigned access using:
+
+- **Windows Settings.** Best for physically setting up a single device as a kiosk. With this method, you set up assigned access and configure the kiosk or digital sign device using Settings. You can configure Microsoft Edge in single-app (kiosk type – Full-screen or public browsing) and define a single URL for the Home button, Start page, and New tab page. You can also set the reset after an idle timeout.
+
+- **Microsoft Intune or other MDM service.** Best for setting up multiple devices as a kiosk. With this method, you configure Microsoft Edge in assigned access and configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access.
+
+ >[!NOTE]
+ >For other MDM service, check with your provider for instructions.
+
+- **Windows PowerShell.** Best for setting up multiple devices as a kiosk. With this method, you can set up single-app or multi-app assigned access using a PowerShell script. For details, see For details, see [Set up a kiosk or digital sign using Windows PowerShell](https://docs.microsoft.com/en-us/windows/configuration/setup-kiosk-digital-signage#set-up-a-kiosk-or-digital-sign-using-windows-powershell).
+
+- **Windows Configuration Designer.** Best for setting up multiple kiosk devices. Download and install both the latest version of the [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) and [Windows Configuration Manager](https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-install-icd#install-windows-configuration-designer-1).
+
+### Prerequisites
+
+- Microsoft Edge on Windows 10, version 1809 (Professional, Enterprise, and Education).
+
+- Configuration and deployment service, such as Windows PowerShell, Microsoft Intune or other MDM service, or Windows Configuration Designer. With these methods, you must have the [AppUserModelID](https://docs.microsoft.com/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app); this does not apply to the Windows Settings method.
+
+### Use Windows Settings
+
+Windows Settings is the simplest and easiest way to set up one or a couple of devices because you must perform these steps on each device. This method is ideal for small businesses.
+
+1. In Windows Settings, select **Accounts** \> **Other people**.
+
+2. Under **Set up a kiosk**, select **Assigned access**.
+
+3. Select **Get started**.
+
+4. Create a standard user account or choose an existing account for your kiosk.
+
+5. Select **Next**.
+
+6. On the **Choose a kiosk app** page, select **Microsoft Edge.**
+
+7. Select **Next**.
+
+8. Select how Microsoft Edge displays when running in kiosk mode:
+
+ - **As a digital sign or interactive display**, the default URL shows in full screen, without browser controls.
+
+ - **As a public browser**, the default URL shows in a browser view with limited browser controls.
+
+9. Select **Next**.
+
+10. Enter the URL that you want to load when the kiosk launches.
+
+ >[!NOTE]
+ >The URL sets the Home button, Start page, and New tab page.
+
+11. 11. Microsoft Edge in kiosk mode has a built-in timer to help keep data safe in public browsing sessions. When the idle time (no user activity) meets the time limit, a confirmation message prompts the user to continue. If **Continue** is not selected, Microsoft Edge resets to the default URL. You can accept the default value of **5 minutes**, or you can choose your own idle timer value.
+
+12. Select **Next**, and then select **Close**.
+
+13. Close **Settings** to save your choices automatically and apply them the next time the user account logs on.
+
+14. Configure the policies for Microsoft Edge kiosk mode. For details on the valid kiosk policy settings, see [Related policies](#related-policies).
+
+15. Validate the Microsoft Edge kiosk mode by restarting the device and signing in with the local kiosk account.
+
+**_Congratulations!_** You’ve finished setting up Microsoft Edge in assigned access and a kiosk or digital sign, and configured browser policies for Microsoft Edge kiosk mode.
+
+**_Next steps._**
+- Use your new kiosk. Sign in to the device using the user account that you selected to run the kiosk app.
+- If you want to make changes to your kiosk, you can quickly change the display option and default URL for Microsoft Edge.
+
+ 1. Go to **Start** \> **Settings** \> **Accounts** \> **Other people**.
+
+ 2. Under **Set up a kiosk**, select **Assigned access**.
+
+ 3. Make your changes to **Choose a kiosk mode** and **Set up Microsoft Edge**.
+
+### Use Microsoft Intune or other MDM service
+
+With this method, you can use Microsoft Intune or other MDM services to configure Microsoft Edge kiosk mode in assigned access and how it behaves on a kiosk device.
+
+1. In Microsoft Intune or other MDM service, configure [AssignedAccess](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) to prevent users from accessing the file system, running executables, or other apps.
+
+2. Configure the following MDM settings to control a web browser app on the kiosk device.
+
+ | | |
+ |---|---|
+ | **[ConfigureKioskMode](new-policies.md#configure-kiosk-mode)** | Configure the display mode for Microsoft Edge as a kiosk app.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode
**Data type:** Integer
**Allowed values:**
- **Single-app kiosk experience**
- **0** - Digital signage and interactive display
- **1** - InPrivate Public browsing
- **Multi-app kiosk experience**
- **0** - Normal Microsoft Edge running in assigned access
- **1** - InPrivate public browsing with other apps
|
+ | **[ConfigureKioskResetAfterIdleTimeout](new-policies.md#configure-kiosk-reset-after-idle-timeout)** | Change the time in minutes from the last user activity before Microsoft Edge kiosk mode resets to the default kiosk configuration.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout
**Data type:** Integer
**Allowed values:**
- **0** - No idle timer
- **1-1440 (5 minutes is the default)** - Set reset on idle timer
|
+ | **[HomePages](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-homepages)** | Set one or more start pages, URLs, to load when Microsoft Edge launches.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/HomePages
**Data type:** String
**Allowed values:**
Enter one or more URLs, for example,
\\ |
+ | **[ConfigureHomeButton](new-policies.md#configure-home-button)** | Configure how the Home Button behaves.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton
**Data type:** Integer
**Allowed values:**
- **0 (default)** - Not configured. Show home button, and load the default Start page.
- **1** - Enabled. Show home button and load New tab page
- **2** - Enabled. Show home button & set a specific page.
- **3** - Enabled. Hide the home button.
|
+ | **[SetNewTabPageURL](new-policies.md#set-new-tab-page-url)** | Set a custom URL for the New tab page.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/
**Data type:** String
**Allowed values:** Enter a URL, for example, https://www.msn.com |
+ | **[SetHomeButtonURL](new-policies.md#set-home-button-url)**
 | If you set ConfigureHomeButton to 2, configure the home button URL.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/
**Data type:** String
**Allowed values:** Enter a URL, for example, https://www.bing.com |
+ ---
+
+3. Restart the device and sign in using the kiosk app user account.
+
+**_Congratulations!_** You’ve finished setting up a kiosk or digital signage and configuring policies for Microsoft Edge kiosk mode using Microsoft Intune or other MDM service.
+
+**_Next steps._** Use your new kiosk. Sign in to the device using the user account that you selected to run the kiosk app.
+
+### Use a provisioning package
+
+With this method, you can use a provisioning package to configure Microsoft Edge kiosk mode in assigned access. After you set up the provisioning package for configuring Microsoft Edge in assigned access, you configure how Microsoft Edge behaves on a kiosk device.
+
+1. Open Windows Configuration Designer to create a provisioning package and configure Microsoft Edge in assigned access.
+
+2. After creating the provisioning package and configuring assigned access, and before you build the package, switch to the advanced editor.
+
+3. Navigate to **Runtime settings \> Policies \> Browser** and set the following policies:
+
+ | | |
+ |---|---|
+ | **[ConfigureKioskMode](new-policies.md#configure-kiosk-mode)**
 | Configure the display mode for Microsoft Edge as a kiosk app.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode
**Data type:** Integer
**Allowed values:**
- **Single-app kiosk experience**
- **0** - Digital signage and interactive display
- **1** - InPrivate Public browsing
- **Multi-app kiosk experience**
- **0** - Normal Microsoft Edge running in assigned access
- **1** - InPrivate public browsing with other apps
|
+ | **[ConfigureKioskResetAfterIdleTimeout](new-policies.md#configure-kiosk-reset-after-idle-timeout)** | Change the time in minutes from the last user activity before Microsoft Edge kiosk mode resets to the default kiosk configuration.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout
**Data type:** Integer
**Allowed values:**
- **0** - No idle timer
- **1-1440 (5 minutes is the default)** - Set reset on idle timer
|
+ | **[HomePages](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-homepages)** | Set one or more start pages, URLs, to load when Microsoft Edge launches.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/HomePages
**Data type:** String
**Allowed values:**
Enter one or more URLs, for example,
\\ |
+ | **[ConfigureHomeButton](new-policies.md#configure-home-button)** | Configure how the Home Button behaves.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton
**Data type:** Integer
**Allowed values:**
- **0 (default)** - Not configured. Show home button, and load the default Start page.
- **1** - Enabled. Show home button and load New tab page
- **2** - Enabled. Show home button & set a specific page.
- **3** - Enabled. Hide the home button.
|
+ | **[SetNewTabPageURL](new-policies.md#set-new-tab-page-url)** | Set a custom URL for the New tab page.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/
**Data type:** String
**Allowed values:** Enter a URL, for example, https://www.msn.com |
+ | **[SetHomeButtonURL](new-policies.md#set-home-button-url)**
 | If you set ConfigureHomeButton to 2, configure the home button URL.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/
**Data type:** String
**Allowed values:** Enter a URL, for example, https://www.bing.com |
+ ---
+
+4. After you’ve configured the Microsoft Edge kiosk mode policies, including any of the related policies, it’s time to build the package.
+
+5. Click **Finish**. The wizard closes taking you back to the Customizations page.
+
+6. Apply the provisioning package to the device, which you can do during the first-run experience (out-of-box experience or OOBE) and after (runtime). For more details, see [Apply a provisioning package](https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-apply-package).
+
+**_Congratulations!_** You’ve finished creating your provisioning package for Microsoft Edge kiosk mode.
+
+**_Next steps._** Use your new kiosk. Sign in to the device using the user account that you selected to run the kiosk app.
+
+## Related policies
+
+Use any of the Microsoft Edge policies listed below to enhance the kiosk experience depending on the Microsoft Edge kiosk mode type you configure. To learn more about these policies, see [Policy CSP - Browser](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser).
+
+| **MDM Setting** | **Digital /
Interactive signage** | **Public browsing
single-app** | **Public browsing
multi-app** | **Normal
mode** |
+|------------------|:---------:|:---------:|:---------:|:---------:|
+| [AllowAddressBarDropdown](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowaddressbardropdown) |  |  |  |  |
+| [AllowAutofill](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowautofill) |  |  |  |  |
+| [AllowBrowser](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowbrowser) |  |  |  |  |
+| [AllowConfigurationUpdateForBooksLibrary](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowconfigurationupdateforbookslibrary) |  |  |  |  |
+| [AllowCookies](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowcookies) |  |  |  |  |
+| [AllowDeveloperTools](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowdevelopertools) |  |  |  |  |
+| [AllowDoNotTrack](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowdonottrack) |  |  |  |  |
+| [AllowExtensions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowextensions) |  |  |  |  |
+| [AllowFlash](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowflash) |  |  |  |  |
+| [AllowFlashClickToRun](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowflashclicktorun) | 2 |  |  |  |
+| [AllowFullscreen](new-policies.md#allow-fullscreen-mode)\* |  |  |  |  |
+| [AllowInPrivate](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowinprivate) |  |  |  |  |
+| [AllowMicrosoftCompatibilityList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowmicrosoftcompatibilitylist) |  |  | 1 |  |
+| [AllowPasswordManager](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowpasswordmanager) |  |  |  |  |
+| [AllowPopups](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowpopups) |  |  |  |  |
+| [AllowPrelaunch](new-policies.md#allow-prelaunch)\* |  |  |  |  |
+| [AllowPrinting](new-policies.md#allow-printing)\* |  |  |  |  |
+| [AllowSavingHistory](new-policies.md#allow-saving-history)\* |  |  |  |  |
+| [AllowSearchEngineCustomization](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsearchenginecustomization) |  |  |  |  |
+| [AllowSearchSuggestionsinAddressBar](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsearchenginecustomization) |  |  |  |  |
+| [AllowSideloadingOfExtensions](new-policies.md#allow-sideloading-of-extensions)\* |  |  |  |  |
+| [AllowSmartScreen](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen) |  |  |  |  |
+| [AllowSyncMySettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowsyncmysettings) |  |  |  |  |
+| [AllowTabPreloading](new-policies.md#allow-microsoft-edge-to-start-and-load-the-start-and-new-tab-page-at-windows-startup-and-each-time-microsoft-edge-is-closed)\* |  |  |  |  |
+| [AllowWebContentOnNewTabPage](new-policies.md#allowwebcontentonnewtabpage)\* |  |  |  |  |
+| [AlwaysEnabledBooksLibrary](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) |  |  |  |  |
+| [ClearBrowsingDataOnExit](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-clearbrowsingdataonexit) |  |  |  |  |
+| [ConfigureAdditionalSearchEngines](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configureadditionalsearchengines) |  |  |  |  |
+| [ConfigureFavoritesBar](new-policies.md#configure-favorites-bar)\* |  |  |  |  |
+| [ConfigureHomeButton](new-policies.md#configure-home-button)\* |  |  |  |  |
+| [ConfigureKioskMode](new-policies.md#configure-kiosk-mode)\* |  |  |  |  |
+| [ConfigureKioskResetAfterIdleTimeout](new-policies.md#configure-kiosk-reset-after-idle-timeout)\* |  |  |  |  |
+| [ConfigureOpenMicrosoftEdgeWith](new-policies.md#configure-open-microsoft-edge-with)\* |  |  |  |  |
+| [ConfigureTelemetryForMicrosoft365Analytics](new-policies.md#configure-collection-of-browsing-data-for-microsoft-365-analytics)\* |  |  |  |  |
+| [DisableLockdownOfStartPages](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-disablelockdownofstartpages) |  |  |  |  |
+| [DoNotSyncBrowserSetting](new-policies.md#donotsyncbrowsersetting)\* and [PreventUsersFromTurningOnBrowserSyncing](new-policies.md#prevent-users-from-turning-on-browser-syncing)\* |  |  |  |  |
+| [EnableExtendedBooksTelemetry](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) |  |  |  |  |
+| [EnterpriseModeSiteList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist) |  |  | 1 |  |
+| [FirstRunURL](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-firstrunurl) |  |  |  |  |
+| [HomePages](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-homepages) |  |  |  |  |
+| [LockdownFavorites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-lockdownfavorites) |  |  |  |  |
+| [PreventAccessToAboutFlagsInMicrosoftEdge](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventaccesstoaboutflagsinmicrosoftedge) |  |  |  |  |
+| [PreventCertErrorOverrides](new-policies.md#prevent-certificate-error-overrides)\* |  |  |  |  |
+| [PreventFirstRunPage](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventfirstrunpage) |  | |  |  |
+| [PreventLiveTileDataCollection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventlivetiledatacollection) |  |  |  |  |
+| [PreventSmartScreenPromptOverride](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverride) |  |  |  |  |
+| [PreventSmartScreenPromptOverrideForFiles](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverrideforfiles) |  |  |  |  |
+| [PreventTurningOffRequiredExtensions](new-policies.md#prevent-turning-off-required-extensions)\* |  |  |  |  |
+| [PreventUsingLocalHostIPAddressForWebRTC](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventusinglocalhostipaddressforwebrtc) |  |  |  |  |
+| [ProvisionFavorites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) |  |  |  |  |
+| [SendIntranetTraffictoInternetExplorer](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-sendintranettraffictointernetexplorer) |  |  | 1 |  |
+| [SetDefaultSearchEngine](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-setdefaultsearchengine) |  |  |  |  |
+| [SetHomeButtonURL](new-policies.md#set-home-button-url)\* |  |  |  |  |
+| [SetNewTabPageURL](new-policies.md#set-new-tab-page-url)\* |  |  |  |  |
+| [ShowMessageWhenOpeningInteretExplorerSites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-showmessagewhenopeningsitesininternetexplorer) |  |  | 1 |  |
+| [SyncFavoritesBetweenIEAndMicrosoftEdge](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-syncfavoritesbetweenieandmicrosoftedge) |  |  | 1 |  |
+| [UnlockHomeButton](new-policies.md#unlock-home-button)\* |  |  |  |  |
+| [UseSharedFolderForBooks](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) |  |  |  |  |
+---
+
+*\* New policy coming in the next release of Windows 10.*
+*1) For multi-app assigned access, you must configure Internet Explorer 11.*
+*2) For digital/interactive signage to enable Flash, set [AllowFlashClickToRun](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowflashclicktorun) to 0.*
+
+**Legend:**
+  = Not applicable or not supported
+  = Supported
+
+
+## Related topics
+
+- **[Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](https://docs.microsoft.com/en-us/windows/configuration/setup-kiosk-digital-signage)**: Learn about the different methods to configuring your kiosks and digitals signs. Also, learn about the settings you can use to lock down the kiosk for a more secure kiosk experience.
+
+- **[Create a Kiosk Experience](https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/create-a-kiosk-image):** Learn how to set up single-function kiosk devices, such as restaurant menus, and optional features for a welcome screen or power button availability. Also, learn how to create a multi-app kiosk, or fixed-purpose device, to provide an easy-to-understand experience giving users the things they need to use.
+
+- **[Configure a Windows 10 kiosk that runs multiple apps](https://aka.ms/Ckmq4n):** Learn how to create kiosks that run more than one app and the benefits of a multi-app kiosk, or fixed-purpose device.
+
+- **[Kiosk apps for assigned access best practices](https://aka.ms/H1s8y4):** In Windows 10, you can use assigned access to create a kiosk device, which enables users to interact with just a single Universal Windows app. Learn about the best practices for implementing a kiosk app.
+
+- **[Guidelines for choosing an app for assigned access (kiosk mode)](https://aka.ms/Ul7dw3):** Assigned access restricts a local standard user account on the device so that it only has access to a single-function device, like a kiosk. Learn about the guidelines for choosing a Windows app, web browsers, and securing your information. Also, learn about additional configurations required for some apps before it can work properly in assigned access.
+
+- **[Other settings to lock down](https://docs.microsoft.com/en-us/windows/configuration/setup-kiosk-digital-signage#other-settings-to-lock-down):** Learn how to configure a more secure kiosk experience. In addition to the settings, learn how to set up **automatic logon** for your kiosk device. For example, when the kiosk device restarts, you can log back into the device manually or by setting up automatic logon.
+
+- **[Add apps to Microsoft Intune](https://docs.microsoft.com/en-us/intune/apps-add):** Learn about and understand a few app fundamentals and requirements before adding them to Intune and making them available to your users.
+
+- **[AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/en-us/windows/client-management/mdm/assignedaccess-csp):** The AssignedAccess configuration service provider (CSP) sets the device to run in kiosk mode. Once the CSP has executed, then the next user login associated with the kiosk mode puts the device into the kiosk mode running the application specified in the CSP configuration.
+
+- **[Create a provisioning page for Windows 10](https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-create-package):**. Learn to use Windows Configuration Designer (WCD) to create a provisioning package (.ppkg) for configuring devices running Windows 10. The WCD wizard options provide a simple interface to configure desktop, mobile, and kiosk device settings.
+
+## Known issues with RS_PRERELEASE build 17718
+
+- When you set up Microsoft Edge as your kiosk app and define the URL in assigned access Settings the URL, Microsoft Edge may not get launched with the configured URL.
+ - **Expected behavior** – Microsoft Edge kiosk mode opens the URL on startup.
+ - **Actual behavior** – Microsoft Edge kiosk mode may not open with the URL on startup.
+
+- • When you set up Microsoft Edge kiosk mode on a single-app kiosk device you must set the “ConfigureKioskMode” policy because the default behavior is not honored.
+ - **Expected behavior** – Microsoft Edge kiosk mode launches in full-screen mode.
+ - **Actual behavior** – Normal Microsoft Edge launches.
+
+- “Configure Favorites bar” policy when setting to enabled or 1 does not show the favorites bar in Microsoft Edge kiosk mode.
+ - **Expected behavior** – Microsoft Edge kiosk mode shows the favorites bar.
+ - **Actual behavior** – The favorites bar is hidden.
+
+- Extensions should not be available in Public browsing multi-app kiosk.
+ - **Expected behavior** – Extensions are disabled in _Settings and more_ menu.
+ - **Actual behavior** – Extensions are accessible in _Settings and more_ menu.
+
+- Books should not be available in Public browsing multi-app kiosk.
+ - **Expected behavior** – Books are disabled in _Settings and more_ menu.
+ - **Actual behavior** – Books are accessible in _Settings and more_ menu.
+
+
+## Provide feedback or get support
+
+To provide feedback on Microsoft Edge kiosk mode in Feedback Hub, select **Microsoft Edge** as the **Category**, and **All other issues** as the subcategory.
+
+**_For multi-app kiosk only._** If you have set up the Feedback Hub in assigned access, you can you submit the feedback from the device running Microsoft Edge in kiosk mode in which you can include diagnostic logs. In the Feedback Hub, select **Microsoft Edge** as the **Category**, and **All other issues** as the subcategory.
+
+## Feature comparison of kiosk mode and kiosk browser app
+In the following table, we show you the features available in both Microsoft Edge kiosk mode and Kiosk Browser app available in Microsoft Store. Both kiosk mode and kiosk browser app work in assigned access.
+
+| **Feature** | **Microsoft Edge kiosk mode** | **Kiosk Browser** |
+|---------------|:----------------:|:---------------:|
+| Print support |  |  |
+| Multi-tab support |  |  |
+| Allow URL support | 
*\*For Microsoft Edge kiosk mode use* [Windows Defender Firewall](#_*Windows_Defender_Firewall)*. Microsoft kiosk browser has custom policy support.* |  |
+| Block URL support | 
*\*For Microsoft Edge kiosk mode use* [Windows Defender Firewall](#_*Windows_Defender_Firewall)*. Microsoft kiosk browser has custom policy support.* |  |
+| Configure Home button |  |  |
+| Set Start page(s) URL |  | 
*Same as Home button URL* |
+| Set New Tab page URL |  |  |
+| Favorites management |  |  |
+| End session button |  | 
*In Intune, must create custom URI to enable. Dedicated UI configuration targeted for 1808.* |
+| Reset on inactivity |  |  |
+| Internet Explorer integration (Enterprise Mode site list) | 
*Multi-app mode only* |  |
+---
+
+**\*Windows Defender Firewall**
+To prevent access to unwanted websites on your kiosk device, use Windows Defender Firewall to configure a list of allowed websites, blocked websites or both. For more details, see [Windows Defender Firewall with Advanced Security Deployment](https://docs.microsoft.com/en-us/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide).
+
+---
\ No newline at end of file
diff --git a/browsers/edge/new-policies.md b/browsers/edge/new-policies.md
new file mode 100644
index 0000000000..4bd38088f2
--- /dev/null
+++ b/browsers/edge/new-policies.md
@@ -0,0 +1,116 @@
+---
+description: Windows Insider Preview - The Microsoft Edge team introduces new Group Policies and MDM Settings for IT administrators to configure Microsoft Edge. The new policies allow you to enable/disabled full-screen mode, printing, favorites bar, saving history. You can also prevent certificate error overrides, and configure New tab page, Home button and startup options, as well as manage extensions.
+ms.assetid:
+author: shortpatti
+ms.author: pashort
+ms.prod: edge
+ms.mktglfcycl: explore
+ms.sitesec: library
+title: New Microsoft Edge Group Policies and MDM settings
+ms.localizationpriority:
+ms.date: 07/18/2018
+---
+
+# New Microsoft Edge Group Policies and MDM settings (Preview)
+
+> Applies to: Microsoft Edge on Windows 10
+> Preview build 17718
+
+The Microsoft Edge team introduces new Group Policies and MDM Settings for the Windows 10 Insider Preview Build 17718. The new policies allow IT administrators to enable/disable full-screen mode, printing, favorites bar, saving history. You can also prevent certificate error overrides, and configure New tab page, Home button and startup options, as well as manage extensions.
+
+You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor:
Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge\
+
+
+
+- [Allow fullscreen mode](#allow-fullscreen-mode)
+- [Allow Microsoft Edge to start and load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed](#allow-microsoft-edge-to-start-and-load-the-start-and-new-tab-page-at-windows-startup-and-each-time-microsoft-edge-is-closed)
+- [Allow Prelaunch](#allow-prelaunch)
+- [Allow printing](#allow-printing)
+- [Allow Saving History](#allow-saving-history)
+- [Allow sideloading of Extensions](#allow-sideloading-of-extensions)
+- [Configure collection of browsing data for Microsoft 365 Analytics](#configure-collection-of-browsing-data-for-microsoft-365-analytics)
+- [Configure Favorites Bar](#configure-favorites-bar)
+- [Configure Home Button](#configure-home-button)
+- [Configure kiosk mode](#configure-kiosk-mode)
+- [Configure kiosk reset after idle timeout](#configure-kiosk-reset-after-idle-timeout)
+- [Configure Open Microsoft Edge With](#configure-open-microsoft-edge-with)
+- [Prevent certificate error overrides](#prevent-certificate-error-overrides)
+- [Prevent turning off required extensions](#prevent-turning-off-required-extensions)
+- [Prevent users from turning on browser syncing](#preventusersfromturningonbrowsersyncing)
+- [Set Home button URL](#set-home-button-url)
+- [Set New Tab page URL](#set-new-tab-page-url)
+- _(Modified)_ [Show message when opening sites in Internet Explorer](#showmessagewhenopeninginteretexplorersites)
+- [Unlock Home button](#unlock-home-button)
+
+In addition to the new group policies, we added a couple of new MDM policies to align with the existing group policy counterpart.
+
+- [Experience/DoNotSyncBrowserSetting](#donotsyncbrowsersetting)
+- [Browser/AllowWebContentOnNewTabPage](#allowwebcontentonnewtabpage)
+
+We are also deprecating the **Configure Favorites** group policy because no MDM equivalent existed. Use the **[Provision Favorites](available-policies.md#provision-favorites)** in place of Configure Favorites.
+
+
+
+## Allow fullscreen mode
+[!INCLUDE [allow-full-screen-include](includes/allow-full-screen-include.md)]
+
+## Allow Microsoft Edge to start and load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed
+[!INCLUDE [allow-tab-preloading-include](includes/allow-tab-preloading-include.md)]
+
+## Allow Prelaunch
+[!INCLUDE [allow-prelaunch-include](includes/allow-prelaunch-include.md)]
+
+## Allow printing
+[!INCLUDE [allow-printing-include.md](includes/allow-printing-include.md)]
+
+## Allow Saving History
+[!INCLUDE [allow-saving-history-include.md](includes/allow-saving-history-include.md)]
+
+## Allow sideloading of Extensions
+[!INCLUDE [allow-sideloading-extensions-include.md](includes/allow-sideloading-extensions-include.md)]
+
+## AllowWebContentOnNewTabPage
+[!INCLUDE [allow-web-content-new-tab-page-include](includes/allow-web-content-new-tab-page-include.md)]
+
+## Configure collection of browsing data for Microsoft 365 Analytics
+[!INCLUDE [configure-browser-telemetry-for-m365-analytics-include](includes/configure-browser-telemetry-for-m365-analytics-include.md)]
+
+## Configure Favorites Bar
+[!INCLUDE [configure-favorites-bar-include.md](includes/configure-favorites-bar-include.md)]
+
+## Configure Home Button
+[!INCLUDE [configure-home-button-include.md](includes/configure-home-button-include.md)]
+
+## Configure kiosk mode
+[!INCLUDE [configure-microsoft-edge-kiosk-mode-include.md](includes/configure-microsoft-edge-kiosk-mode-include.md)]
+
+## Configure kiosk reset after idle timeout
+[!INCLUDE [configure-edge-kiosk-reset-idle-timeout-include.md](includes/configure-edge-kiosk-reset-idle-timeout-include.md)]
+
+## Configure Open Microsoft Edge With
+[!INCLUDE [configure-open-edge-with-include.md](includes/configure-open-edge-with-include.md)]
+
+## DoNotSyncBrowserSetting
+[!INCLUDE [do-not-sync-browser-settings-include](includes/do-not-sync-browser-settings-include.md)]
+
+## Prevent certificate error overrides
+[!INCLUDE [prevent-certificate-error-overrides-include.md](includes/prevent-certificate-error-overrides-include.md)]
+
+## Prevent turning off required extensions
+[!INCLUDE [prevent-turning-off-required-extensions-include.md](includes/prevent-turning-off-required-extensions-include.md)]
+
+## Prevent users from turning on browser syncing
+[!INCLUDE [prevent-users-to-turn-on-browser-syncing-include](includes/prevent-users-to-turn-on-browser-syncing-include.md)]
+
+## Set Home button URL
+[!INCLUDE [set-home-button-url-include](includes/set-home-button-url-include.md)]
+
+## Set New Tab page URL
+[!INCLUDE [set-new-tab-url-include.md](includes/set-new-tab-url-include.md)]
+
+## Show message when opening sites in Internet Explorer
+[!INCLUDE [show-message-opening-sites-ie-include](includes/show-message-opening-sites-ie-include.md)]
+
+## Unlock Home button
+[!INCLUDE [unlock-home-button-include.md](includes/unlock-home-button-include.md)]
+
diff --git a/browsers/edge/shortdesc/allow-a-shared-books-folder-shortdesc.md b/browsers/edge/shortdesc/allow-a-shared-books-folder-shortdesc.md
new file mode 100644
index 0000000000..ab30ba7a07
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-a-shared-books-folder-shortdesc.md
@@ -0,0 +1 @@
+You can configure Microsoft Edge to store books from the Books Library to a default, shared folder in Windows, which decreases the amount of storage used by book files. When you enable this policy, Microsoft Edge downloads book files automatically to a common, shared folder, and prevents users from removing the book from the library. When disabled, Microsoft Edge does not use a shared folder but downloads book files to a folder for each user. For this policy to work properly, users must be signed in with a school or work account.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-address-bar-drop-down-shortdesc.md b/browsers/edge/shortdesc/allow-address-bar-drop-down-shortdesc.md
new file mode 100644
index 0000000000..85e85e81fc
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-address-bar-drop-down-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge shows the Address bar drop-down list and makes it available by default, which takes precedence over the [Configure search suggestions in Address bar](../available-policies.md#configure-search-suggestions-in-address-bar) policy. We recommend disabling this policy if you want to minimize network connections from Microsoft Edge to Microsoft service, which hides the functionality of the Address bar drop-down list. When you disable this policy, Microsoft Edge also disables the Show search and site suggestions as I type toggle in Settings.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-adobe-flash-shortdesc.md b/browsers/edge/shortdesc/allow-adobe-flash-shortdesc.md
new file mode 100644
index 0000000000..6c0c3cf0be
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-adobe-flash-shortdesc.md
@@ -0,0 +1 @@
+Adobe Flash is integrated with Microsoft Edge and runs Adobe Flash content by default. With this policy, you can configure Microsoft Edge to prevent Adobe Flash content from running.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-clearing-browsing-data-on-exit-shortdesc.md b/browsers/edge/shortdesc/allow-clearing-browsing-data-on-exit-shortdesc.md
new file mode 100644
index 0000000000..31127ca2d7
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-clearing-browsing-data-on-exit-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge does not clear the browsing data on exit by default, but users can configure the _Clear browsing data_ option in Settings. Browsing data includes information you entered in forms, passwords, and even the websites visited. With this policy, you can configure Microsoft Edge to clear the browsing data automatically each time Microsoft Edge closes.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-configuration-updates-for-books-library-shortdesc.md b/browsers/edge/shortdesc/allow-configuration-updates-for-books-library-shortdesc.md
new file mode 100644
index 0000000000..872ac26597
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-configuration-updates-for-books-library-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge automatically updates the configuration data for the Books Library. Disabling this policy prevents Microsoft Edge from updating the configuration data.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-cortana-shortdesc.md b/browsers/edge/shortdesc/allow-cortana-shortdesc.md
new file mode 100644
index 0000000000..2857a93d27
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-cortana-shortdesc.md
@@ -0,0 +1 @@
+Since Microsoft Edge is integration with Cortana, Microsoft Edge allows users to use Cortana voice assistant by default. With this policy, you can configure Microsoft Edge to prevent users from using Cortana but can still search to find items on their device.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-developer-tools-shortdesc.md b/browsers/edge/shortdesc/allow-developer-tools-shortdesc.md
new file mode 100644
index 0000000000..b9bab04325
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-developer-tools-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge allows users to use the F12 developer tools to build and debug web pages by default. With this policy, you can configure Microsoft Edge to prevent users from using the F12 developer tools.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-extended-telemetry-for-books-tab-shortdesc.md b/browsers/edge/shortdesc/allow-extended-telemetry-for-books-tab-shortdesc.md
new file mode 100644
index 0000000000..1c11de47c0
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-extended-telemetry-for-books-tab-shortdesc.md
@@ -0,0 +1 @@
+By default, and depending on the device configuration, Microsoft Edge gathers basic diagnostic data about the books in the Books Library and sends it to Microsoft. Enabling this policy gathers and sends both basic and additional diagnostic data, such as usage data.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-extensions-shortdesc.md b/browsers/edge/shortdesc/allow-extensions-shortdesc.md
new file mode 100644
index 0000000000..2d1f8ec802
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-extensions-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge allows users to add or personalize extensions in Microsoft Edge by default. With this policy, you can configure Microsoft to prevent users from adding or personalizing extensions.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-fullscreen-mode-shortdesc.md b/browsers/edge/shortdesc/allow-fullscreen-mode-shortdesc.md
new file mode 100644
index 0000000000..0ce0f11a60
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-fullscreen-mode-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge allows full-screen mode by default, which shows only the web content and hides the Microsoft Edge UI. When allowing full-screen mode, users and extensions must have the proper permissions. Disabling this policy prevents full-screen mode in Microsoft Edge.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-inprivate-browsing-shortdesc.md b/browsers/edge/shortdesc/allow-inprivate-browsing-shortdesc.md
new file mode 100644
index 0000000000..75def749bb
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-inprivate-browsing-shortdesc.md
@@ -0,0 +1 @@
+By default, Microsoft Edge allows InPrivate browsing, and after closing all InPrivate tabs, Microsoft Edge deletes the browsing data from the device. With this policy, you can configure Microsoft Edge to prevent InPrivate web browsing.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-microsoft-compatibility-list-shortdesc.md b/browsers/edge/shortdesc/allow-microsoft-compatibility-list-shortdesc.md
new file mode 100644
index 0000000000..a56056d3e9
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-microsoft-compatibility-list-shortdesc.md
@@ -0,0 +1 @@
+During browser navigation, Microsoft Edge checks the Microsoft Compatibility List for websites with known compatibility issues. If found, users are prompted to use Internet Explorer, where the site loads and displays correctly. Periodically during browser navigation, Microsoft Edge downloads the latest version of the list and applies the updates. With this policy, you can configure Microsoft Edge to ignore the compatibility list. You can view the compatibility list at about:compat.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-prelaunch-shortdesc.md b/browsers/edge/shortdesc/allow-prelaunch-shortdesc.md
new file mode 100644
index 0000000000..cf14ea8715
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-prelaunch-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge pre-launches during Windows startup when the system is idle, and each time Microsoft Edge closes by default. When Microsoft Edge pre-launches, it runs as a background process waiting to be launched by the user. Pre-launching helps the performance of Microsoft Edge and minimizes the amount of time required to start up Microsoft Edge. With this policy, you can configure Microsoft Edge to prevent Microsoft Edge from pre-launching.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-printing-shortdesc.md b/browsers/edge/shortdesc/allow-printing-shortdesc.md
new file mode 100644
index 0000000000..07e8e98f42
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-printing-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge allows users to print web content by default. With this policy though, you can configure Microsoft Edge to prevent users from printing web content.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-saving-history-shortdesc.md b/browsers/edge/shortdesc/allow-saving-history-shortdesc.md
new file mode 100644
index 0000000000..bec7172c23
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-saving-history-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge saves the browsing history of visited websites and shows them in the History pane by default. Disabling this policy prevents Microsoft Edge from saving the browsing history. If browsing history existed before disabling this policy, the previous browsing history remains in the History pane. Disabling this policy does not stop roaming of existing browsing history or browsing history from other devices.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-search-engine-customization-shortdesc.md b/browsers/edge/shortdesc/allow-search-engine-customization-shortdesc.md
new file mode 100644
index 0000000000..2b4e25a7c3
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-search-engine-customization-shortdesc.md
@@ -0,0 +1 @@
+By default, users can add new search engines or change the default search engine, in Settings. With this policy, you can prevent users from customizing the search engine in Microsoft Edge.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-sideloading-of-extensions-shortdesc.md b/browsers/edge/shortdesc/allow-sideloading-of-extensions-shortdesc.md
new file mode 100644
index 0000000000..bb723ab0c6
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-sideloading-of-extensions-shortdesc.md
@@ -0,0 +1 @@
+By default, Microsoft Edge allows sideloading, which installs and runs unverified extensions. Disabling this policy prevents sideloading of extensions but does not prevent sideloading using Add-AppxPackage via PowerShell. You can only install extensions through Microsoft store (including a store for business), enterprise storefront (such as Company Portal) or PowerShell (using Add-AppxPackage).
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-tab-preloading-shortdesc.md b/browsers/edge/shortdesc/allow-tab-preloading-shortdesc.md
new file mode 100644
index 0000000000..5349cf7350
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-tab-preloading-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge allows preloading of the Start and New tab pages during Windows sign in, and each time Microsoft Edge closes by default. Preloading minimizes the amount of time required to start Microsoft Edge and load a new tab. With this policy, you can configure Microsoft Edge to prevent preloading of tabs.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-web-content-on-new-tab-page-shortdesc.md b/browsers/edge/shortdesc/allow-web-content-on-new-tab-page-shortdesc.md
new file mode 100644
index 0000000000..911267bdb1
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-web-content-on-new-tab-page-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge loads the default New tab page by default. Disabling this policy loads a blank page instead of the New tab page and prevents users from changing it. Not configuring this policy lets users choose how the New tab page appears.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/always-show-books-library-shortdesc.md b/browsers/edge/shortdesc/always-show-books-library-shortdesc.md
new file mode 100644
index 0000000000..9a382427fa
--- /dev/null
+++ b/browsers/edge/shortdesc/always-show-books-library-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge shows the Books Library only in countries or regions where supported. With this policy you can configure Microsoft Edge to show the Books Library regardless of the device’s country or region.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-additional-search-engines-shortdesc.md b/browsers/edge/shortdesc/configure-additional-search-engines-shortdesc.md
new file mode 100644
index 0000000000..105441a2b9
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-additional-search-engines-shortdesc.md
@@ -0,0 +1 @@
+By default, users cannot add, remove, or change any of the search engines in Microsoft Edge, but they can set a default search engine. You can set the default search engine using the [[Set default search engine]](../available-policies.md#set-default-search-engine) policy. With this policy, you can configure up to five additional search engines and set any one of them as the default. If you previously enabled this policy and now want to disable it, disabling deletes all configured search engines.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-adobe-flash-click-to-run-setting-shortdesc.md b/browsers/edge/shortdesc/configure-adobe-flash-click-to-run-setting-shortdesc.md
new file mode 100644
index 0000000000..d0d0effbb0
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-adobe-flash-click-to-run-setting-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge supports Adobe Flash as a built-in feature rather than as an external add-on and updates automatically via Windows Update. By default, Microsoft Edge prevents Adobe Flash content from loading automatically, requiring action from the user. Depending on how often the content loads and runs, the sites for the content gets added to the auto-allowed list. Disable this policy if you want Adobe Flash content to load automatically.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-allow-flash-for-url-list-shortdesc.md b/browsers/edge/shortdesc/configure-allow-flash-for-url-list-shortdesc.md
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/browsers/edge/shortdesc/configure-autofill-shortdesc.md b/browsers/edge/shortdesc/configure-autofill-shortdesc.md
new file mode 100644
index 0000000000..247308fee8
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-autofill-shortdesc.md
@@ -0,0 +1 @@
+By default, users can choose to use the Autofill feature to automatically populate the form fields. With this policy, you can configure Microsoft Edge, when enabled to use Autofill or, when disabled to prevent using Autofill.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md b/browsers/edge/shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md
new file mode 100644
index 0000000000..6a9cce12e0
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge does not send browsing history data to Microsoft 365 Analytics by default. With this policy though, you can configure Microsoft Edge to send intranet history only, internet history only, or both to Microsoft 365 Analytics for enterprise devices with a configured Commercial ID.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-cookies-shortdesc.md b/browsers/edge/shortdesc/configure-cookies-shortdesc.md
new file mode 100644
index 0000000000..2dd965592f
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-cookies-shortdesc.md
@@ -0,0 +1 @@
+By default, Microsoft Edge allows all cookies from all websites. With this policy, however, you can configure Microsoft to block only 3rd-party cookies or block all cookies.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-do-not-track-shortdesc.md b/browsers/edge/shortdesc/configure-do-not-track-shortdesc.md
new file mode 100644
index 0000000000..b2a565bf99
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-do-not-track-shortdesc.md
@@ -0,0 +1 @@
+By default, Microsoft Edge does not send Do Not Track requests to websites asking for tracking information, but users can choose to send tracking information to sites they visit. With this policy, you can configure Microsoft Edge to send or never send tracking information.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-enterprise-mode-site-list-shortdesc.md b/browsers/edge/shortdesc/configure-enterprise-mode-site-list-shortdesc.md
new file mode 100644
index 0000000000..2e4d10db74
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-enterprise-mode-site-list-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge does not support ActiveX controls, Browser Helper Objects, VBScript, or other legacy technology. With this policy, and you have sites or apps that use this technology, you can configure Microsoft Edge to check the Enterprise Mode Site List XML file that lists the sites and domains with compatibility issues and automatically switch to IE11. You can use the same site list for both Microsoft Edge and IE11, or you can use separate lists. By default, Microsoft Edge ignores the Enterprise Mode and the Enterprise Mode Site List XML file. In this case, users might experience problems while using legacy apps. These sites and domains must be viewed using Internet Explorer 11 and Enterprise Mode.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-favorites-bar-shortdesc.md b/browsers/edge/shortdesc/configure-favorites-bar-shortdesc.md
new file mode 100644
index 0000000000..4536456e59
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-favorites-bar-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge hides the favorites bar by default but shows the favorites bar on the Start and New tab pages. Also, by default, the favorites bar toggle, in Settings, is set to Off but enabled allowing users to make changes. With this policy, you can configure Microsoft Edge to either show or hide the favorites bar on all pages.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-favorites-shortdesc.md b/browsers/edge/shortdesc/configure-favorites-shortdesc.md
new file mode 100644
index 0000000000..6e44abbe67
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-favorites-shortdesc.md
@@ -0,0 +1,2 @@
+Being deprecated in RS5 >> You can configure a list of URLs and create a set of folders to appear in Microsoft Edge’s Favorites list. When you enable this policy, users cannot customize the Favorites list, such as adding folders for organizing, and adding or removing any of the favorites configured. By default, this policy is disabled or not configured allowing users to customize the Favorites list.
+
diff --git a/browsers/edge/shortdesc/configure-home-button-shortdesc.md b/browsers/edge/shortdesc/configure-home-button-shortdesc.md
new file mode 100644
index 0000000000..2c132ae367
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-home-button-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge shows the home button and by clicking it the Start page loads by default. With this policy, you can configure the Home button to load the New tab page or a URL defined in the Set Home Button URL policy. You can also configure Microsoft Edge to hide the home button.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-inprivate-shortdesc.md b/browsers/edge/shortdesc/configure-inprivate-shortdesc.md
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/browsers/edge/shortdesc/configure-kiosk-mode-shortdesc.md b/browsers/edge/shortdesc/configure-kiosk-mode-shortdesc.md
new file mode 100644
index 0000000000..a0e1cbf398
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-kiosk-mode-shortdesc.md
@@ -0,0 +1 @@
+Configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access, either as a single-app or as one of many apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with limited functionality, or normal Microsoft Edge.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md b/browsers/edge/shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md
new file mode 100644
index 0000000000..4772d2d2dd
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md
@@ -0,0 +1 @@
+You can configure Microsoft Edge kiosk mode to reset to the configured start experience after a specified amount of idle time in minutes (0-1440). The reset timer begins after the last user interaction. Once the idle time meets the time specified, a confirmation message prompts the user to continue, and if no user action, Microsoft Edge kiosk mode resets after 30 seconds. Resetting to the configured start experience deletes the current user’s browsing data.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-open-microsoft-edge-with-shortdesc.md b/browsers/edge/shortdesc/configure-open-microsoft-edge-with-shortdesc.md
new file mode 100644
index 0000000000..7383d68455
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-open-microsoft-edge-with-shortdesc.md
@@ -0,0 +1 @@
+By default, Microsoft Edge loads a specific page or pages defined in the Configure Start Pages policy and allow users to make changes. With this policy, you can configure Microsoft Edge to load either the Start page, New tab page, previously opened pages. You can also configure Microsoft Edge to prevent users from changing or customizing the Start page. For this policy to work correctly, you must also configure the Configure Start Pages. If you want to prevent users from making changes, don’t configure the Disable Lockdown of Start Pages policy.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-password-manager-shortdesc.md b/browsers/edge/shortdesc/configure-password-manager-shortdesc.md
new file mode 100644
index 0000000000..63a62cfff5
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-password-manager-shortdesc.md
@@ -0,0 +1 @@
+By default, Microsoft Edge uses Password Manager automatically, allowing users to manager passwords locally. Disabling this policy restricts Microsoft Edge from using Password Manager. Don’t configure this policy if you want to let users choose to save and manage passwords locally using Password Manager.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-pop-up-blocker-shortdesc.md b/browsers/edge/shortdesc/configure-pop-up-blocker-shortdesc.md
new file mode 100644
index 0000000000..a486046711
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-pop-up-blocker-shortdesc.md
@@ -0,0 +1 @@
+By default, Microsoft Edge turns off Pop-up Blocker allowing pop-up windows to appear. Enabling this policy turns on Pop-up Blocker stopping pop-up windows from appearing. Don’t configure this policy to let users choose to use Pop-up Blocker.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-search-suggestions-in-address-bar-shortdesc.md b/browsers/edge/shortdesc/configure-search-suggestions-in-address-bar-shortdesc.md
new file mode 100644
index 0000000000..e95e652f45
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-search-suggestions-in-address-bar-shortdesc.md
@@ -0,0 +1 @@
+By default, users can choose to see search suggestions in the Address bar of Microsoft Edge. Disabling this policy hides the search suggestions and enabling this policy shows the search suggestions.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-start-pages-shortdesc.md b/browsers/edge/shortdesc/configure-start-pages-shortdesc.md
new file mode 100644
index 0000000000..f027fdb17e
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-start-pages-shortdesc.md
@@ -0,0 +1 @@
+By default, Microsoft Edge loads the pages specified in App settings as the default Start pages. With this policy, you can configure one or more Start pages when you enable this policy and enable the Configure Open Microsoft Edge With policy. Once you set the Start pages, either in this policy or Configure Open Microsoft Edge With policy, users cannot make changes.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-windows-defender-smartscreen-shortdesc.md b/browsers/edge/shortdesc/configure-windows-defender-smartscreen-shortdesc.md
new file mode 100644
index 0000000000..1c08dd6aad
--- /dev/null
+++ b/browsers/edge/shortdesc/configure-windows-defender-smartscreen-shortdesc.md
@@ -0,0 +1 @@
+By default, Microsoft Edge uses Windows Defender SmartScreen (turned on) to protect users from potential phishing scams and malicious software. Also by default, users cannot disable (turn off) Windows Defender SmartScreen. Enabling this policy turns off Windows Defender SmartScreen and prevent users from turning it on. Don’t configure this policy to let users choose to turn Windows defender SmartScreen on or off.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/disable-lockdown-of-start-pages-shortdesc.md b/browsers/edge/shortdesc/disable-lockdown-of-start-pages-shortdesc.md
new file mode 100644
index 0000000000..9286227f0e
--- /dev/null
+++ b/browsers/edge/shortdesc/disable-lockdown-of-start-pages-shortdesc.md
@@ -0,0 +1 @@
+By default, the Start pages configured in either the Configure Start Pages policy or Configure Open Microsoft Edge policies cannot be changed and remain locked down. Enabling this policy unlocks the Start pages, and lets users make changes to either all configured Start page or any Start page configured with the Configure Start pages policy.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/do-not-sync-browser-settings-shortdesc.md b/browsers/edge/shortdesc/do-not-sync-browser-settings-shortdesc.md
new file mode 100644
index 0000000000..5e485a0200
--- /dev/null
+++ b/browsers/edge/shortdesc/do-not-sync-browser-settings-shortdesc.md
@@ -0,0 +1 @@
+By default, the “browser” group syncs automatically between user’s devices and allowing users to choose to make changes. The “browser” group uses the _Sync your Settings_ option in Settings to sync information like history and favorites. Enabling this policy prevents the “browser” group from using the Sync your Settings option. If you want syncing turned off by default but not disabled, select the _Allow users to turn “browser” syncing_ option.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/do-not-sync-shortdesc.md b/browsers/edge/shortdesc/do-not-sync-shortdesc.md
new file mode 100644
index 0000000000..1e9ac07094
--- /dev/null
+++ b/browsers/edge/shortdesc/do-not-sync-shortdesc.md
@@ -0,0 +1 @@
+By default, Microsoft Edge turns on the Sync your Settings toggle in Settings and let users choose what to sync on their device. Enabling this policy turns off and disables the Sync your Settings toggle in Settings, preventing syncing of user’s settings between their devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable this policy and select the _Allow users to turn syncing on_ option.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md b/browsers/edge/shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md
new file mode 100644
index 0000000000..71de365bde
--- /dev/null
+++ b/browsers/edge/shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md
@@ -0,0 +1 @@
+By default, Microsoft Edge does not sync the user’s favorites between IE and Microsoft Edge. Enabling this policy syncs favorites between Internet Explorer and Microsoft Edge. Changes to favorites in one browser reflect in the other, including additions, deletions, modifications, and ordering of favorites.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md b/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md
new file mode 100644
index 0000000000..132291b931
--- /dev/null
+++ b/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md
@@ -0,0 +1 @@
+This document describes the supported mechanisms for extending or modifying the behavior or user experience of Microsoft Edge and Internet Explorer, or the content displayed by these browsers. Any technique not explicitly listed in this document is considered **unsupported**.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/prevent-access-to-about-flags-page-shortdesc.md b/browsers/edge/shortdesc/prevent-access-to-about-flags-page-shortdesc.md
new file mode 100644
index 0000000000..b13677be33
--- /dev/null
+++ b/browsers/edge/shortdesc/prevent-access-to-about-flags-page-shortdesc.md
@@ -0,0 +1 @@
+By default, users can access the about:flags page in Microsoft Edge, which is used to change developer settings and enable experimental features. Enabling this policy prevents users from accessing the about:flags page.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md b/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md
new file mode 100644
index 0000000000..135bd4f574
--- /dev/null
+++ b/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md
@@ -0,0 +1 @@
+By default, Microsoft Edge allows users to bypass (ignore) the Windows Defender SmartScreen warnings about potentially malicious files, allowing them to continue downloading unverified file(s). Enabling this policy prevents users from bypassing the warnings, blocking them from downloading of unverified file(s).
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md b/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md
new file mode 100644
index 0000000000..56a2ecdd15
--- /dev/null
+++ b/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md
@@ -0,0 +1 @@
+By default, Microsoft Edge allows users to bypass (ignore) the Windows Defender SmartScreen warnings about potentially malicious sites, allowing them to continue to the site. With this policy though, you can configure Microsoft Edge to prevent users from bypassing the warnings, blocking them from continuing to the site.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/prevent-certificate-error-overrides-shortdesc.md b/browsers/edge/shortdesc/prevent-certificate-error-overrides-shortdesc.md
new file mode 100644
index 0000000000..0d4351e0cb
--- /dev/null
+++ b/browsers/edge/shortdesc/prevent-certificate-error-overrides-shortdesc.md
@@ -0,0 +1 @@
+Web security certificates are used to ensure a site that users go to is legitimate, and in some circumstances, encrypts the data. By default, Microsoft Edge allows overriding of the security warnings to sites that have SSL errors, bypassing or ignoring certificate errors. Enabling this policy prevents overriding of the security warnings.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/prevent-changes-to-favorites-shortdesc.md b/browsers/edge/shortdesc/prevent-changes-to-favorites-shortdesc.md
new file mode 100644
index 0000000000..195318866f
--- /dev/null
+++ b/browsers/edge/shortdesc/prevent-changes-to-favorites-shortdesc.md
@@ -0,0 +1 @@
+By default, users can add, import, and make changes to the Favorites list in Microsoft Edge. Enabling this policy locks down the Favorites list in Microsoft Edge, preventing users from making changes. When enabled, Microsoft Edge turns off the Save a Favorite, Import settings, and context menu items, such as Create a new folder. Enable only this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy. If you enable both, Microsoft Edge prevents users from syncing their favorites between the two browsers.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/prevent-edge-from-gathering-live-tile-info-shortdesc.md b/browsers/edge/shortdesc/prevent-edge-from-gathering-live-tile-info-shortdesc.md
new file mode 100644
index 0000000000..4be519322f
--- /dev/null
+++ b/browsers/edge/shortdesc/prevent-edge-from-gathering-live-tile-info-shortdesc.md
@@ -0,0 +1 @@
+By default, Microsoft Edge collects the Live Tile metadata and sends it to Microsoft to help provide users a more complete experience when they pin Live Tiles to the Start menu. However, with this policy, you can configure Microsoft Edge to prevent Microsoft from collecting Live Tile metadata, providing users a limited experience.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/prevent-first-run-webpage-from-opening-shortdesc.md b/browsers/edge/shortdesc/prevent-first-run-webpage-from-opening-shortdesc.md
new file mode 100644
index 0000000000..f587cc839c
--- /dev/null
+++ b/browsers/edge/shortdesc/prevent-first-run-webpage-from-opening-shortdesc.md
@@ -0,0 +1 @@
+By default, when launching Microsoft Edge for the first time, the First Run webpage (a welcome page) hosted on Microsoft.com loads automatically via a FWLINK. The welcome page lists the new features and helpful tips of Microsoft Edge. With this policy, you can configure Microsoft Edge to prevent loading the welcome page on first explicit user-launch.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/prevent-turning-off-required-extensions-shortdesc.md b/browsers/edge/shortdesc/prevent-turning-off-required-extensions-shortdesc.md
new file mode 100644
index 0000000000..e428d938ed
--- /dev/null
+++ b/browsers/edge/shortdesc/prevent-turning-off-required-extensions-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge allows users to uninstall extensions by default. Enabling this policy prevents users from uninstalling extensions but lets them configure options for extensions defined in this policy, such as allowing InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically. If you enabled this policy and now you want to disable it, the list of extension package family names (PFNs) defined in this policy get ignored after disabling this policy.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md b/browsers/edge/shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md
new file mode 100644
index 0000000000..1211a69dfa
--- /dev/null
+++ b/browsers/edge/shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md
@@ -0,0 +1 @@
+By default, the “browser” group syncs automatically between the user’s devices, letting users make changes. With this policy, though, you can prevent the “browser” group from syncing and prevent users from turning on the _Sync your Settings_ toggle in Settings. If you want syncing turned off by default but not disabled, select the _Allow users to turn “browser” syncing_ option in the Do not sync browser policy. For this policy to work correctly, you must enable the Do not sync browser policy.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md b/browsers/edge/shortdesc/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md
new file mode 100644
index 0000000000..defb76bdf5
--- /dev/null
+++ b/browsers/edge/shortdesc/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md
@@ -0,0 +1 @@
+By default, Microsoft Edge shows localhost IP address while making calls using the WebRTC protocol. Enabling this policy hides the localhost IP addresses.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/provision-favorites-shortdesc.md b/browsers/edge/shortdesc/provision-favorites-shortdesc.md
new file mode 100644
index 0000000000..7f02b200c8
--- /dev/null
+++ b/browsers/edge/shortdesc/provision-favorites-shortdesc.md
@@ -0,0 +1 @@
+By default, users can customize the Favorites list in Microsoft Edge. With this policy though, you provision a standard list of favorites, which can include folders, to appear in the Favorites list in addition to the user’s favorites. Edge. Once you provision the Favorites list, users cannot customize it, such as adding folders for organizing, and adding or removing any of the favorites configured.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/search-provider-discovery-shortdesc.md b/browsers/edge/shortdesc/search-provider-discovery-shortdesc.md
new file mode 100644
index 0000000000..c5684bc753
--- /dev/null
+++ b/browsers/edge/shortdesc/search-provider-discovery-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge follows the OpenSearch 1.1 specification to discover and use web search providers. When a user browses to a search service, the OpenSearch description is picked up and saved for later use. Users can then choose to add the search service to use in the Microsoft Edge address bar.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/send-all-intranet-sites-to-ie-shortdesc.md b/browsers/edge/shortdesc/send-all-intranet-sites-to-ie-shortdesc.md
new file mode 100644
index 0000000000..296965ba86
--- /dev/null
+++ b/browsers/edge/shortdesc/send-all-intranet-sites-to-ie-shortdesc.md
@@ -0,0 +1 @@
+By default, all websites, including intranet sites, open in Microsoft Edge automatically. Only enable this policy if there are known compatibility problems with Microsoft Edge. Enabling this policy loads only intranet sites in Internet Explorer 11 automatically.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/set-default-search-engine-shortdesc.md b/browsers/edge/shortdesc/set-default-search-engine-shortdesc.md
new file mode 100644
index 0000000000..839e07428b
--- /dev/null
+++ b/browsers/edge/shortdesc/set-default-search-engine-shortdesc.md
@@ -0,0 +1 @@
+By default, Microsoft Edge uses the default search engine specified in App settings. In this case, users can make changes to the default search engine at any time unless the Allow search engine customization policy is disabled, which restricts users from making any changes. Disabling this policy removes the policy-set search engine and uses the Microsoft Edge specified engine for the market. Enabling this policy uses the policy-set search engine specified in the OpenSearch XML file, prevent users from changing the default search engine.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/set-home-button-url-shortdesc.md b/browsers/edge/shortdesc/set-home-button-url-shortdesc.md
new file mode 100644
index 0000000000..80b7cf8040
--- /dev/null
+++ b/browsers/edge/shortdesc/set-home-button-url-shortdesc.md
@@ -0,0 +1 @@
+By default, Microsoft Edge shows the home button and loads the Start page, and locks down the home button to prevent users from changing what page loads. Enabling this policy loads a custom URL for the home button. When you enable this policy, and enable the Configure Home Button policy with the _Show home button & set a specific page_ option selected, a custom URL loads when the user clicks the home button.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/set-new-tab-url-shortdesc.md b/browsers/edge/shortdesc/set-new-tab-url-shortdesc.md
new file mode 100644
index 0000000000..35ae30c337
--- /dev/null
+++ b/browsers/edge/shortdesc/set-new-tab-url-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge loads the default New tab page by default. Enabling this policy lets you set a New tab page URL in Microsoft Edge, preventing users from changing it. When you enable this policy, and you disable the Allow web content on New tab page policy, Microsoft Edge ignores any URL specified in this policy and opens about:blank.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/shortdesc-test.md b/browsers/edge/shortdesc/shortdesc-test.md
new file mode 100644
index 0000000000..2c796253ef
--- /dev/null
+++ b/browsers/edge/shortdesc/shortdesc-test.md
@@ -0,0 +1 @@
+UI settings for the home button are disabled preventing your users from making changes
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md b/browsers/edge/shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md
new file mode 100644
index 0000000000..7601ad77fc
--- /dev/null
+++ b/browsers/edge/shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md
@@ -0,0 +1 @@
+Microsoft Edge does not show a notification before opening sites in Internet Explorer 11. However, with this policy, you can configure Microsoft Edge to display a notification before a site opens in IE11 or let users continue in Microsoft Edge. If you want users to continue in Microsoft Edge, enable this policy to show the “Keep going in Microsoft Edge” link in the notification. For this policy to work correctly, you must also enable the Configure the Enterprise Mode Site List or Send all intranet sites to Internet Explorer 11, or both.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/unlock-home-button-shortdesc.md b/browsers/edge/shortdesc/unlock-home-button-shortdesc.md
new file mode 100644
index 0000000000..aff697e8f0
--- /dev/null
+++ b/browsers/edge/shortdesc/unlock-home-button-shortdesc.md
@@ -0,0 +1 @@
+By default, when you enable the Configure Home Button policy or provide a URL in the Set Home Button URL policy, Microsoft Edge locks down the home button to prevent users from changing the settings. When you enable this policy, users can make changes to the home button even if you enabled the Configure Home Button or Set Home Button URL policies.
\ No newline at end of file
diff --git a/browsers/enterprise-mode/add-employees-enterprise-mode-portal.md b/browsers/enterprise-mode/add-employees-enterprise-mode-portal.md
new file mode 100644
index 0000000000..72e501af4b
--- /dev/null
+++ b/browsers/enterprise-mode/add-employees-enterprise-mode-portal.md
@@ -0,0 +1,65 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Details about how to add employees to the Enterprise Mode Site List Portal.
+author: eross-msft
+ms.prod: ie11
+title: Add employees to the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+# Add employees to the Enterprise Mode Site List Portal
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+After you get the Enterprise Mode Site List Portal up and running, you must add your employees. During this process, you'll also assign roles and groups.
+
+The available roles are:
+
+- **Requester.** The primary role to assign to employees that need to access the Enterprise Mode Site List Portal. The Requester can create change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal change requests, and sign off and close personal change requests.
+
+- **App Manager.** This role is considered part of the Approvers group. The App Manager can approve change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal requests, and sign off and close personal requests.
+
+- **Group Head.** This role is considered part of the Approvers group. The Group Head can approve change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal requests, and sign off and close personal requests.
+
+- **Administrator.** The role with the highest-level rights; we recommend limiting the number of employees you grant this role. The Administrator can perform any task that can be performed by the other roles, in addition to adding employees to the portal, assigning employee roles, approving registrations to the portal, configuring portal settings (for example, determining the freeze schedule, determining the pre-production and production XML paths, and determining the attachment upload location), and using the standalone Enterprise Mode Site List Manager page.
+
+**To add an employee to the Enterprise Mode Site List Portal**
+1. Open the Enterprise Mode Site List Portal and click the **Employee Management** icon in the upper-right area of the page.
+
+ The **Employee management** page appears.
+
+2. Click **Add a new employee**.
+
+ The **Add a new employee** page appears.
+
+3. Fill out the fields for each employee, including:
+
+ - **Email.** Add the employee's email address.
+
+ - **Name.** This box autofills based on the email address.
+
+ - **Role.** Pick a single role for the employee, based on the list above.
+
+ - **Group name.** Pick the name of the employee's group. The group association also assigns a group of Approvers.
+
+ - **Comments.** Add optional comments about the employee.
+
+ - **Active.** Click the check box to make the employee active in the system. If you want to keep the employee in the system, but you want to prevent access, clear this check box.
+
+4. Click **Save**.
+
+**To export all employees to an Excel spreadsheet**
+1. On the **Employee management** page, click **Export to Excel**.
+
+2. Save the EnterpriseModeUsersList.xlsx file.
+
+ The Excel file includes all employees with access to the Enterprise Mode Site List Portal, including user name, email address, role, and group name.
\ No newline at end of file
diff --git a/browsers/enterprise-mode/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md b/browsers/enterprise-mode/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md
new file mode 100644
index 0000000000..595d31fa6f
--- /dev/null
+++ b/browsers/enterprise-mode/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md
@@ -0,0 +1,109 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the Bulk add from file area of the Enterprise Mode Site List Manager.
+author: eross-msft
+ms.prod: ie11
+ms.assetid: 20aF07c4-051a-451f-9c46-5a052d9Ae27c
+title: Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1) (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)
+
+**Applies to:**
+
+- Windows 8.1
+- Windows 7
+
+You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the **Bulk add from file** area of the Enterprise Mode Site List Manager. You can only add specific URLs, not Internet or Intranet Zones.
+
+If you want to add your websites one at a time, see Add sites to the [Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md).
+
+## Create an Enterprise Mode site list (TXT) file
+You can create and use a custom text file to add multiple sites to your Enterprise Mode site list at the same time.
**Important**
This text file is only lets you add multiple sites at the same time. You can’t use this file to deploy Enterprise Mode into your company.
+
+You must separate each site using commas or carriage returns. For example:
+
+```
+microsoft.com, bing.com, bing.com/images
+```
+**-OR-**
+
+```
+microsoft.com
+bing.com
+bing.com/images
+```
+
+## Create an Enterprise Mode site list (XML) file using the v.1 version of the Enterprise Mode schema
+You can create and use a custom XML file with the Enterprise Mode Site List Manager to add multiple sites to your Enterprise Mode site list at the same time. For more info about the v.1 version of the Enterprise Mode schema, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md).
+
+Each XML file must include:
+
+- **Version number.** This number must be incremented with each version of the Enterprise Mode site list, letting Internet Explorer know whether the list is new. Approximately 65 seconds after Internet Explorer 11 starts, it compares your site list version to the stored version number. If your file has a higher number, the newer version is loaded.
**Important**
After this check, IE11 won’t look for an updated list again until you restart the browser.
+
+- **<emie> tag.** This tag specifies the domains and domain paths that must be rendered using IE7 Enterprise Mode, IE8 Enterprise Mode, or the default IE11 browser environment.
**Important**
If you decide a site requires IE7 Enterprise Mode, you must add `forceCompatView=”true”` to your XML file. That code tells Enterprise Mode to check for a `DOCTYPE` tag on the specified webpage. If there is, the site renders using Windows Internet Explorer 7. If there’s no tag, the site renders using Microsoft Internet Explorer 5.
+
+- **<docMode> tag.**This tag specifies the domains and domain paths that need either to appear using the specific doc mode you assigned to the site. Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual. For more specific info about using document modes, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md).
+
+### Enterprise Mode v.1 XML schema example
+The following is an example of what your XML file should look like when you’re done adding your sites. For more info about how to create your XML file, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md).
+
+```
+
+
+ www.cpandl.com
+ www.woodgrovebank.com
+ adatum.com
+ contoso.com
+ relecloud.com
+ /about
+
+ fabrikam.com
+ /products
+
+
+
+ contoso.com
+ /travel
+
+ fabrikam.com
+ /products
+
+
+
+```
+
+To make sure your site list is up-to-date; wait 65 seconds after opening IE and then check that the `CurrentVersion` value in the `HKEY\CURRENT\USER\Software\Microsoft\Internet Explorer\Main\EnterpriseMode\` registry key matches the version number in your file.
**Important**
If `CurrentVersion` is not set or is wrong, it means that the XML parsing failed. This can mean that the XML file isn’t there, that there are access problems, or that the XML file format is wrong. Don’t manually change the `CurrentVersion` registry setting. You must make your changes to your site list and then update the list using the import function in the Enterprise Mode Site List Manager (.
+
+## Add multiple sites to the Enterprise Mode Site List Manager (schema v.1)
+After you create your .xml or .txt file, you can bulk add the sites to the Enterprise Mode Site List Manager (schema v.1).
+
+ **To add multiple sites**
+
+1. In the Enterprise Mode Site List Manager (schema v.1), click **Bulk add from file**.
+
+2. Go to your site list (either .txt or .xml) to add the included sites to the tool, and then click **Open**.
+Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md).
+
+3. Click **OK** to close the **Bulk add sites to the list** menu.
+
+4. On the **File** menu, click **Save to XML**, and save your file.
+You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md).
+
+## Next steps
+After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md).
+
+## Related topics
+- [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md)
+- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378)
+
+
+
+
+
+
diff --git a/browsers/enterprise-mode/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md b/browsers/enterprise-mode/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md
new file mode 100644
index 0000000000..c8077d0f92
--- /dev/null
+++ b/browsers/enterprise-mode/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md
@@ -0,0 +1,119 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Add multiple sites to your Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2).
+author: eross-msft
+ms.prod: ie11
+ms.assetid: da659ff5-70d5-4852-995e-4df67c4871dd
+title: Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2) (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 10/24/2017
+---
+
+
+# Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+
+You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the **Bulk add from file** area of the Enterprise Mode Site List Manager (schema v.2). You can only add specific URLs, not Internet or Intranet Zones.
+
+To add your websites one at a time, see [Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md).
+
+## Create an Enterprise Mode site list (TXT) file
+
+You can create and use a custom text file with the Enterprise Mode Site List Manager (schema v.2) to add multiple sites to your Enterprise Mode site list at the same time.
+
+>**Important:**
This text file is only lets you add multiple sites at the same time. You can’t use this file to deploy Enterprise Mode into your company.
+
+You must separate each site using commas or carriage returns. For example:
+
+```
+microsoft.com, bing.com, bing.com/images
+```
+**-OR-**
+
+```
+microsoft.com
+bing.com
+bing.com/images
+```
+
+## Create an Enterprise Mode site list (XML) file using the v.2 version of the Enterprise Mode schema
+
+You can create and use a custom XML file with the Enterprise Mode Site List Manager (schema v.2) to add multiple sites to your Enterprise Mode site list at the same time.
+
+Each XML file must include:
+
+- **site-list version number**. This number must be incremented with each version of the Enterprise Mode site list, letting Internet Explorer know whether the list is new. Approximately 65 seconds after Internet Explorer 11 starts, it compares your site list version to the stored version number. If your file has a higher number, the newer version is loaded.
**Important**
After this check, IE11 won’t look for an updated list again until you restart the browser.
+
+- **<compat-mode> tag.** This tag specifies what compatibility setting are used for specific sites or domains.
+
+- **<open-in> tag.** This tag specifies what browser opens for each sites or domain.
+
+### Enterprise Mode v.2 XML schema example
+
+The following is an example of what your XML file should look like when you’re done adding your sites. For more info about how to create your XML file, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md).
+
+```
+
+
+
+ EnterpriseSitelistManager
+ 10240
+ 20150728.135021
+
+
+
+ IE8Enterprise
+ MSEdge
+
+
+ IE7Enterprise
+ IE11
+
+
+ default
+ IE11
+
+
+```
+In the above example, the following is true:
+
+- www.cpandl.com, as the main domain, must use IE8 Enterprise Mode. However, www.cpandl.com/images must use IE7 Enterprise Mode.
+
+- contoso.com, and all of its domain paths, can use the default compatibility mode for the site.
+
+To make sure your site list is up-to-date; wait 65 seconds after opening IE and then check that the `CurrentVersion` value in the `HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\EnterpriseMode\` registry key matches the version number in your file.
**Important**
If `CurrentVersion` is not set or is wrong, it means that the XML parsing failed. This can mean that the XML file isn’t there, that there are access problems, or that the XML file format is wrong. Don’t manually change the `CurrentVersion` registry setting. You must make your changes to your site list and then update the list using the import function in the Enterprise Mode Site List Manager (schema v.2).
+
+## Add multiple sites to the Enterprise Mode Site List Manager (schema v.2)
+After you create your .xml or .txt file, you can bulk add the sites to the Enterprise Mode Site List Manager (schema v.2).
+
+ **To add multiple sites**
+
+1. In the Enterprise Mode Site List Manager (schema v.2), click **Bulk add from file**.
+
+2. Go to your site list (either .txt or .xml) to add the included sites to the tool, and then click **Open**.
+Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md).
+
+3. Click **OK** to close the **Bulk add sites to the list** menu.
+
+4. On the **File** menu, click **Save to XML**, and save your file.
+You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md).
+
+## Next steps
+After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md).
+
+## Related topics
+- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853)
+- [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md)
+
+
+
+
+
+
diff --git a/browsers/enterprise-mode/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md b/browsers/enterprise-mode/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md
new file mode 100644
index 0000000000..f6061375ab
--- /dev/null
+++ b/browsers/enterprise-mode/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md
@@ -0,0 +1,63 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that's designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
+author: eross-msft
+ms.prod: ie11
+ms.assetid: 042e44e8-568d-4717-8fd3-69dd198bbf26
+title: Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1) (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)
+
+**Applies to:**
+
+- Windows 8.1
+- Windows 7
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
**Important**
You can only add specific URLs, not Internet or Intranet Zones.
+
+
**Note**
If you need to include a lot of sites, instead of adding them one at a time, you can create a list of websites and add them all at the same time. For more information, see [Add multiple sites to the Enterprise Mode site list using a file and the Windows 7 and 8.1 Enterprise Mode Site List Manager](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md).
+
+## Adding a site to your compatibility list
+You can add individual sites to your compatibility list by using the Enterprise Mode Site List Manager.
+
**Note**
If you're using the v.2 version of the Enterprise Mode schema, you'll need to use the Enterprise Mode Site List Manager (schema v.1). For more info, see [Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md).
+
+ **To add a site to your compatibility list using the Enterprise Mode Site List Manager (schema v.1)**
+
+1. In the Enterprise Mode Site List Manager (schema v.1), click **Add**.
+
+2. Type the URL for the website that’s experiencing compatibility problems, like *<domain>.com* or *<domain>.com*/*<path>* into the **URL** box.
+Don't include the `http://` or `https://` designation. The tool automatically tries both versions during validation.
+
+3. Type any comments about the website into the **Notes about URL** box.
+Administrators can only see comments while they’re in this tool.
+
+4. Choose **IE7 Enterprise Mode**, **IE8 Enterprise Mode**, or the appropriate document mode for sites that must be rendered using the emulation of a previous version of IE, or pick **Default IE** if the site should use the latest version of IE.
+
+The path within a domain can require a different compatibility mode from the domain itself. For example, the domain might look fine in the default IE11 browser, but the path might have problems and require the use of Enterprise Mode. If you added the domain previously, your original compatibility choice is still selected. However, if the domain is new, **IE8 Enterprise Mode** is automatically selected.
+
+Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual. For more specific info about using document modes, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md).
+
+5. Click **Save** to validate your website and to add it to the site list for your enterprise.
+If your site passes validation, it’s added to the global compatibility list. If the site doesn’t pass validation, you’ll get an error message explaining the problem. You’ll then be able to either cancel the site or ignore the validation problem and add it to your list anyway.
+
+6. On the **File** menu, go to where you want to save the file, and then click **Save to XML**.
+You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md).
+
+## Next steps
+After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md).
+
+## Related topics
+- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378)
+
+
+
+
+
+
diff --git a/browsers/enterprise-mode/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md b/browsers/enterprise-mode/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md
new file mode 100644
index 0000000000..eafa1921a5
--- /dev/null
+++ b/browsers/enterprise-mode/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md
@@ -0,0 +1,79 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that''s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
+author: eross-msft
+ms.prod: ie11
+ms.assetid: 513e8f3b-fedf-4d57-8d81-1ea4fdf1ac0b
+title: Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2) (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+
+Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
**Important**
You can only add specific URLs, not Internet or Intranet Zones.
+
+
**Note**
If you need to include a lot of sites, instead of adding them one at a time, you can create a list of websites and add them all at the same time. For more information, see the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) topic, based on your operating system.
+
+## Adding a site to your compatibility list
+You can add individual sites to your compatibility list by using the Enterprise Mode Site List Manager.
+**Note**
If you're using the v.1 version of the Enterprise Mode schema, you'll need to use the Enterprise Mode Site List Manager (schema v.1). For more info, see [Add sites to the Enterprise Mode site list using the WEnterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md).
+
+ **To add a site to your compatibility list using the Enterprise Mode Site List Manager (schema v.2)**
+
+1. In the Enterprise Mode Site List Manager (schema v.2), click **Add**.
+
+2. Type the URL for the website that’s experiencing compatibility problems, like *<domain>.com* or *<domain>.com*/*<path>* into the **URL** box.
+Don't include the `http://` or `https://` designation. The tool automatically tries both versions during validation.
+
+3. Type any comments about the website into the **Notes about URL** box.
+Administrators can only see comments while they’re in this tool.
+
+4. In the **Compat Mode** box, choose one of the following:
+
+ - **IE8Enterprise**. Loads the site in IE8 Enterprise Mode.
+
+ - **IE7Enterprise**. Loads the site in IE7 Enterprise Mode.
+
+ - **IE\[*x*\]**. Where \[x\] is the document mode number and the site loads in the specified document mode.
+
+ - **Default Mode**. Loads the site using the default compatibility mode for the page.
+
+ The path within a domain can require a different compatibility mode from the domain itself. For example, the domain might look fine in the default IE11 browser, but the path might have problems and require the use of Enterprise Mode. If you added the domain previously, your original compatibility choice is still selected. However, if the domain is new, **IE8 Enterprise Mode** is automatically selected.
+
+ Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual. For more specific info about using document modes, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md).
+
+5. In conjunction with the compatibility mode, you'll need to use the **Open in** box to pick which browser opens the site.
+
+ - **IE11**. Opens the site in IE11, regardless of which browser is opened by the employee.
+
+ - **MSEdge**. Opens the site in Microsoft Edge, regardless of which browser is opened by the employee.
+
+ - **None**. Opens in whatever browser the employee chooses.
+
+6. Click **Save** to validate your website and to add it to the site list for your enterprise.
+If your site passes validation, it’s added to the global compatibility list. If the site doesn’t pass validation, you’ll get an error message explaining the problem. You’ll then be able to either cancel the site or ignore the validation problem and add it to your list anyway.
+
+7. On the **File** menu, go to where you want to save the file, and then click **Save to XML**.
+You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md).
+
+## Next steps
+After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md).
+
+## Related topics
+- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853)
+
+
+
+
+
+
diff --git a/browsers/enterprise-mode/administrative-templates-and-ie11.md b/browsers/enterprise-mode/administrative-templates-and-ie11.md
new file mode 100644
index 0000000000..8f22d23808
--- /dev/null
+++ b/browsers/enterprise-mode/administrative-templates-and-ie11.md
@@ -0,0 +1,79 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: security
+description: Administrative templates and Internet Explorer 11
+author: eross-msft
+ms.prod: ie11
+ms.assetid: 2b390786-f786-41cc-bddc-c55c8a4c5af3
+title: Administrative templates and Internet Explorer 11 (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Administrative templates and Internet Explorer 11
+
+Administrative Templates are made up of a hierarchy of policy categories and subcategories that define how your policy settings appear in the Local Group Policy Editor, including:
+
+- What registry locations correspond to each setting.
+
+- What value options or restrictions are associated with each setting.
+
+- The default value for many settings.
+
+- Text explanations about each setting and the supported version of Internet Explorer.
+
+For a conceptual overview of Administrative Templates, see [Managing Group Policy ADMX Files Step-by-Step Guide](https://go.microsoft.com/fwlink/p/?LinkId=214519).
+
+## What are Administrative Templates?
+Administrative Templates are XML-based, multi-language files that define the registry-based Group Policy settings in the Local Group Policy Editor. There are two types of Administrative Templates:
+
+- **ADMX.** A language-neutral setup file that states the number and type of policy setting, and the location by category, as it shows up in the Local Group Policy Editor.
+
+- **ADML.** A language-specific setup file that provides language-related information to the ADMX file. This file lets the policy setting show up in the right language in the Local Group Policy Editor. You can add new languages by adding new ADML files in the required language.
+
+## How do I store Administrative Templates?
+As an admin, you can create a central store folder on your SYSVOL directory, named **PolicyDefinitions**. For example, %*SystemRoot*%\\PolicyDefinitions. This folder provides a single, centralized storage location for your Administrative Templates (both ADMX and ADML) files, so they can be used by your domain-based Group Policy Objects (GPOs).
+
**Important**
Your Group Policy tools use the ADMX files in your store, ignoring any local copies. For more information about creating a central store, see [Scenario 1: Editing the Local GPO Using ADMX Files](https://go.microsoft.com/fwlink/p/?LinkId=276810).
+
+## Administrative Templates-related Group Policy settings
+When you install Internet Explorer 11, it updates the local administrative files, Inetres.admx and Inetres.adml, both located in the **PolicyDefinitions** folder.
+
**Note**
You won't see the new policy settings if you try to view or edit your policy settings on a computer that isn't running IE11. To fix this, you can either install IE11, or you can copy the updated Inetres.admx and Inetres.adml files from another computer to the **PolicyDefinitions** folder on this computer.
+
+IE11 provides these new policy settings, which are editable in the Local Group Policy Editor, and appear in the following policy paths:
+
+- Computer Configuration\\Administrative Templates\\Windows Components\\
+
+- User Configuration\\Administrative Templates\\Windows Components\\
+
+
+|Catalog |Description |
+| ------------------------------------------------ | --------------------------------------------|
+|IE |Turns standard IE configuration on and off. |
+|Internet Explorer\Accelerators |Sets up and manages Accelerators. |
+|Internet Explorer\Administrator Approved Controls |Turns ActiveX controls on and off. |
+|Internet Explorer\Application Compatibility |Turns the **Cut**, **Copy**, or **Paste** operations on or off. This setting also requires that `URLACTION_SCRIPT_PASTE` is set to **Prompt**. |
+|Internet Explorer\Browser Menus |Shows or hides the IE menus and menu options.|
+|Internet Explorer\Corporate Settings |Turns off whether you specify the code download path for each computer. |
+|Internet Explorer\Delete Browsing History |Turns the **Delete Browsing History** settings on and off. |
+|Internet Explorer\Internet Control Panel |Turns pages on and off in the **Internet Options** dialog box. Also turns on and off the subcategories that manage settings on the **Content**, **General**, **Security** and **Advanced** pages. |
+|Internet Explorer\Internet Settings |Sets up and manages the **Advanced settings**, **AutoComplete**, **Display Settings**, and **URL Encoding** options. |
+|Internet Explorer\Persistence Behavior |Sets up and manages the file size limits for Internet security zones. |
+|Internet Explorer\Privacy |Turns various privacy-related features on and off. |
+|Internet Explorer\Security Features |Turns various security-related features on and off in the browser, Windows Explorer, and other applications. |
+|Internet Explorer\Toolbars |Turns on and off the ability for users to edit toolbars in the browser. You can also set the default toolbar buttons here. |
+|RSS Feeds |Sets up and manages RSS feeds in the browser. |
+
+
+## Editing Group Policy settings
+Regardless which tool you're using to edit your Group Policy settings, you'll need to follow one of these guides for step-by-step editing instructions:
+
+- **If you're using the Group Policy Management Console (GPMC) or the Local Group Policy Editor.** See [Edit Administrative Template Policy Settings](https://go.microsoft.com/fwlink/p/?LinkId=214521) for step-by-step instructions about editing your Administrative Templates.
+
+- **If you're using GPMC with Advanced Group Policy Management (AGPM).** See [Checklist: Create, Edit, and Deploy a GPO](https://go.microsoft.com/fwlink/p/?LinkId=214522) for step-by-step instructions about how to check out a GPO from the AGPM archive, edit it, and request deployment.
+
+## Related topics
+- [Administrative templates (.admx) for Windows 10 download](https://go.microsoft.com/fwlink/p/?LinkId=746579)
+- [Administrative Templates (.admx) for Windows 8.1 and Windows Server 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=746580)
+
diff --git a/browsers/enterprise-mode/approve-change-request-enterprise-mode-portal.md b/browsers/enterprise-mode/approve-change-request-enterprise-mode-portal.md
new file mode 100644
index 0000000000..24078753c7
--- /dev/null
+++ b/browsers/enterprise-mode/approve-change-request-enterprise-mode-portal.md
@@ -0,0 +1,59 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Details about how Approvers can approve open change requests in the Enterprise Mode Site List Portal.
+author: eross-msft
+ms.prod: ie11
+title: Approve a change request using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+# Approve a change request using the Enterprise Mode Site List Portal
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+After a change request is successfully submitted to the pre-defined Approver(s), employees granted the role of **App Manager**, **Group Head**, or **Administrator**, they must approve the changes.
+
+## Approve or reject a change request
+The Approvers get an email stating that a Requester successfully opened, tested, and submitted the change request to the Approvers group. The Approvers can accept or reject a change request.
+
+**To approve or reject a change request**
+1. The Approver logs onto the Enterprise Mode Site List Portal, **All Approvals** page.
+
+ The Approver can also get to the **All Approvals** page by clicking **Approvals Pending** from the left pane.
+
+2. The Approver clicks the expander arrow (**\/**) to the right side of the change request, showing the list of Approvers and the **Approve** and **Reject** buttons.
+
+3. The Approver reviews the change request, making sure it's correct. If the info is correct, the Approver clicks **Approve** to approve the change request. If the info seems incorrect, or if the app shouldn't be added to the site list, the Approver clicks **Reject**.
+
+ An email is sent to the Requester, the Approver(s) group, and the Administrator(s) group, with the updated status of the request.
+
+
+## Send a reminder to the Approver(s) group
+If the change request is sitting in the approval queue for too long, the Requester can send a reminder to the group.
+
+- From the **My Approvals** page, click the checkbox next to the name of each Approver to be reminded, and then click **Send reminder**.
+
+ An email is sent to the selected Approver(s).
+
+
+## View rejected change requests
+The original Requester, the Approver(s) group, and the Administrator(s) group can all view the rejected change request.
+
+**To view the rejected change request**
+
+- In the Enterprise Mode Site List Portal, click **Rejected** from the left pane.
+
+ All rejected change requests appear, with role assignment determining which ones are visible.
+
+
+## Next steps
+After an Approver approves the change request, it must be scheduled for inclusion in the production Enterprise Mode Site List. For the scheduling steps, see the [Schedule approved change requests for production using the Enterprise Mode Site List Portal](schedule-production-change-enterprise-mode-portal.md) topic.
\ No newline at end of file
diff --git a/browsers/enterprise-mode/check-for-new-enterprise-mode-site-list-xml-file.md b/browsers/enterprise-mode/check-for-new-enterprise-mode-site-list-xml-file.md
new file mode 100644
index 0000000000..cf0a576c0e
--- /dev/null
+++ b/browsers/enterprise-mode/check-for-new-enterprise-mode-site-list-xml-file.md
@@ -0,0 +1,49 @@
+---
+title: Check for a new Enterprise Mode site list xml file (Internet Explorer 11 for IT Pros)
+description: You can have centralized control over Enterprise Mode by creating a single, global XML site list that includes the list of websites to render using Enterprise Mode.
+ms.assetid: 2bbc7017-622e-4baa-8981-c0bbda10e9df
+ms.prod: ie11
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+ms.sitesec: library
+author: eross-msft
+ms.author: lizross
+ms.date: 08/14/2017
+ms.localizationpriority: low
+---
+
+
+# Check for a new Enterprise Mode site list xml file
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+You can have centralized control over Enterprise Mode by creating a single, global XML site list that includes the list of websites to render using Enterprise Mode. You can add and remove sites from your XML list as frequently as you want, changing which sites should render in Enterprise Mode for your employees. For information about turning on Enterprise Mode and using site lists, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md).
+
+The information in this topic only covers HTTPS protocol. We strongly recommend that you use HTTPS protocol instead of file protocol due to increased performance.
+
+**How Internet Explorer 11 looks for an updated site list**
+
+1. Internet Explorer starts up and looks for an updated site list in the following places:
+
+ 1. **In the cache container.** IE first checks the cache container to see if it finds your XML site list.
+
+ 2. **In the local cache.** If there’s nothing in the cache container, IE checks your local cache for the site list.
+
+ 3. **On the server.** Based on standard IE caching rules, IE might look for a copy of your site list in the location you put specified in the **SiteList** value of the registry.
+
+2. If there’s an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.
**Note**
If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one.
+
+
+
+
+
+
+
+
+
diff --git a/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md b/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md
new file mode 100644
index 0000000000..ff584c1c9d
--- /dev/null
+++ b/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md
@@ -0,0 +1,479 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+description: Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7.
+author: eross-msft
+ms.prod: ie11
+ms.assetid: a145e80f-eb62-4116-82c4-3cc35fd064b6
+title: Collect data using Enterprise Site Discovery
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+# Collect data using Enterprise Site Discovery
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7 with Service Pack 1 (SP1)
+
+Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7. This inventory information helps you build a list of websites used by your company so you can make more informed decisions about your IE deployments, including figuring out which sites might be at risk or require overhauls during future upgrades.
+
+>**Upgrade Analytics and Windows upgrades**
+>You can use Upgrade Analytics to help manage your Windows 10 upgrades on devices running Windows 8.1 and Windows 7 (SP1). You can also use Upgrade Analytics to review several site discovery reports. Check out Upgrade Analytics from [here](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-analytics-get-started).
+
+
+## Before you begin
+Before you start, you need to make sure you have the following:
+
+- Latest cumulative security update (for all supported versions of Internet Explorer):
+
+ 1. Go to the [Microsoft Security Bulletin](https://go.microsoft.com/fwlink/p/?LinkID=718223) page, and change the filter to **Windows Internet Explorer 11**.
+
+ 
+
+ 2. Click the title of the latest cumulative security update, and then scroll down to the **Affected software** table.
+
+ 
+
+ 3. Click the link that represents both your operating system version and Internet Explorer 11, and then follow the instructions in the **How to get this update** section.
+
+- [Setup and configuration package](https://go.microsoft.com/fwlink/p/?LinkId=517719), including:
+
+ - Configuration-related PowerShell scripts
+
+ - IETelemetry.mof file
+
+ - Sample System Center 2012 report templates
+
+ You must use System Center 2012 R2 Configuration Manager or later for these samples to work.
+
+Both the PowerShell script and the Managed Object Format (.MOF) file need to be copied to the same location on the client device, before you run the scripts.
+
+## What data is collected?
+Data is collected on the configuration characteristics of IE and the sites it browses, as shown here.
+
+|Data point |IE11 |IE10 |IE9 |IE8 |Description |
+|------------------------|-----|-----|-----|-----|------------------------------------------------------------------------|
+|URL | X | X | X | X |URL of the browsed site, including any parameters included in the URL. |
+|Domain | X | X | X | X |Top-level domain of the browsed site. |
+|ActiveX GUID | X | X | X | X |GUID of the ActiveX controls loaded by the site. |
+|Document mode | X | X | X | X |Document mode used by IE for a site, based on page characteristics. |
+|Document mode reason | X | X | | |The reason why a document mode was set by IE. |
+|Browser state reason | X | X | | |Additional information about why the browser is in its current state. Also called, browser mode. |
+|Hang count | X | X | X | X |Number of visits to the URL when the browser hung. |
+|Crash count | X | X | X | X |Number of visits to the URL when the browser crashed. |
+|Most recent navigation failure (and count) | X | X | X | X |Description of the most recent navigation failure (like, a 404 bad request or 500 internal server error) and the number of times it happened. |
+|Number of visits | X | X | X | X |Number of times a site has been visited. |
+|Zone | X | X | X | X |Zone used by IE to browse sites, based on browser settings. |
+
+
+>**Important**
By default, IE doesn’t collect this data; you have to turn this feature on if you want to use it. After you turn on this feature, data is collected on all sites visited by IE, except during InPrivate sessions. Additionally, the data collection process is silent, so there’s no notification to the employee. Therefore, you must get consent from the employee before you start collecting info. You must also make sure that using this feature complies with all applicable local laws and regulatory requirements.
+
+### Understanding the returned reason codes
+The following tables provide more info about the Document mode reason, Browser state reason, and the Zone codes that are returned as part of your data collection.
+
+#### DocMode reason
+The codes in this table can tell you what document mode was set by IE for a webpage.
These codes only apply to Internet Explorer 10 and Internet Explorer 11.
+
+|Code |Description |
+|-----|------------|
+|3 |Page state is set by the `FEATURE_DOCUMENT_COMPATIBLE_MODE` feature control key.|
+|4 |Page is using an X-UA-compatible meta tag. |
+|5 |Page is using an X-UA-compatible HTTP header. |
+|6 |Page appears on an active **Compatibility View** list. |
+|7 |Page is using native XML parsing. |
+|8 |Page is using a special Quirks Mode Emulation (QME) mode that uses the modern layout engine, but the quirks behavior of Internet Explorer 5. |
+|9 |Page state is set by the browser mode and the page's DOCTYPE.|
+
+#### Browser state reason
+The codes in this table can tell you why the browser is in its current state. Also called “browser mode”.
These codes only apply to Internet Explorer 10 and Internet Explorer 11.
+
+|Code |Description |
+|-----|------------|
+|1 |Site is on the intranet, with the **Display intranet sites in Compatibility View** box checked. |
+|2 |Site appears on an active **Compatibility View** list, created in Group Policy. |
+|3 |Site appears on an active **Compatibility View** list, created by the user. |
+|4 |Page is using an X-UA-compatible tag. |
+|5 |Page state is set by the **Developer** toolbar. |
+|6 |Page state is set by the `FEATURE_BROWSER_EMULATION` feature control key. |
+|7 |Site appears on the Microsoft **Compatibility View (CV)** list. |
+|8 |Site appears on the **Quirks** list, created in Group Policy. |
+|11 |Site is using the default browser. |
+
+#### Zone
+The codes in this table can tell you what zone is being used by IE to browse sites, based on browser settings.
These codes apply to Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11.
+
+|Code |Description |
+|-----|------------|
+|-1 |Internet Explorer is using an invalid zone. |
+|0 |Internet Explorer is using the Local machine zone. |
+|1 |Internet Explorer is using the Local intranet zone. |
+|2 |Internet Explorer is using the Trusted sites zone. |
+|3 |Internet Explorer is using the Internet zone. |
+|4 |Internet Explorer is using the Restricted sites zone. |
+
+## Where is the data stored and how do I collect it?
+The data is stored locally, in an industry-standard WMI class, .MOF file or in an XML file, depending on your configuration. This file remains on the client computer until it’s collected. To collect the files, we recommend:
+
+- **WMI file**. Use Microsoft Configuration Manager or any agent that can read the contents of a WMI class on your computer.
+
+- **XML file**. Any agent that works with XML can be used.
+
+## WMI Site Discovery suggestions
+We recommend that you collect your data for at most a month at a time, to capture a user’s typical workflow. We don’t recommend collecting data longer than that because the data is stored in a WMI provider and can fill up your computer’s hard drive. You may also want to collect data only for pilot users or a representative sample of people, instead of turning this feature on for everyone in your company.
+
+On average, a website generates about 250bytes of data for each visit, causing only a minor impact to Internet Explorer’s performance. Over the course of a month, collecting data from 20 sites per day from 1,000 users, you’ll get about 150MB of data:
250 bytes (per site visit) X 20 sites/day X 30 days = (approximately) 150KB X 1000 users = (approximately) 150MB
+
+>**Important**
The data collection process is silent, so there’s no notification to the employee. Therefore, you must get consent from the employee before you start collecting info. You must also make sure that using this feature complies with all applicable local laws and regulatory requirements.
+
+## Getting ready to use Enterprise Site Discovery
+Before you can start to collect your data, you must run the provided PowerShell script (IETelemetrySetUp.ps1) on your client devices to start generating the site discovery data and to set up a place to store this data locally. Then, you must start collecting the site discovery data from the client devices, using one of these three options:
+
+- Collect your hardware inventory using the MOF Editor, while connecting to a client device.
+-OR-
+- Collect your hardware inventory using the MOF Editor with a .MOF import file.
+-OR-
+- Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only)
+
+### WMI only: Running the PowerShell script to compile the .MOF file and to update security privileges
+You need to set up your computers for data collection by running the provided PowerShell script (IETelemetrySetUp.ps1) to compile the .mof file and to update security privileges for the new WMI classes.
+
+>**Important**
You must run this script if you’re using WMI as your data output. It's not necessary if you're using XML as your data output.
+
+**To set up Enterprise Site Discovery**
+
+- Start PowerShell in elevated mode (using admin privileges) and run IETElemetrySetUp.ps1 by by-passing the PowerShell execution policy, using this command: `powershell -ExecutionPolicy Bypass .\IETElemetrySetUp.ps1`. For more info, see [about Execution Policies](https://go.microsoft.com/fwlink/p/?linkid=517460).
+
+### WMI only: Set up your firewall for WMI data
+If you choose to use WMI as your data output, you need to make sure that your WMI data can travel through your firewall for the domain. If you’re sure, you can skip this section; otherwise, follow these steps:
+
+**To set up your firewall**
+
+1. In **Control Panel**, click **System and Security**, and then click **Windows Firewall**.
+
+2. In the left pane, click **Allow an app or feature through Windows Firewall** and scroll down to check the box for **Windows Management Instrumentation (WMI)**.
+
+3. Restart your computer to start collecting your WMI data.
+
+## Use PowerShell to finish setting up Enterprise Site Discovery
+You can determine which zones or domains are used for data collection, using PowerShell. If you don’t want to use PowerShell, you can do this using Group Policy. For more info, see [Use Group Policy to finish setting up Enterprise Site Discovery](#use-group-policy-to-finish-setting-up-enterprise-site-discovery).
+
+>**Important**
The .ps1 file updates turn on Enterprise Site Discovery and WMI collection for all users on a device.
+
+- **Domain allow list.** If you have a domain allow list, a comma-separated list of domains that should have this feature turned on, you should use this process.
+
+- **Zone allow list.** If you have a zone allow list, a comma-separated list of zones that should have this feature turned on, you should use this process.
+
+**To set up data collection using a domain allow list**
+
+ - Start PowerShell in elevated mode (using admin privileges) and run IETElemetrySetUp.ps1, using this command: `.\IETElemetrySetUp.ps1 [other args] -SiteAllowList sharepoint.com,outlook.com,onedrive.com`.
+
+ >**Important**
Wildcards, like \*.microsoft.com, aren’t supported.
+
+**To set up data collection using a zone allow list**
+
+ - Start PowerShell in elevated mode (using admin privileges) and run IETElemetrySetUp.ps1, using this command: `.\IETElemetrySetUp.ps1 [other args] -ZoneAllowList Computer,Intranet,TrustedSites,Internet,RestrictedSites`.
+
+ >**Important**
Only Computer, Intranet, TrustedSites, Internet, and RestrictedSites are supported.
+
+## Use Group Policy to finish setting up Enterprise Site Discovery
+You can use Group Policy to finish setting up Enterprise Site Discovery. If you don’t want to use Group Policy, you can do this using PowerShell. For more info, see [Use Powershell to finish setting up Enterprise Site Discovery](#use-powershell-to-finish-setting-up-enterprise-site-discovery).
+
+>**Note**
All of the Group Policy settings can be used individually or as a group.
+
+ **To set up Enterprise Site Discovery using Group Policy**
+
+- Open your Group Policy editor, and go to these new settings:
+
+ |Setting name and location |Description |Options |
+ |---------------------------|-------------|---------|
+ |Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery WMI output |Writes collected data to a WMI class, which can be aggregated using a client-management solution like Configuration Manager. |
- **On.** Turns on WMI recording.
- **Off.** Turns off WMI recording.
|
+ |Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery XML output |Writes collected data to an XML file, which is stored in your specified location. |- **XML file path.** Including this turns on XML recording.
- **Blank.** Turns off XML recording.
|
+ |Administrative Templates\Windows Components\Internet Explorer\Limit Site Discovery output by Zone |Manages which zone can collect data. |To specify which zones can collect data, you must include a binary number that represents your selected zones, based on this order:0 – Restricted Sites zone
0 – Internet zone
0 – Trusted Sites zone
0 – Local Intranet zone
0 – Local Machine zone
**Example 1:** Include only the Local Intranet zone
Binary representation: *00010*, based on:
0 – Restricted Sites zone
0 – Internet zone
0 – Trusted Sites zone
1 – Local Intranet zone
0 – Local Machine zone
**Example 2:** Include only the Restricted Sites, Trusted Sites, and Local Intranet zones
Binary representation: *10110*, based on:
1 – Restricted Sites zone
0 – Internet zone
1 – Trusted Sites zone
1 – Local Intranet zone
1 – Local Machine zone |
+ |Administrative Templates\Windows Components\Internet Explorer\Limit Site Discovery output by domain |Manages which domains can collect data |To specify which domains can collect data, you must include your selected domains, one domain per line, in the provided box. It should look like:
microsoft.sharepoint.com
outlook.com
onedrive.com
timecard.contoso.com
LOBApp.contoso.com |
+
+### Combining WMI and XML Group Policy settings
+You can use both the WMI and XML settings individually or together:
+
+**To turn off Enterprise Site Discovery**
+
+
+ | Setting name |
+ Option |
+
+
+ | Turn on Site Discovery WMI output |
+ Off |
+
+
+ | Turn on Site Discovery XML output |
+ Blank |
+
+
+
+**Turn on WMI recording only**
+
+
+ | Setting name |
+ Option |
+
+
+ | Turn on Site Discovery WMI output |
+ On |
+
+
+ | Turn on Site Discovery XML output |
+ Blank |
+
+
+
+**To turn on XML recording only**
+
+
+ | Setting name |
+ Option |
+
+
+ | Turn on Site Discovery WMI output |
+ Off |
+
+
+ | Turn on Site Discovery XML output |
+ XML file path |
+
+
+
+**To turn on both WMI and XML recording**
+
+
+ | Setting name |
+ Option |
+
+
+ | Turn on Site Discovery WMI output |
+ On |
+
+
+ | Turn on Site Discovery XML output |
+ XML file path |
+
+
+
+## Use Configuration Manager to collect your data
+After you’ve collected your data, you’ll need to get the local files off of your employee’s computers. To do this, use the hardware inventory process in Configuration Manager, using one of these options:
+
+- Collect your hardware inventory using the MOF Editor, while connecting to a client device.
+-OR-
+- Collect your hardware inventory using the MOF Editor with a .MOF import file.
+-OR-
+- Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only)
+
+### Collect your hardware inventory using the MOF Editor while connected to a client device
+You can collect your hardware inventory using the MOF Editor, while you’re connected to your client devices.
+
+ **To collect your inventory**
+
+1. From the Configuration Manager, click **Administration**, click **Client Settings**, double-click **Default Client Settings**, click **Hardware Inventory**, and then click **Set Classes**.
+
+ 
+
+2. Click **Add**, click **Connect**, and connect to a computer that has completed the setup process and has already existing classes.
+
+3. Change the **WMI Namespace** to `root\cimv2\IETelemetry`, and click **Connect**.
+
+ 
+
+4. Select the check boxes next to the following classes, and then click **OK**:
+
+ - IESystemInfo
+
+ - IEURLInfo
+
+ - IECountInfo
+
+5. Click **OK** to close the default windows.
+Your environment is now ready to collect your hardware inventory and review the sample reports.
+
+### Collect your hardware inventory using the MOF Editor with a .MOF import file
+You can collect your hardware inventory using the MOF Editor and a .MOF import file.
+
+ **To collect your inventory**
+
+1. From the Configuration Manager, click **Administration**, click **Client Settings**, double-click **Default Client Settings**, click **Hardware Inventory**, and then click **Set Classes**.
+
+2. Click **Import**, choose the MOF file from the downloaded package we provided, and click **Open**.
+
+3. Pick the inventory items to install, and then click **Import**.
+
+4. Click **OK** to close the default windows.
+Your environment is now ready to collect your hardware inventory and review the sample reports.
+
+### Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only)
+You can collect your hardware inventory using the using the Systems Management Server (SMS\DEF.MOF) file. Editing this file lets you collect your data for System Center Configuration Manager 2007. If you aren’t using this version of Configuration Manager, you won’t want to use this option.
+
+**To collect your inventory**
+
+1. Using a text editor like Notepad, open the SMS\DEF.MOF file, located in your `\inboxes\clifiles.src\hinv` directory.
+
+2. Add this text to the end of the file:
+
+ ```
+ [SMS_Report (TRUE),
+ SMS_Group_Name ("IESystemInfo"),
+ SMS_Class_ID ("MICROSOFT|IESystemInfo|1.0"),
+ Namespace ("root\\\\cimv2\\\\IETelemetry") ]
+ Class IESystemInfo: SMS_Class_Template
+ {
+ [SMS_Report (TRUE), Key ]
+ String SystemKey;
+ [SMS_Report (TRUE) ]
+ String IEVer;
+ };
+
+ [SMS_Report (TRUE),
+ SMS_Group_Name ("IEURLInfo"),
+ SMS_Class_ID ("MICROSOFT|IEURLInfo|1.0"),
+ Namespace ("root\\\\cimv2\\\\IETelemetry") ]
+ Class IEURLInfo: SMS_Class_Template
+ {
+ [SMS_Report (TRUE), Key ]
+ String URL;
+ [SMS_Report (TRUE) ]
+ String Domain;
+ [SMS_Report (TRUE) ]
+ UInt32 DocMode;
+ [SMS_Report (TRUE) ]
+ UInt32 DocModeReason;
+ [SMS_Report (TRUE) ]
+ UInt32 Zone;
+ [SMS_Report (TRUE) ]
+ UInt32 BrowserStateReason;
+ [SMS_Report (TRUE) ]
+ String ActiveXGUID[];
+ [SMS_Report (TRUE) ]
+ UInt32 CrashCount;
+ [SMS_Report (TRUE) ]
+ UInt32 HangCount;
+ [SMS_Report (TRUE) ]
+ UInt32 NavigationFailureCount;
+ [SMS_Report (TRUE) ]
+ UInt32 NumberOfVisits;
+ [SMS_Report (TRUE) ]
+ UInt32 MostRecentNavigationFailure;
+ };
+
+ [SMS_Report (TRUE),
+ SMS_Group_Name ("IECountInfo"),
+ SMS_Class_ID ("MICROSOFT|IECountInfo|1.0"),
+ Namespace ("root\\\\cimv2\\\\IETelemetry") ]
+ Class IECountInfo: SMS_Class_Template
+ {
+ [SMS_Report (TRUE), Key ]
+ String CountKey;
+ [SMS_Report (TRUE) ]
+ UInt32 CrashCount;
+ [SMS_Report (TRUE) ]
+ UInt32 HangCount;
+ [SMS_Report (TRUE) ]
+ UInt32 NavigationFailureCount;
+ };
+ ```
+
+3. Save the file and close it to the same location.
+ Your environment is now ready to collect your hardware inventory and review the sample reports.
+
+## View the sample reports with your collected data
+The sample reports, **SCCM Report Sample – ActiveX.rdl** and **SCCM Report Sample – Site Discovery.rdl**, work with System Center 2012, so you can review your collected data.
+
+### SCCM Report Sample – ActiveX.rdl
+Gives you a list of all of the ActiveX-related sites visited by the client computer.
+
+
+
+### SCCM Report Sample – Site Discovery.rdl
+Gives you a list of all of the sites visited by the client computer.
+
+
+
+## View the collected XML data
+After the XML files are created, you can use your own solutions to extract and parse the data. The data will look like:
+
+``` xml
+
+
+ [dword]
+ [dword]
+ [dword]
+
+
+ [string]
+
+ [guid]
+
+ [dword]
+ [dword]
+ [dword]
+ [dword]
+ [dword]
+ [dword]
+ [dword]
+ [dword]
+ [string]
+ [dword]
+
+ …
+ …
+
+```
+You can import this XML data into the correct version of the Enterprise Mode Site List Manager, automatically adding the included sites to your Enterprise Mode site list.
+
+**To add your XML data to your Enterprise Mode site list**
+
+1. Open the Enterprise Mode Site List Manager, click **File**, and then click **Bulk add from file**.
+
+ 
+
+2. Go to your XML file to add the included sites to the tool, and then click **Open**.
Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md).
+
+3. Click **OK** to close the **Bulk add sites to the list** menu.
+
+## Turn off data collection on your client devices
+After you’ve collected your data, you’ll need to turn Enterprise Site Discovery off.
+
+**To stop collecting data, using PowerShell**
+
+- On your client computer, start Windows PowerShell in elevated mode (using admin privileges) and run `IETelemetrySetUp.ps1`, using this command: `powershell -ExecutionPolicy Bypass .\IETElemetrySetUp.ps1 –IEFeatureOff`.
+
+ >**Note**
Turning off data collection only disables the Enterprise Site Discovery feature – all data already written to WMI stays on your employee’s computer.
+
+
+**To stop collecting data, using Group Policy**
+
+1. Open your Group Policy editor, go to `Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery WMI output`, and click **Off**.
+
+2. Go to `Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery XML output`, and clear the file path location.
+
+### Delete already stored data from client computers
+You can completely remove the data stored on your employee’s computers.
+
+**To delete all existing data**
+
+- On the client computer, start PowerShell in elevated mode (using admin privileges) and run these four commands:
+
+ - `Remove-WmiObject -Namespace root/cimv2/IETelemetry IEURLInfo`
+
+ - `Remove-WmiObject -Namespace root/cimv2/IETelemetry IESystemInfo`
+
+ - `Remove-WmiObject -Namespace root/cimv2/IETelemetry IECountInfo`
+
+ - `Remove-Item -Path 'HKCU:\Software\Microsoft\Internet Explorer\WMITelemetry'`
+
+## Related topics
+* [Enterprise Mode Site List Manager (schema v.2) download](https://go.microsoft.com/fwlink/?LinkId=746562)
+* [Enterprise Mode for Internet Explorer 11 (IE11)](enterprise-mode-overview-for-ie11.md)
+
+
+
+
diff --git a/browsers/enterprise-mode/configure-settings-enterprise-mode-portal.md b/browsers/enterprise-mode/configure-settings-enterprise-mode-portal.md
new file mode 100644
index 0000000000..36066de055
--- /dev/null
+++ b/browsers/enterprise-mode/configure-settings-enterprise-mode-portal.md
@@ -0,0 +1,94 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Details about how the Administrator can use the Settings page to set up Groups and roles, the Enterprise Mode Site List Portal environment, and the freeze dates for production changes.
+author: eross-msft
+ms.prod: ie11
+title: Use the Settings page to finish setting up the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+# Use the Settings page to finish setting up the Enterprise Mode Site List Portal
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+The **Settings** page lets anyone with Administrator rights set up groups and roles, set up the Enterprise Mode Site List Portal environment, and choose the freeze dates for production changes.
+
+## Use the Environment settings area
+This area lets you specify the location of your production and pre-production environments, where to store your attachments, your settings location, and the website domain for email notifications.
+
+**To add location info**
+1. Open the Enterprise Mode Site List Portal and click the **Settings** icon in the upper-right area of the page.
+
+ The **Settings** page appears.
+
+2. In the **Environment settings** area of the page, provide the info for your **Pre-production environment**, your **Production environment**, your **Attachments location**, your **Settings location**, and your **Website domain for email notifications**.
+
+3. Click **Credentials** to add the appropriate domain, user name, and password for each location, and then click **OK**.
+
+## Use the Group and role settings area
+After you set up your email credentials, you'll be able to add or edit your Group info, along with picking which roles must be Approvers for the group.
+
+**To add a new group and determine the required change request Approvers**
+1. Open the Enterprise Mode Site List Portal and click the **Settings** icon in the upper-right area of the page.
+
+ The **Settings** page appears.
+
+2. In the **Group and role settings** area of the page, click **Group details**.
+
+ The **Add or edit group names** box appears.
+
+3. Click the **Add group** tab, and then add the following info:
+
+ - **New group name.** Type name of your new group.
+
+ - **Group head email.** Type the email address for the primary contact for the group.
+
+ - **Group head name.** This box automatically fills, based on the email address.
+
+ - **Active.** Click the check box to make the group active in the system. If you want to keep the group in the system, but you want to prevent access, clear this check box.
+
+4. Click **Save**.
+
+
+**To set a group's required Approvers**
+1. In the **Group and role settings** area of the page, choose the group name you want to update with Approvers from the **Group name** box.
+
+2. In the **Required approvers** area, choose which roles are required to approve a change request for the group. You can choose one or many roles.
+
+ - **App Manager.** All employees in the selected group must get change request approval by someone assigned this role.
+
+ You can change the name of this role by clicking the pencil icon and providing a new name in the **Edit role name** box.
+
+ - **Group Head.** All employees in the selected group must get change request approval by someone assigned this role.
+
+ You can change the name of this role by clicking the pencil icon and providing a new name in the **Edit role name** box.
+
+ - **Administrator.** All employees in the selected group must get change request approval by someone assigned this role.
+
+## Use the Freeze production changes area
+This optional area lets you specify a period when your employees must stop adding changes to the current Enterprise Mode Site List. This must include both a start and an end date.
+
+**To add the start and end dates**
+1. Open the Enterprise Mode Site List Portal and click the **Settings** icon in the upper-right area of the page.
+
+ The **Settings** page appears.
+
+2. In the **Freeze production changes** area of the page, use the calendars to provide the **Freeze start date** and the **Freeze end date**. Your employees can't add apps to the production Enterprise Mode Site List during this span of time.
+
+3. Click **Save**.
+
+## Related topics
+- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal)
+
+- [Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md)
+
+- [Use the Enterprise Mode Site List Manager tool or page](use-the-enterprise-mode-site-list-manager.md)
\ No newline at end of file
diff --git a/browsers/enterprise-mode/create-change-request-enterprise-mode-portal.md b/browsers/enterprise-mode/create-change-request-enterprise-mode-portal.md
new file mode 100644
index 0000000000..18b8b34406
--- /dev/null
+++ b/browsers/enterprise-mode/create-change-request-enterprise-mode-portal.md
@@ -0,0 +1,70 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Details about how to create a change request within the Enterprise Mode Site List Portal.
+author: eross-msft
+ms.prod: ie11
+title: Create a change request using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+# Create a change request using the Enterprise Mode Site List Portal
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+Employees assigned to the Requester role can create a change request. A change request is used to tell the Approvers and the Administrator that a website needs to be added or removed from the Enterprise Mode Site List. The employee can navigate to each stage of the process by using the workflow links provided at the top of each page of the portal.
+
+>[!Important]
+>Each Requester must have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct.
+
+**To create a new change request**
+1. The Requester (an employee that has been assigned the Requester role) signs into the Enterprise Mode Site List Portal, and clicks **Create new request**.
+
+ The **Create new request** page appears.
+
+2. Fill out the required fields, based on the group and the app, including:
+
+ - **Group name.** Select the name of your group from the dropdown box.
+
+ - **App name.** Type the name of the app you want to add, delete, or update in the Enterprise Mode Site List.
+
+ - **Search all apps.** If you can't remember the name of your app, you can click **Search all apps** and search the list.
+
+ - **Add new app.** If your app isn't listed, you can click **Add new app** to add it to the list.
+
+ - **Requested by.** Automatically filled in with your name.
+
+ - **Description.** Add descriptive info about the app.
+
+ - **Requested change.** Select whether you want to **Add to EMIE**, **Delete from EMIE**, or **Update to EMIE**.
+
+ - **Reason for request.** Select the best reason for why you want to update, delete, or add the app.
+
+ - **Business impact (optional).** An optional area where you can provide info about the business impact of this app and the change.
+
+ - **App location (URL).** The full URL location to the app, starting with http:// or https://.
+
+ - **App best viewed in.** Select the best browser experience for the app. This can be Internet Explorer 5 through Internet Explorer 11 or one of the IE7Enterprise or IE8Enterprise modes.
+
+ - **Is an x-ua tag used?** Select **Yes** or **No** whether an x-ua-compatible tag is used by the app. For more info about x-ua-compatible tags, see the topics in [Defining document compatibility](https://msdn.microsoft.com/en-us/library/cc288325(v=vs.85).aspx).
+
+4. Click **Save and continue** to save the request and get the app info sent to the pre-production environment site list for testing.
+
+ A message appears that the request was successful, including a **Request ID** number, saying that the change is being made to the pre-production environment site list.
+
+5. The Requester gets an email with a batch script, that when run, configures their test machine for the pre-production environment, along with the necessary steps to make sure the changed info is correct.
+
+ - **If the change is correct.** The Requester asks the approvers to approve the change request by selecting **Successful** and clicking **Send for approval**.
+
+ - **If the change is incorrect.** The Requester can rollback the change in pre-production or ask for help from the Administrator.
+
+## Next steps
+After the change request is created, the Requester must make sure the suggested changes work in the pre-production environment. For these steps, see the [Verify your changes using the Enterprise Mode Site List Portal](verify-changes-preprod-enterprise-mode-portal.md) topic.
\ No newline at end of file
diff --git a/browsers/enterprise-mode/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/enterprise-mode/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
new file mode 100644
index 0000000000..13fd5539cd
--- /dev/null
+++ b/browsers/enterprise-mode/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
@@ -0,0 +1,46 @@
+---
+ms.localizationpriority: low
+description: Delete a single site from your global Enterprise Mode site list.
+ms.pagetype: appcompat
+ms.mktglfcycl: deploy
+author: eross-msft
+ms.prod: ie11
+ms.assetid: 41413459-b57f-48da-aedb-4cbec1e2981a
+title: Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+
+ **To delete a single site from your global Enterprise Mode site list**
+
+- From the Enterprise Mode Site List Manager, pick the site you want to delete, and then click **Delete**.
+The site is permanently removed from your list.
+
+If you delete a site by mistake, you’ll need to manually add it back using the instructions in the following topics, based on operating system.
+
+- [Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md)
+
+- [Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md)
+
+## Related topics
+- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853)
+- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378)
+- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)
+
+
+
+
+
+
diff --git a/browsers/enterprise-mode/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md b/browsers/enterprise-mode/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md
new file mode 100644
index 0000000000..c6e03cadc0
--- /dev/null
+++ b/browsers/enterprise-mode/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md
@@ -0,0 +1,50 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: You can use Internet Explorer 11 and the Enterprise Mode Site List Manager to change whether page rendering should use Enterprise Mode or the default Internet Explorer browser configuration. You can also add, remove, or delete associated comments.
+author: eross-msft
+ms.prod: ie11
+ms.assetid: 76aa9a85-6190-4c3a-bc25-0f914de228ea
+title: Edit the Enterprise Mode site list using the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Edit the Enterprise Mode site list using the Enterprise Mode Site List Manager
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+You can use Internet Explorer 11 and the Enterprise Mode Site List Manager to change whether page rendering should use Enterprise Mode or the default Internet Explorer browser configuration. You can also add, remove, or delete associated comments.
+
+If you need to edit a lot of websites, you probably don’t want to do it one at a time. Instead, you can edit your saved XML or TXT file and add the sites back again. For information about how to do this, depending on your operating system and schema version, see [Add multiple sites to the Enterprise Mode site list using a file and Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md).
+
+ **To change how your page renders**
+
+1. In the Enterprise Mode Site List Manager, double-click the site you want to change.
+
+2. Change the comment or the compatibility mode option.
+
+3. Click **Save** to validate your changes and to add the updated information to your site list.
+If your change passes validation, it’s added to the global site list. If the update doesn’t pass validation, you’ll get an error message explaining the problem. You’ll then be able to either cancel the update or ignore the validation problem and add it to your list anyway. For more information about fixing validation issues, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md).
+
+4. On the **File** menu, click **Save to XML**, and save the updated file.
+You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md).
+
+## Related topics
+- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853)
+- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378)
+- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)
+
+
+
+
+
+
diff --git a/browsers/enterprise-mode/enterprise-mode-and-enterprise-site-list-include.md b/browsers/enterprise-mode/enterprise-mode-and-enterprise-site-list-include.md
new file mode 100644
index 0000000000..20155271eb
--- /dev/null
+++ b/browsers/enterprise-mode/enterprise-mode-and-enterprise-site-list-include.md
@@ -0,0 +1,50 @@
+## Enterprise Mode and the Enterprise Mode Site List XML file
+The Enterprise Mode Site List is an XML document that specifies a list of sites, their compat mode, and their intended browser. Using [Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853), you can automatically start a webpage using a specific browser. In the case of IE11, the webpage can also be launched in a specific compat mode, so it always renders correctly. Your employees can easily view this site list by typing _about:compat_ in either Microsoft Edge or IE11.
+
+Starting with Windows 10, version 1511 (also known as the Anniversary Update), you can also [restrict IE11 to only the legacy web apps that need it](https://blogs.windows.com/msedgedev/2016/05/19/edge14-ie11-better-together/), automatically sending sites not included in the Enterprise Mode Site List to Microsoft Edge.
+
+### Site list xml file
+
+This is a view of the [raw EMIE v2 schema.xml file](https://gist.github.com/kypflug/9e9961de771d2fcbd86b#file-emie-v2-schema-xml). There are equivalent Enterprise Mode Site List policies for both [Microsoft Edge](https://docs.microsoft.com/en-us/microsoft-edge/deploy/emie-to-improve-compatibility) and [Internet Explorer 11](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list). The Microsoft Edge list is used to determine which sites should open in IE11; while the IE11 list is used to determine the compat mode for a site, and which sites should open in Microsoft Edge. We recommend using one list for both browsers, where each policy points to the same XML file location.
+
+```xml
+
+
+
+ EnterpriseSiteListManager
+ 10586
+ 20150728.135021
+
+
+
+ IE8Enterprise
+ IE11
+
+
+ default
+ IE11
+
+
+ IE7Enterprise
+ IE11
+
+
+
+
+ IE8Enterprise"
+ IE11
+
+
+ IE7
+ IE11
+
+
+ IE7
+ IE11
+
+
+
+```
\ No newline at end of file
diff --git a/browsers/enterprise-mode/enterprise-mode-features-include.md b/browsers/enterprise-mode/enterprise-mode-features-include.md
new file mode 100644
index 0000000000..8090fc9ba8
--- /dev/null
+++ b/browsers/enterprise-mode/enterprise-mode-features-include.md
@@ -0,0 +1,16 @@
+### Enterprise Mode features
+Enterprise Mode includes the following features:
+
+- **Improved web app and website compatibility.** Through improved emulation, Enterprise Mode lets many legacy web apps run unmodified on IE11, supporting several site patterns that aren’t currently supported by existing document modes.
+
+- **Tool-based management for website lists.** Use the Enterprise Mode Site List Manager to add website domains and domain paths and to specify whether a site renders using Enterprise Mode.
+Download the [Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) or the [Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378), based on your operating system and schema.
+
+- **Centralized control.** You can specify the websites or web apps to interpret using Enterprise Mode, through an XML file on a website or stored locally. Domains and paths within those domains can be treated differently, allowing granular control. Use Group Policy to let users turn Enterprise Mode on or off from the Tools menu and to decide whether the Enterprise browser profile appears on the Emulation tab of the F12 developer tools.
+
+ >[!Important]
+ >All centrally-made decisions override any locally-made choices.
+
+- **Integrated browsing.** When Enterprise Mode is set up, users can browse the web normally, letting the browser change modes automatically to accommodate Enterprise Mode sites.
+
+- **Data gathering.** You can configure Enterprise Mode to collect local override data, posting back to a named server. This lets you "crowd source" compatibility testing from key users; gathering their findings to add to your central site list.
\ No newline at end of file
diff --git a/browsers/enterprise-mode/enterprise-mode-overview-for-ie11.md b/browsers/enterprise-mode/enterprise-mode-overview-for-ie11.md
new file mode 100644
index 0000000000..b7d9399d77
--- /dev/null
+++ b/browsers/enterprise-mode/enterprise-mode-overview-for-ie11.md
@@ -0,0 +1,51 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Use the topics in this section to learn how to set up and use Enterprise Mode, Enterprise Mode Site List Manager, and the Enterprise Mode Site List Portal for your company.
+author: eross-msft
+ms.prod: ie11
+ms.assetid: d52ba8ba-b3c7-4314-ba14-0610e1d8456e
+title: Enterprise Mode for Internet Explorer 11 (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Enterprise Mode for Internet Explorer 11
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+Use the topics in this section to learn how to set up and use Enterprise Mode and the Enterprise Mode Site List Manager in your company.
+
+## In this section
+|Topic |Description |
+|---------------------------------------------------------------|-----------------------------------------------------------------------------------|
+|[Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md)|Includes descriptions of the features of Enterprise Mode. |
+|[Set up Enterprise Mode logging and data collection](set-up-enterprise-mode-logging-and-data-collection.md) |Guidance about how to turn on local control of Enterprise Mode and how to use ASP or the GitHub sample to collect data from your local computers. |
+|[Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md) |Guidance about how to turn on Enterprise Mode and set up a site list, using Group Policy or the registry. |
+|[Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md) |Guidance about how to write the XML for your site list, including what not to include, how to use trailing slashes, and info about how to target specific sites. |
+|[Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) |Guidance about how to write the XML for your site list, including what not to include, how to use trailing slashes, and info about how to target specific sites. |
+|[Check for a new Enterprise Mode site list xml file](check-for-new-enterprise-mode-site-list-xml-file.md) |Guidance about how the Enterprise Mode functionality looks for your updated site list. |
+|[Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md) |Guidance about how to turn on local control of Enterprise Mode, using Group Policy or the registry.|
+|[Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) |Guidance about how to use the Enterprise Mode Site List Manager, including how to add and update sites on your site list. |
+|[Use the Enterprise Mode Site List Portal](use-the-enterprise-mode-portal.md) |Guidance about how to set up and use the Enterprise Mode Site List Manager, including how to add and update sites on your site list. |
+|[Using Enterprise Mode](using-enterprise-mode.md) |Guidance about how to turn on either IE7 Enterprise Mode or IE8 Enterprise Mode. |
+|[Fix web compatibility issues using document modes and the Enterprise Mode Site List](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md) |Guidance about how to decide and test whether to use document modes or Enterprise Mode to help fix compatibility issues. |
+|[Remove sites from a local Enterprise Mode site list](remove-sites-from-a-local-enterprise-mode-site-list.md) |Guidance about how to remove websites from a device's local Enterprise Mode site list. |
+|[Remove sites from a local compatibility view list](remove-sites-from-a-local-compatibililty-view-list.md) |Guidance about how to remove websites from a device's local compatibility view list. |
+|[Turn off Enterprise Mode](turn-off-enterprise-mode.md) |Guidance about how to stop using your site list and how to turn off local control, using Group Policy or the registry. |
+
+
+
+
+
+
+
+
diff --git a/browsers/enterprise-mode/enterprise-mode-schema-version-1-guidance.md b/browsers/enterprise-mode/enterprise-mode-schema-version-1-guidance.md
new file mode 100644
index 0000000000..88711fd787
--- /dev/null
+++ b/browsers/enterprise-mode/enterprise-mode-schema-version-1-guidance.md
@@ -0,0 +1,233 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Use the Enterprise Mode Site List Manager to create and update your Enterprise Mode site list for devices running Windows 7 or Windows 8.1 Update.
+author: eross-msft
+ms.prod: ie11
+ms.assetid: 17c61547-82e3-48f2-908d-137a71938823
+title: Enterprise Mode schema v.1 guidance (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Enterprise Mode schema v.1 guidance
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+
+Use the Enterprise Mode Site List Manager (schema v.1) to create and update your Enterprise Mode site list for devices running the v.1 version of the schema, or the Enterprise Mode Site List Manager (schema v.2) to create and update your Enterprise Mode site list for devices running the v.2 version of the schema. We strongly recommend moving to the new schema, v.2. For more info, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md).
+
+If you don't want to use the Enterprise Mode Site List Manager, you also have the option to update your XML schema using Notepad, or any other XML-editing app.
+
+## Enterprise Mode schema v.1 example
+The following is an example of the Enterprise Mode schema v.1. This schema can run on devices running Windows 7 and Windows 8.1.
+
+**Important**
+Make sure that you don't specify a protocol when adding your URLs. Using a URL like `contoso.com` automatically applies to both http://contoso.com and https://contoso.com.
+
+``` xml
+
+
+ www.cpandl.com
+ www.woodgrovebank.com
+ adatum.com
+ contoso.com
+ relecloud.com
+ /about
+
+ fabrikam.com
+ /products
+
+
+
+ contoso.com
+ /travel
+
+ fabrikam.com
+ /products
+
+
+
+```
+
+### Schema elements
+This table includes the elements used by the Enterprise Mode schema.
+
+
+
+
+
+
+
+| <rules> |
+Root node for the schema.
+ Example
+
+<rules version="205">
+ <emie>
+ <domain>contoso.com</domain>
+ </emie>
+</rules> |
+Internet Explorer 11 and Microsoft Edge |
+
+
+| <emie> |
+The parent node for the Enterprise Mode section of the schema. All <domain> entries will have either IE8 Enterprise Mode or IE7 Enterprise Mode applied.
+ Example
+
+<rules version="205">
+ <emie>
+ <domain>contoso.com</domain>
+ </emie>
+</rules>
+-or-
+For IPv6 ranges: <rules version="205">
+ <emie>
+ <domain>[10.122.34.99]:8080</domain>
+ </emie>
+ </rules>
+-or-
+For IPv4 ranges: <rules version="205">
+ <emie>
+ <domain>10.122.34.99:8080</domain>
+ </emie>
+ </rules> |
+Internet Explorer 11 and Microsoft Edge |
+
+
+| <docMode> |
+The parent node for the document mode section of the section. All <domain> entries will get IE5 - IE11 document modes applied. If there's a <domain> element in the <docMode> section that uses the same value as a <domain> element in the <emie> section, the <emie> element is applied.
+ Example
+
+<rules version="205">
+ <docMode>
+ <domain docMode="7">contoso.com</domain>
+ </docMode>
+</rules> |
+Internet Explorer 11 |
+
+
+| <domain> |
+A unique entry added for each site you want to put on the Enterprise Mode site list. The first <domain> element will overrule any additional <domain> elements that use the same value for the section. You can use port numbers for this element.
+ Example
+
+<emie>
+ <domain>contoso.com:8080</domain>
+</emie> |
+Internet Explorer 11 and Microsoft Edge |
+
+
+| <path> |
+A unique entry added for each path under a domain you want to put on the Enterprise Mode site list. The <path> element is a child of the <domain> element. Additionally, the first <path> element will overrule any additional <path> elements in the schema section.
+ Example
+
+<emie>
+ <domain exclude="false">fabrikam.com
+ <path exclude="true">/products</path>
+ </domain>
+</emie>
+Where http://fabrikam.com doesn't use IE8 Enterprise Mode, but http://fabrikam.com/products does. |
+Internet Explorer 11 and Microsoft Edge |
+
+
+
+### Schema attributes
+This table includes the attributes used by the Enterprise Mode schema.
+
+
+
+
+
+
+
+| <version> |
+Specifies the version of the Enterprise Mode Site List. This attribute is supported for the <rules> element. |
+Internet Explorer 11 and Microsoft Edge |
+
+
+| <exclude> |
+Specifies the domain or path that is excluded from getting the behavior applied. This attribute is supported on the <domain> and <path> elements.
+ Example
+
+<emie>
+ <domain exclude="false">fabrikam.com
+ <path exclude="true">/products</path>
+ </domain>
+</emie>
+Where http://fabrikam.com doesn't use IE8 Enterprise Mode, but http://fabrikam.com/products does. |
+Internet Explorer 11 and Microsoft Edge |
+
+
+| <docMode> |
+Specifies the document mode to apply. This attribute is only supported on <domain> or <path> elements in the <docMode> section.
+ Example
+
+<docMode>
+ <domain exclude="false">fakrikam.com
+ <path docMode="7">/products</path>
+ </domain>
+</docMode> |
+Internet Explorer 11 |
+
+
+
+### Using Enterprise Mode and document mode together
+If you want to use both Enterprise Mode and document mode together, you need to be aware that <emie> entries override <docMode> entries for the same domain.
+
+For example, say you want all of the sites in the contoso.com domain to open using IE8 Enterprise Mode, except test.contoso.com, which needs to open in document mode 11. Because Enterprise Mode takes precedence over document mode, if you want test.contoso.com to open using document mode, you'll need to explicitly add it as an exclusion to the <emie> parent node.
+
+```xml
+
+
+ contoso.com
+ test.contoso.com
+
+
+ test.contoso.com
+
+
+```
+
+### What not to include in your schema
+We recommend that you not add any of the following items to your schema because they can make your compatibility list behave in unexpected ways:
+- Don’t use protocols. For example, `http://`, `https://`, or custom protocols. They break parsing.
+- Don’t use wildcards.
+- Don’t use query strings, ampersands break parsing.
+
+## How to use trailing slashes
+You can use trailing slashes at the path-level, but not at the domain-level:
+- **Domain-level.** Don’t add trailing slashes to a domain, it breaks parsing.
+- **Path-level.** Adding a trailing slash to a path means that the path ends at that point. By not adding a trailing slash, the rule applies to all of the sub-paths.
+
+**Example**
+
+``` xml
+contoso.com
+ /about/
+
+```
+In this example, `contoso.com/about/careers` will use the default version of Internet Explorer, even though `contoso.com/about/` uses Enterprise Mode.
+
+
+## How to target specific sites
+If you want to target specific sites in your organization.
+
+|Targeted site |Example |Explanation |
+|--------------|--------|------------|
+|You can specify subdomains in the domain tag. |<docMode>
<domain docMode="5">contoso.com</domain>
<domain docMode="9">info.contoso.com</domain>
<docMode> |- contoso.com uses document mode 5.
- info.contoso.com uses document mode 9.
- test.contoso.com also uses document mode 5.
|
+|You can specify exact URLs by listing the full path. |<emie>
<domain exclude="false">bing.com</domain>
<domain exclude="false" forceCompatView="true">contoso.com</domain>
<emie>|- bing.com uses IE8 Enterprise Mode.
- contoso.com uses IE7 Enterprise Mode.
|
+|You can nest paths underneath domains. |<emie>
<domain exclude="true">contoso.com
<path exclude="false">/about</path>
<path exclude="true">
/about/business</path>
</domain>
</emie> |- contoso.com will use the default version of IE.
- contoso.com/about and everything underneath that node will load in Enterprise Mode, except contoso.com/about/business, which will load in the default version of IE.
|
+|You can’t add a path underneath a path. The file will still be parsed, but the sub-path will be ignored. |<emie>
<domain exclude="true">contoso.com
<path>/about
<path exclude="true">/business</path>
</path>
</domain>
</emie> |- contoso.com will use the default version of IE.
- contoso.com/about and everything underneath that node will load in Enterprise Mode, including contoso.com/about/business because the last rule is ignored.
|
\ No newline at end of file
diff --git a/browsers/enterprise-mode/enterprise-mode-schema-version-2-guidance.md b/browsers/enterprise-mode/enterprise-mode-schema-version-2-guidance.md
new file mode 100644
index 0000000000..df6a01cb68
--- /dev/null
+++ b/browsers/enterprise-mode/enterprise-mode-schema-version-2-guidance.md
@@ -0,0 +1,298 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Use the Enterprise Mode Site List Manager to create and update your Enterprise Mode site list for devices running Windows 10.
+author: eross-msft
+ms.prod: ie11
+ms.assetid: 909ca359-5654-4df9-b9fb-921232fc05f5
+title: Enterprise Mode schema v.2 guidance (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 12/04/2017
+---
+
+
+# Enterprise Mode schema v.2 guidance
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+
+Use the Enterprise Mode Site List Manager to create and update your site list for devices running Windows 7, Windows 8.1, and Windows 10, using the version 2.0 (v.2) of the Enterprise Mode schema. If you don't want to use the Enterprise Mode Site List Manager, you also have the option to update your XML schema using Notepad, or any other XML-editing app.
+
+**Important**
+If you're running Windows 7 or Windows 8.1 and you've been using the version 1.0 (v.1) of the schema, you can continue to do so, but you won't get the benefits that come with the updated schema. For info about the v.1 schema, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md).
+
+## Enterprise Mode schema v.2 updates
+Because of the schema changes, you can't combine the old version (v.1) with the new version (v.2) of the schema. If you look at your XML file, you can tell which version you're using by:
+
+- <rules>. If your schema root node includes this key, you're using the v.1 version of the schema.
+
+- <site-list>. If your schema root node includes this key, you're using the v.2 version of the schema.
+
+You can continue to use the v.1 version of the schema on Windows 10, but you won't have the benefits of the new v.2 version schema updates and new features. Additionally, saving the v.1 version of the schema in the new Enterprise Mode Site List Manager (schema v.2) automatically updates the file to use the v.2 version of the schema.
+
+### Enterprise Mode v.2 schema example
+The following is an example of the v.2 version of the Enterprise Mode schema.
+
+**Important**
+Make sure that you don't specify a protocol when adding your URLs. Using a URL like ``, automatically applies to both http://contoso.com and https://contoso.com.
+
+``` xml
+
+
+
+ EnterpriseSitelistManager
+ 10240
+ 20150728.135021
+
+
+
+ IE8Enterprise
+ MSEdge
+
+
+ default
+ IE11
+
+
+ IE7Enterprise
+ IE11
+
+
+ default
+ IE11
+
+
+ default
+ none
+
+ IE8Enterprise"
+
+
+ IE7
+ IE11
+
+
+ IE8Enterprise
+ IE11
+
+
+ IE7
+ IE11
+
+
+```
+
+### Updated schema elements
+This table includes the elements used by the v.2 version of the Enterprise Mode schema.
+
+
+
+
+
+
+
+| <site-list> |
+A new root node with this text is using the updated v.2 version of the schema. It replaces <rules>.
+ Example
+
+<site-list version="205">
+ <site url="contoso.com">
+ <compat-mode>IE8Enterprise</compat-mode>
+ <open-in>IE11</open-in>
+ </site>
+</site-list> |
+Internet Explorer 11 and Microsoft Edge |
+
+
+| <site> |
+A unique entry added for each site you want to put on the Enterprise Mode site list. The first <site> element will overrule any additional <site> elements that use the same value for the <url> element.
+ Example
+
+<site url="contoso.com">
+ <compat-mode>default</compat-mode>
+ <open-in>none</open-in>
+</site>
+-or-
+For IPv4 ranges: <site url="10.122.34.99:8080">
+ <compat-mode>IE8Enterprise</compat-mode>
+<site>
+-or-
+ For IPv6 ranges: <site url="[10.122.34.99]:8080">
+ <compat-mode>IE8Enterprise</compat-mode>
+<site>
+You can also use the self-closing version, <url="contoso.com" />, which also sets:
+
+ - <compat-mode>default</compat-mode>
+ - <open-in>none</open-in>
+ |
+Internet Explorer 11 and Microsoft Edge |
+
+
+| <compat-mode> |
+A child element that controls what compatibility setting is used for specific sites or domains. This element is only supported in IE11.
+ Example
+
+<site url="contoso.com">
+ <compat-mode>IE8Enterprise</compat-mode>
+</site>
+-or-
+For IPv4 ranges: <site url="10.122.34.99:8080">
+ <compat-mode>IE8Enterprise</compat-mode>
+<site>
+-or-
+ For IPv6 ranges: <site url="[10.122.34.99]:8080">
+ <compat-mode>IE8Enterprise</compat-mode>
+<site>
+Where:
+ |
+Internet Explorer 11 |
+
+
+| <open-in> |
+A child element that controls what browser is used for sites. This element supports the Open in IE11 or Open in Microsoft Edge experiences, for devices running Windows 10.
+ Example
+
+<site url="contoso.com">
+ <open-in>none</open-in>
+</site>
+Where:
+
+ - IE11. Opens the site in IE11, regardless of which browser is opened by the employee.
+ - MSEdge. Opens the site in Microsoft Edge, regardless of which browser is opened by the employee.
+ - None or not specified. Opens in whatever browser the employee chooses.
+ |
+Internet Explorer 11 and Microsoft Edge |
+
+
+
+### Updated schema attributes
+The <url> attribute, as part of the <site> element in the v.2 version of the schema, replaces the <domain> element from the v.1 version of the schema.
+
+
+
+
+
+
+
+| allow-redirect |
+A boolean attribute of the <open-in> element that controls the behavior for redirected sites. Setting this attribute to "true" indicates that the site will open in IE11 or Microsoft Edge even if the site is navigated to as part of a HTTP or meta refresh redirection chain. Omitting the attribute is equivalent to "false" (sites in redirect chain will not open in another browser).
+ Example
+
+<site url="contoso.com/travel">
+ <open-in allow-redirect="true">IE11</open-in>
+</site>
+In this example, if http://contoso.com/travel is encountered in a redirect chain in Microsoft Edge, it will be opened in Internet Explorer. |
+Internet Explorer 11 and Microsoft Edge |
+
+
+| version |
+Specifies the version of the Enterprise Mode Site List. This attribute is supported for the <site-list> element. |
+Internet Explorer 11 and Microsoft Edge |
+
+
+| url |
+Specifies the URL (and port number using standard port conventions) to which the child elements apply. The URL can be a domain, sub-domain, or any path URL.
+
Note
+Make sure that you don't specify a protocol. Using <site url="contoso.com"> applies to both http://contoso.com and https://contoso.com.
+Example
+
+<site url="contoso.com:8080">
+ <compat-mode>IE8Enterprise</compat-mode>
+ <open-in>IE11</open-in>
+</site>
+In this example, going to http://contoso.com:8080 using Microsoft Edge, causes the site to open in IE11 and load in IE8 Enterprise Mode. |
+Internet Explorer 11 and Microsoft Edge |
+
+
+
+### Deprecated attributes
+These v.1 version schema attributes have been deprecated in the v.2 version of the schema:
+
+
+
+
+
+
+
+| <forceCompatView> |
+<compat-mode> |
+Replace <forceCompatView="true"> with <compat-mode>IE7Enterprise</compat-mode> |
+
+
+| <docMode> |
+<compat-mode> |
+Replace <docMode="IE5"> with <compat-mode>IE5</compat-mode> |
+
+
+| <doNotTransition> |
+<open-in> |
+Replace <doNotTransition="true"> with <open-in>none</open-in> |
+
+
+| <domain> and <path> |
+<site> |
+Replace:
+
+<emie>
+ <domain exclude="false">contoso.com</domain>
+</emie>
+With:
+
+<site url="contoso.com"/>
+ <compat-mode>IE8Enterprise</compat-mode>
+</site>
+-AND-
+Replace:
+
+<emie>
+ <domain exclude="true">contoso.com
+ <path exclude="false" forceCompatView="true">/about</path>
+ </domain>
+</emie>
+With:
+
+<site url="contoso.com/about">
+ <compat-mode>IE7Enterprise</compat-mode>
+</site> |
+
+
+
+While the old, replaced attributes aren't supported in the v.2 version of the schema, they'll continue to work in the v.1 version of the schema. If, however, you're using the v.2 version of the schema and these attributes are still there, the v.2 version schema takes precedence. We don’t recommend combining the two schemas, and instead recommend that you move to the v.2 version of the schema to take advantage of the new features.
+
+**Important**
+Saving your v.1 version of the file using the new Enterprise Mode Site List Manager (schema v.2) automatically updates the XML to the new v.2 version of the schema.
+
+### What not to include in your schema
+We recommend that you not add any of the following items to your schema because they can make your compatibility list behave in unexpected ways:
+
+- Don’t use protocols. For example, http://, https://, or custom protocols. They break parsing.
+- Don’t use wildcards.
+- Don’t use query strings, ampersands break parsing.
+
+## Related topics
+- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)
+
+
+
+
diff --git a/browsers/enterprise-mode/enterprise-mode-site-list-mgr-portal-tools-include.md b/browsers/enterprise-mode/enterprise-mode-site-list-mgr-portal-tools-include.md
new file mode 100644
index 0000000000..f1c67006ba
--- /dev/null
+++ b/browsers/enterprise-mode/enterprise-mode-site-list-mgr-portal-tools-include.md
@@ -0,0 +1,36 @@
+## Enterprise Mode Site List Manager and the Enterprise Mode Site List Portal tools
+You can build and manage your Enterprise Mode Site List is by using any generic text editor. However, we’ve also provided a couple tools that can make that process even easier.
+
+### Enterprise Mode Site List Manager
+This tool helps you create error-free XML documents with simple n+1 versioning and URL verification. We recommend using this tool if your site list is relatively small. For more info about this tool, see the [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) topics.
+
+There are 2 versions of this tool, both supported on Windows 7, Windows 8.1, and Windows 10:
+
+- [Enterprise Mode Site List Manager (schema v.1)](https://www.microsoft.com/download/details.aspx?id=42501). This is an older version of the schema that you must use if you want to create and update your Enterprise Mode Site List for devices running the v.1 version of the schema.
+
+ We strongly recommend moving to the new schema, v.2. For more info, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md).
+
+- [Enterprise Mode Site List Manager (schema v.2)](https://www.microsoft.com/download/details.aspx?id=49974). The updated version of the schema, including new functionality. You can use this version of the schema to create and update your Enterprise Mode Site List for devices running the v.2 version of the schema.
+
+ If you open a v.1 version of your Enterprise Mode Site List using this version, it will update the schema to v.2, automatically. For more info, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md).
+
+If your list is too large to add individual sites, or if you have more than one person managing the site list, we recommend using the Enterprise Site List Portal.
+
+### Enterprise Mode Site List Portal
+The [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) is an open-source web tool on GitHub that allows you to manage your Enterprise Mode Site List, hosted by the app, with multiple users. The portal is designed to use IIS and a SQL Server backend, leveraging Active Directory (AD) for employee management.
+
+In addition to all the functionality of the Enterprise Mode Site List Manager tool, the Enterprise Mode Site List Portal helps you:
+
+- Manage site lists from any device supporting Windows 7 or greater.
+
+- Submit change requests.
+
+- Operate offline through an on-premise solution.
+
+- Provide role-based governance.
+
+- Test configuration settings before releasing to a live environment.
+
+Updates to your site list are made by submitting new change requests, which are then approved by a designated group of people, put into a pre-production environment for testing, and then deployed immediately, or scheduled for deployment later.
+
+Because the tool is open-source, the source code is readily available for examination and experimentation. We encourage you to [fork the code, submit pull requests, and send us your feedback](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal)! For more info about the Enterprise Mode Site List Portal, see the [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) topics.
\ No newline at end of file
diff --git a/browsers/enterprise-mode/enterprise-mode-site-list-mgr-versions-include.md b/browsers/enterprise-mode/enterprise-mode-site-list-mgr-versions-include.md
new file mode 100644
index 0000000000..4ead83795d
--- /dev/null
+++ b/browsers/enterprise-mode/enterprise-mode-site-list-mgr-versions-include.md
@@ -0,0 +1,7 @@
+## Enterprise Mode Site List Manager versions
+There are currently two versions of the Enterprise Site List Manager, both based on your schema and operating system. Download the [Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) or the [Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) tool, based on your operating system.
+
+|Schema version |Operating system |Enterprise Site List Manager version |
+|-----------------|---------------|------------------------------------|
+|Enterprise Mode schema, version 2 (v.2) |Windows 10
-OR-
Windows 8.1
-OR-
Windows 7|Uses the Enterprise Mode Site List Manager (schema v.2) and the v.2 version of the schema. If you import a v.1 version schema into the Enterprise Mode Site List Manager (schema v.2), the XML is saved into the v.2 version of the schema.
For more info about the v.2 version of the schema, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md).|
+|Enterprise Mode schema, version 1 (v.1) |Windows 10
-OR-
Windows 8.1
-OR-
Windows 7|Uses the Enterprise Mode Site List Manager (schema v.1) and the v.1 version of the schema.
For more info about the v.1 version of the schema, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md)|
\ No newline at end of file
diff --git a/browsers/enterprise-mode/enterprise-mode.md b/browsers/enterprise-mode/enterprise-mode.md
new file mode 100644
index 0000000000..663a632588
--- /dev/null
+++ b/browsers/enterprise-mode/enterprise-mode.md
@@ -0,0 +1,57 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: security
+description: Use this section to learn about how to turn on Enterprise Mode.
+author: shortpatti
+ms.author: pashort
+ms.prod: edge, ie11
+ms.assetid:
+title: Enterprise Mode for Microsoft Edge
+ms.sitesec: library
+ms.date: ''
+---
+
+# Enterprise Mode for Microsoft Edge
+Enterprise Mode, a compatibility mode that runs on Internet Explorer 11 on Windows 10, Windows 8.1, and Windows 7 devices, lets websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8. Running in this mode helps to avoid many of the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
+
+Many customers identify web app compatibility as a significant cost to upgrading because web apps need to be tested and upgraded before adopting a new browser. The improved compatibility provided by Enterprise Mode can help give customers the confidence to upgrade to IE11, letting customers benefit from modern web standards, increased performance, improved security, and better reliability.
+
+## Available dual-browser experiences
+
+
+## Enterprise Mode features
+
+
+
+
+## Enterprise Mode Site List management tools
+...description of what you can do with these tools; also specify if you must use both or if each tool works independently and no dependencies on the other tool... I think these tools are for two different scenarios...
+
+You can build and manage your Enterprise Mode Site List is by using any generic text editor. However, we’ve also provided a couple of tools that can make that process even easier.
+
+| | |
+|---------|---------|
+|Enterprise Mode Site List Manager |Use if your site list is relatively small. |
+|Enterprise Mode Site List Portal |Use if your site list is too large to add individual sites, or if you have more than one person managing the sites. |
+
+### Enterprise Mode Site List Manager
+
+
+### Enterprise Mode Site List Portal
+
+
+
+## Enterprise Mode Site List XML file
+[!INCLUDE [enterprise-mode-and-enterprise-site-list-include](enterprise-mode-and-enterprise-site-list-include.md)]
+
+
+## Turn on Enterprise Mode
+
+
+### Add a single site to the site list
+
+
+### Add mulitple sites to the site list
+
+
diff --git a/browsers/enterprise-mode/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md b/browsers/enterprise-mode/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md
new file mode 100644
index 0000000000..8e779574c1
--- /dev/null
+++ b/browsers/enterprise-mode/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md
@@ -0,0 +1,46 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: After you create your Enterprise Mode site list in the Enterprise Mode Site List Manager, you can export the contents to an Enterprise Mode (.EMIE) file.
+author: eross-msft
+ms.prod: ie11
+ms.assetid: 9ee7c13d-6fca-4446-bc22-d23a0213a95d
+title: Export your Enterprise Mode site list from the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Export your Enterprise Mode site list from the Enterprise Mode Site List Manager
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+After you create your Enterprise Mode site list in the Enterprise Mode Site List Manager, you can export the contents to an Enterprise Mode (.EMIE) file. This file includes all of your URLs, including your compatibility mode selections and should be stored somewhere safe. If your list gets deleted by mistake you can easily import this file and return everything back to when this file was last saved.
+
+**Important**
+This file is not intended for distribution to your managed devices. Instead, it is only for transferring data and comments from one manager to another. For example, if one administrator leaves and passes the existing data to another administrator. Internet Explorer doesn’t read this file.
+
+ **To export your compatibility list**
+
+1. On the **File** menu of the Enterprise Mode Site List Manager, click **Export**.
+
+2. Export the file to your selected location. For example, `C:\Users\\Documents\sites.emie`.
+
+## Related topics
+
+- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853)
+- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378)
+- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)
+
+
+
+
+
+
diff --git a/browsers/enterprise-mode/images/config-enterprise-site-list.png b/browsers/enterprise-mode/images/config-enterprise-site-list.png
new file mode 100644
index 0000000000..82ffc30895
Binary files /dev/null and b/browsers/enterprise-mode/images/config-enterprise-site-list.png differ
diff --git a/browsers/enterprise-mode/images/enterprise-mode-value-data.png b/browsers/enterprise-mode/images/enterprise-mode-value-data.png
new file mode 100644
index 0000000000..9e9ece9c1a
Binary files /dev/null and b/browsers/enterprise-mode/images/enterprise-mode-value-data.png differ
diff --git a/browsers/enterprise-mode/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/enterprise-mode/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
new file mode 100644
index 0000000000..963880eb75
--- /dev/null
+++ b/browsers/enterprise-mode/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
@@ -0,0 +1,45 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Instructions about how to clear all of the sites from your global Enterprise Mode site list.
+author: eross-msft
+ms.prod: ie11
+ms.assetid: 90f38a6c-e0e2-4c93-9a9e-c425eca99e97
+title: Remove all sites from your Enterprise Mode site list using the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Remove all sites from your Enterprise Mode site list using the Enterprise Mode Site List Manager
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+You can clear all of the sites from your global Enterprise Mode site list.
+
+**Important**
+This is a permanent removal and erases everything. However, if you determine it was a mistake, and you saved an XML copy of your list, you can add the file again by following the steps in the [Add multiple sites to the Enterprise Mode site list using a file and Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md), depending on your operating system.
+
+ **To clear your compatibility list**
+
+1. On the **File** menu of the Enterprise Mode Site List Manager, click **Clear list**.
+
+2. Click **Yes** in the warning message.Your sites are all cleared from your list.
+
+## Related topics
+- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853)
+- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378)
+- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)
+
+
+
+
+
+
diff --git a/browsers/enterprise-mode/remove-sites-from-a-local-compatibililty-view-list.md b/browsers/enterprise-mode/remove-sites-from-a-local-compatibililty-view-list.md
new file mode 100644
index 0000000000..546fe2133e
--- /dev/null
+++ b/browsers/enterprise-mode/remove-sites-from-a-local-compatibililty-view-list.md
@@ -0,0 +1,39 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Instructions about how to remove sites from a local compatibility view list.
+author: eross-msft
+ms.prod: ie11
+ms.assetid: f6ecaa75-ebcb-4f8d-8721-4cd6e73c0ac9
+title: Remove sites from a local compatibility view list (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Remove sites from a local compatibility view list
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+Remove websites that were added to a local compatibility view list by mistake or because they no longer have compatibility problems.
+
+ **To remove sites from a local compatibility view list**
+
+1. Open Internet Explorer 11, click **Tools**, and then click **Compatibility View Settings**.
+
+2. Pick the site to remove, and then click **Remove**.
+Sites can only be removed one at a time. If one is removed by mistake, it can be added back using this same box and the **Add** section.
+
+
+
+
+
+
+
diff --git a/browsers/enterprise-mode/remove-sites-from-a-local-enterprise-mode-site-list.md b/browsers/enterprise-mode/remove-sites-from-a-local-enterprise-mode-site-list.md
new file mode 100644
index 0000000000..8b15e9ddd5
--- /dev/null
+++ b/browsers/enterprise-mode/remove-sites-from-a-local-enterprise-mode-site-list.md
@@ -0,0 +1,55 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Instructions about how to remove sites from a local Enterprise Mode site list.
+author: eross-msft
+ms.prod: ie11
+ms.assetid: c7d6dd0b-e264-42bb-8c9d-ac2f837018d2
+title: Remove sites from a local Enterprise Mode site list (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Remove sites from a local Enterprise Mode site list
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+Remove websites that were added to a local Enterprise Mode site list by mistake or because the sites no longer have compatibility problems.
+
+**Note**
The changes described in this topic only impact sites added to a local Enterprise Mode site list and not the list of sites deployed to all employees by an administrator. Employees can't delete sites added to the list by an administrator.
+
+ **To remove single sites from a local Enterprise Mode site list**
+
+1. Open Internet Explorer 11 and go to the site you want to remove.
+
+2. Click **Tools**, and then click **Enterprise Mode**.
+The checkmark disappears from next to Enterprise Mode and the site is removed from the list.
+
+**Note**
If the site is removed by mistake, it can be added back by clicking **Enterprise Mode** again.
+
+ **To remove all sites from a local Enterprise Mode site list**
+
+1. Open IE11, click **Tools**, and then click **Internet options**.
+
+2. Click the **Delete** button from the **Browsing history** area.
+
+3. Click the box next to **Cookies and website data**, and then click **Delete**.
+
+**Note**
This removes all of the sites from a local Enterprise Mode site list.
+
+
+
+
+
+
+
+
+
diff --git a/browsers/enterprise-mode/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md b/browsers/enterprise-mode/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md
new file mode 100644
index 0000000000..7ec1867c5b
--- /dev/null
+++ b/browsers/enterprise-mode/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md
@@ -0,0 +1,43 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: You can save your current Enterprise Mode compatibility site list as an XML file, for distribution and use by your managed systems.
+author: eross-msft
+ms.prod: ie11
+ms.assetid: 254a986b-494f-4316-92c1-b089ee8b3e0a
+title: Save your site list to XML in the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Save your site list to XML in the Enterprise Mode Site List Manager
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+You can save your current Enterprise Mode compatibility site list as an XML file, for distribution and use by your managed systems.
+
+ **To save your list as XML**
+
+1. On the **File** menu of the Enterprise Mode Site List Manager, click **Save to XML**.
+
+2. Save the file to the location you specified in your Enterprise Mode registry key, set up when you turned on Enterprise Mode for use in your company. For information about the Enterprise Mode registry key, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md).
+The first time a user starts Internet Explorer 11 on a managed device; Internet Explorer will look for a new version of the site list at the specified location. If the browser finds an updated site list, IE downloads the new XML site list and uses it.
+
+## Related topics
+- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853)
+- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378)
+- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)
+
+
+
+
+
+
diff --git a/browsers/enterprise-mode/schedule-production-change-enterprise-mode-portal.md b/browsers/enterprise-mode/schedule-production-change-enterprise-mode-portal.md
new file mode 100644
index 0000000000..f49ad80a75
--- /dev/null
+++ b/browsers/enterprise-mode/schedule-production-change-enterprise-mode-portal.md
@@ -0,0 +1,50 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Details about how Administrators can schedule approved change requests for production in the Enterprise Mode Site List Portal.
+author: eross-msft
+ms.prod: ie11
+title: Schedule approved change requests for production using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+# Schedule approved change requests for production using the Enterprise Mode Site List Portal
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+After a change request is approved, the original Requester can schedule the change for the production environment. The change can be immediate or set for a future time.
+
+**To schedule an immediate change**
+1. The Requester logs onto the Enterprise Mode Site List Portal and clicks **In Progress** from the left pane.
+
+2. The Requester clicks the **Approved** status for the change request.
+
+ The **Schedule changes** page appears.
+
+3. The Requester clicks **Now**, and then clicks **Save**.
+
+ The update is scheduled to immediately update the production environment, and an email is sent to the Requester. After the update finishes, the Requester is asked to verify the changes.
+
+
+**To schedule the change for a different day or time**
+1. The Requester logs onto the Enterprise Mode Site List Portal and clicks **In Progress** from the left pane.
+
+2. The Requester clicks the **Approved** status for the change request.
+
+ The **Schedule changes** page appears.
+
+3. The Requester clicks **Schedule**, sets the **Preferred day**, **Preferred start time**, and the **Preferred end time**, and then clicks **Save**.
+
+ The update is scheduled to update the production environment on that day and time and an email is sent to the Requester. After the update finishes, the Requester will be asked to verify the changes.
+
+
+## Next steps
+After the update to the production environment completes, the Requester must again test the change. If the testing succeeds, the Requester can sign off on the change request. If the testing fails, the Requester can contact the Administrator group for more help. For the production environment testing steps, see the [Verify the change request update in the production environment using the Enterprise Mode Site List Portal](verify-changes-production-enterprise-mode-portal.md) topic.
\ No newline at end of file
diff --git a/browsers/enterprise-mode/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/enterprise-mode/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
new file mode 100644
index 0000000000..5292cf3570
--- /dev/null
+++ b/browsers/enterprise-mode/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
@@ -0,0 +1,41 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Search to see if a specific site already appears in your global Enterprise Mode site list.
+author: eross-msft
+ms.prod: ie11
+ms.assetid: e399aeaf-6c3b-4cad-93c9-813df6ad47f9
+title: Search your Enterprise Mode site list in the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Search your Enterprise Mode site list in the Enterprise Mode Site List Manager
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+You can search to see if a specific site already appears in your global Enterprise Mode site list so you don’t try to add it again.
+
+ **To search your compatibility list**
+
+- From the Enterprise Mode Site List Manager, type part of the URL into the **Search** box.
+The search query searches all of the text. For example, entering *“micro”* will return results like, www.microsoft.com, microsoft.com, and microsoft.com/images. Wildcard characters aren’t supported.
+
+## Related topics
+- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853)
+- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378)
+- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)
+
+
+
+
+
+
diff --git a/browsers/enterprise-mode/set-up-enterprise-mode-logging-and-data-collection.md b/browsers/enterprise-mode/set-up-enterprise-mode-logging-and-data-collection.md
new file mode 100644
index 0000000000..bfb9659bd0
--- /dev/null
+++ b/browsers/enterprise-mode/set-up-enterprise-mode-logging-and-data-collection.md
@@ -0,0 +1,157 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Set up and turn on Enterprise Mode logging and data collection in your organization.
+author: eross-msft
+ms.prod: ie11
+ms.assetid: 2e98a280-f677-422f-ba2e-f670362afcde
+title: Set up Enterprise Mode logging and data collection (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Set up Enterprise Mode logging and data collection
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+Using Group Policy, you can turn on Enterprise Mode for Internet Explorer and then you can turn on local user control using the **Let users turn on and use Enterprise Mode from the Tools menu** setting, located in the `Administrative Templates\Windows Components\Internet Explorer` category path. After you turn this setting on, your users can turn on Enterprise Mode locally, from the IE **Tools** menu.
+
+
+
+The **Let users turn on and use Enterprise Mode from the Tools menu** setting also lets you decide where to send the user reports (as a URL). We recommend creating a custom HTTP port 81 to let your incoming user information go to a dedicated site. A dedicated site is important so you can quickly pick out the Enterprise Mode traffic from your other website traffic.
+
+
+
+Getting these reports lets you find out about sites that aren’t working right, so you can add them to your Enterprise Mode site list, without having to locate them all yourself. For more information about creating and using a site list, see the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) topic, based on your operating system.
+
+## Using ASP to collect your data
+When you turn logging on, you need a valid URL that points to a server that can be listened to for updates to a user’s registry key. This means you need to set up an endpoint server for the incoming POST messages, which are sent every time the user turns Enterprise Mode on or off from the **Tools** menu.
+
+ **To set up an endpoint server**
+
+1. Configure an IIS server to work with your Enterprise Mode data collection process. If you’re unsure how to set up IIS, see the [IIS installation webpage](https://go.microsoft.com/fwlink/p/?LinkId=507609).
+
+2. Open Internet Information Services (IIS) and turn on the ASP components from the **Add Roles and Features Wizard**, **Server Roles** page.
+This lets you create an ASP form that accepts the incoming POST messages.
+
+3. Open the Internet Information Services (IIS) Manager, click **Bindings**, highlight **Port 81**, click **Edit**, and then change the website information to point to Port 81 so it matches your custom-created port.
+
+ 
+
+4. Open the **Logging** feature, pick **W3C** for the format, and click **Select Fields** to open the **W3C Logging Fields** box.
+
+ 
+
+5. Change the WC3 logging fields to include only the **Date**, **Client IP**, **User Name**, and **URI Query** standard fields, and then click **OK**.
+Using only these fields keeps the log file simple, giving you the date, client IP address, and the website URI information for any site changed by your users.
+
+6. Apply these changes to your default website and close the IIS Manager.
+
+7. Put your EmIE.asp file into the root of the web server, using this command:
+
+ ```
+ <% @ LANGUAGE=javascript %>
+ <%
+ Response.AppendToLog(" ;" + Request.Form("URL") + " ;" + Request.Form("EnterpriseMode"));
+ %>
+ ```
+This code logs your POST fields to your IIS log file, where you can review all of the collected data.
+
+
+### IIS log file information
+This is what your log files will look like after you set everything up and at least one of your users has turned on Enterprise Mode locally from the **Tools** menu. You can see the URL of the problematic website and client IP address of the user that turned on Enterprise Mode.
+
+
+
+
+## Using the GitHub sample to collect your data
+Microsoft has created the [EMIE-Data-Collection_Sample](https://go.microsoft.com/fwlink/p/?LinkId=507401) that shows how to collect your Enterprise Mode reports. This sample only shows how to collect data, it doesn’t show how to aggregate the data into your Enterprise Mode site list.
+This sample starts with you turning on Enterprise Mode and logging (either through Group Policy, or by manually setting the EnterpriseMode registry key) so that your users can use Enterprise Mode locally. For the steps to do this, go to [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md).
+
+**Note**
If you decide to manually change the registry key, you can change the **Enable** setting to `[deployment url]/api/records/`, which automatically sends your reports to this page.
+
+### Setting up, collecting, and viewing reports
+For logging, you’re going to need a valid URL that points to a server that can be listened to for updates to a user’s registry key. This means you need to set up an endpoint server for the incoming POST messages, which are sent every time the user turns Enterprise Mode on or off from the **Tools** menu. These POST messages go into your database, aggregating the report data by URL, giving you the total number of reports where users turned on Enterprise Mode, the total number of reports where users turned off Enterprise Mode, and the date of the last report.
+
+ **To set up the sample**
+
+1. Set up a server to collect your Enterprise Mode information from your users.
+
+2. Go to the Internet Explorer/[EMIE-Data_Collection_Sample](https://go.microsoft.com/fwlink/p/?LinkId=507401) page on GitHub and tap or click the **Download ZIP** button to download the complete project.
+
+3. Open Microsoft Visual Studio 2013 with Update 2, and then open the PhoneHomeSample.sln file.
+
+4. On the **Build** menu, tap or click **Build Solution**.
+The required packages are automatically downloaded and included in the solution.
+
+ **To set up your endpoint server**
+
+1. Right-click on the name, PhoneHomeSample, and click **Publish**.
+
+ 
+
+2. In the **Publish Web** wizard, pick the publishing target and options that work for your organization.
+
+ **Important**
+ Make sure you have a database associated with your publishing target. Otherwise, your reports won’t be collected and you’ll have problems deploying the website.
+
+ 
+
+ After you finish the publishing process, you need to test to make sure the app deployed successfully.
+
+ **To test, deploy, and use the app**
+
+1. Open a registry editor on the computer where you deployed the app, go to the `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode` key, and change the **Enable** string to:
+
+ ``` "Enable"="http:///api/records/"
+ ```
+ Where `` points to your deployment URL.
+
+2. After you’re sure your deployment works, you can deploy it to your users using one of the following:
+
+ - Turn on the **Let users turn on and use Enterprise Mode from the Tools menu** Group Policy setting, putting your `` information into the **Options** box.
+
+ - Deploy the registry key in Step 3 using System Center or other management software.
+
+3. Get your users to visit websites, turning Enterprise Mode on or off locally, as necessary.
+
+ **To view the report results**
+
+- Go to `http:///List` to see the report results.
+If you’re already on the webpage, you’ll need to refresh the page to see the results.
+
+ 
+
+
+### Troubleshooting publishing errors
+If you have errors while you’re publishing your project, you should try to update your packages.
+
+ **To update your packages**
+
+1. From the **Tools** menu of Microsoft Visual Studio, click **NuGet Package Manager**, and click **Manage NuGet Packages for Solution**.
+
+ 
+
+2. Click **Updates** on the left side of the tool, and click the **Update All** button.
+You may need to do some additional package cleanup to remove older package versions.
+
+## Related topics
+- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853)
+- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378)
+- [What is Enterprise Mode?](what-is-enterprise-mode.md)
+- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)
+- [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md)
+
+
+
+
+
+
diff --git a/browsers/enterprise-mode/set-up-enterprise-mode-portal.md b/browsers/enterprise-mode/set-up-enterprise-mode-portal.md
new file mode 100644
index 0000000000..0aca62e070
--- /dev/null
+++ b/browsers/enterprise-mode/set-up-enterprise-mode-portal.md
@@ -0,0 +1,232 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Details about how to set up the Enterprise Mode Site List Portal for your organization.
+author: eross-msft
+ms.prod: ie11
+title: Set up the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+# Set up the Enterprise Mode Site List Portal
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+The Enterprise Mode Site List Portal is an open-source web tool on GitHub that allows you to manage your Enterprise Mode Site List, hosted by the app, with multiple users. The portal is designed to use IIS and a SQL Server backend, leveraging Active Directory (AD) for employee management. Updates to your site list are made by submitting new change requests, which are then approved by a designated group of people, put into a pre-production environment for testing, and then deployed immediately, or scheduled for deployment later.
+
+Before you can begin using the Enterprise Mode Site List Portal, you must set up your environment.
+
+## Step 1 - Copy the deployment folder to the web server
+You must download the deployment folder (**EMIEWebPortal/**), which includes all of the source code for the website, from the [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) site to your web server.
+
+**To download the source code**
+1. Download the deployment folder from the [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) source code to your web server.
+
+2. Install the Node.js® package manager, [npm](https://www.npmjs.com/).
+
+ >[!Note]
+ >You need to install the npm package manager to replace all the third-party libraries we removed to make the Enterprise Mode Site List Portal open-source.
+
+3. Open File Explorer and then open the **EMIEWebPortal/** folder.
+
+4. Press and hold **Shift**, right-click the window, then click **Open PowerShell window here**.
+
+5. Type _npm i_ into the command prompt, then press **Enter**.
+
+ Installs the npm package manager and bulk adds all the third-party libraries back into your codebase.
+
+6. Go back up a directory, open the solution file **EMIEWebPortal.sln** in Visual Studio, and then build the entire solution.
+
+7. Copy the contents of the **EMIEWebPortal/** folder to a dedicated folder on your file system. For example, _D:\EMIEWebApp_. In a later step, you'll designate this folder as your website in the IIS Manager.
+
+## Step 2 - Create the Application Pool and website, by using IIS
+Create a new Application Pool and the website, by using the IIS Manager.
+
+**To create a new Application Pool**
+1. In IIS Manager, expand your local computer in the **Connections** pane, right-click **Application Pools**, then click **Add Application Pool**.
+
+ The **Add Application Pool** box appears.
+
+2. In the **Add Application Pool** box, enter the following info:
+
+ - **Name.** Type the name of your new application pool. For example, _EMIEWebAppPool_.
+
+ - **.NET CLR version.** Pick the version of .NET CLR used by your application pool from the drop-down box. It must be version 4.0 or higher.
+
+ - **Managed pipeline mode.** Pick **Integrated** from the drop-down box. IIS uses the integrated IIS and ASP.NET request-processing pipeline for managed content.
+
+3. Click **OK**.
+
+4. Select your new application pool from the **Application Pool** pane, click **Advanced Settings** from the **Edit Application Pool** area of the **Actions** pane.
+
+ The **Advanced Settings** box appears.
+
+5. Make sure your **Identity** value is **ApplicationPoolIdentity**, click **OK**, and then close the box.
+
+6. Open File Explorer and go to your deployment directory, created in Step 1. For example, _D:\EMIEWebApp_.
+
+7. Right-click on the directory, click **Properties**, and then click the **Security** tab.
+
+8. Add your new application pool to the list (for example, _IIS AppPool\EMIEWebAppPool_) with **Full control access**, making sure the location searches the local computer.
+
+9. Add **Everyone** to the list with **Read & execute access**.
+
+**To create the website**
+1. In IIS Manager, expand your local computer in the **Connections** pane, right-click **Sites**, then click **Add Website**.
+
+ The **Add Website** box appears.
+
+2. In the **Add Website** box, type the name of your website into the **Site name** box. For example, _EMIEWebApp_, and then click **Select**.
+
+ The **Select Application Pool** box appears.
+
+4. Pick the name of the application pool created earlier in this step, and then click **OK**. For example, _EMIEWebAppPool_.
+
+5. In the **Physical path** box, browse to your folder that contains your deployment directory. For example, _D:\EMIEWebApp_.
+
+6. Set up your **Binding**, including your **Binding Type**, **IP address**, and **Port**, as appropriate for your organization.
+
+7. Clear the **Start Website immediately** check box, and then click **OK**.
+
+8. In IIS Manager, expand your local computer, and then double-click your new website. For example, _EMIEWebApp_.
+
+ The **<website_name> Home** pane appears.
+
+9. Double-click the **Authentication** icon, right-click on **Windows Authentication**, and then click **Enable**.
+
+ >[!Note]
+ >You must also make sure that **Anonymous Authentication** is marked as **Enabled**.
+
+10. Return to the **<website_name> Home** pane, and double-click the **Connection Strings** icon.
+
+11. Open the **LOBMergedEntities Connection String** to edit:
+
+ - **Data source.** Type the name of your local computer.
+
+ - **Initial catalog.** The name of your database.
+
+ >[!Note]
+ >Step 3 of this topic provides the steps to create your database.
+
+## Step 3 - Create and prep your database
+Create a SQL Server database and run our custom query to create the Enterprise Mode Site List tables.
+
+**To create and prep your database**
+1. Start SQL Server Management Studio.
+
+2. Open **Object Explorer** and then connect to an instance of the SQL Server Database Engine.
+
+3. Expand the instance, right-click on **Databases**, and then click **New Database**.
+
+4. Type a database name. For example, _EMIEDatabase_.
+
+5. Leave all default values for the database files, and then click **OK**.
+
+6. Open the **DatabaseScripts/Create DB Tables/1_CreateEMIETables.sql** query file, located in the deployment directory.
+
+7. Replace the database name placeholder with the database name you created earlier. For example, _EMIEDatabase_.
+
+8. Run the query.
+
+## Step 4 - Map your Application Pool to a SQL Server role
+Map your ApplicationPoolIdentity to your database, adding the db_owner role.
+
+**To map your ApplicationPoolIdentity to a SQL Server role**
+1. Start SQL Server Management Studio and connect to your database.
+
+2. Expand the database instance and then open the server-level **Security** folder.
+
+ > [!IMPORTANT]
+ > Make sure you open the **Security** folder at the server level and not for the database.
+
+3. Right-click **Logins**, and then click **New Login**.
+
+ The **Login-New** dialog box appears.
+
+4. Type the following into the **Login name** box, based on your server instance type:
+
+ - **Local SQL Server instance.** If you have a local SQL Server instance, where IIS and SQL Server are on the same server, type the name of your Application Pool. For example, _IIS AppPool\EMIEWebAppPool_.
+
+ - **Remote SQL Server instance.** If you have a remote SQL Server instance, where IIS and SQL Server are on different servers, type `Domain\ServerName$`.
+
+ > [!IMPORTANT]
+ > Don't click **Search** in the **Login name** box. Login name searches will resolve to a ServerName\AppPool Name account and SQL Server Management Studio won't be able to resolve the account's virtual Security ID (SID).
+
+5. Click **User Mapping** from the **Select a page** pane, click the checkbox for your database (for example, _EMIEDatabase_) from the **Users mapped to this login** pane, and then click **db_owner** from the list of available roles in the **Database role membership** pane.
+
+6. Click **OK**.
+
+## Step 5 - Restart the Application Pool and website
+Using the IIS Manager, you must restart both your Application Pool and your website.
+
+**To restart your Application Pool and website**
+1. In IIS Manager, expand your local computer in the **Connections** pane, select your website, then click **Restart** from the **Manage Website** pane.
+
+2. In the **Connections** pane, select your Application Pool, and then click **Recycle** from the **Application Pool Tasks** pane.
+
+## Step 6 - Registering as an administrator
+After you've created your database and website, you'll need to register yourself (or another employee) as an administrator for the Enterprise Mode Site List Portal.
+
+**To register as an administrator**
+1. Open Microsoft Edge and type your website URL into the Address bar. For example, http://emieportal:8085.
+
+2. Click **Register now**.
+
+3. Type your name or alias into the **Email** box, making sure it matches the info in the drop-down box.
+
+4. Click **Administrator** from the **Role** box, and then click **Save**.
+
+5. Append your website URL with `/#/EMIEAdminConsole` in the Address bar to go to your administrator console. For example, http://emieportal:8085/#/EMIEAdminConsole.
+
+ A dialog box appears, prompting you for the system user name and password. The default user name is EMIEAdmin and the default password is Admin123. We strongly recommend that you change the password by using the **Change password** link as soon as you're done with your first visit.
+
+6. Select your name from the available list, and then click **Activate**.
+
+7. Go to the Enterprise Mode Site List Portal Home page and sign in.
+
+## Step 7 - Configure the SMTP server and port for email notification
+After you've set up the portal, you need to configure your SMTP server and port for email notifications from the system.
+
+**To set up your SMTP server and port for emails**
+1. Open Visual Studio, and then open the web.config file from your deployment directory.
+
+2. Update the SMTP server and port info with your info, using this format:
+
+ ```
+
+
+ ```
+3. Open the **Settings** page in the Enterprise Mode Site List Portal, and then update the email account and password info.
+
+## Step 8 - Register the scheduler service
+Register the EMIEScheduler tool and service for production site list changes.
+
+**To register the scheduler service**
+
+1. Open File Explorer and go to EMIEWebPortal.SchedulerService\EMIEWebPortal.SchedulerService in your deployment directory, and then copy the **App_Data**, **bin**, and **Logs** folders to a separate folder. For example, C:\EMIEService\.
+
+ >[!Important]
+ >If you can't find the **bin** and **Logs** folders, you probably haven't built the Visual Studio solution. Building the solution creates the folders and files.
+
+2. In Visual Studio start the Developer Command Prompt as an administrator, and then change the directory to the location of the InstallUtil.exe file. For example, _C:\Windows\Microsoft.NET\Framework\v4.0.30319_.
+
+3. Run the command, `InstallUtil ""`. For example, _InstallUtil "C:\EMIEService\bin\Debug\EMIEWebPortal.SchedulerService.exe"._
+
+ You'll be asked for your user name and password for the service.
+
+4. Open the **Run** command, type `Services.msc`, and then start the EMIEScheduler service.
+
+## Related topics
+- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal)
+
+- [Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md)
+
+- [Use the Enterprise Mode Site List Manager tool or page](use-the-enterprise-mode-site-list-manager.md)
\ No newline at end of file
diff --git a/browsers/enterprise-mode/turn-off-enterprise-mode.md b/browsers/enterprise-mode/turn-off-enterprise-mode.md
new file mode 100644
index 0000000000..12a4ee7ffd
--- /dev/null
+++ b/browsers/enterprise-mode/turn-off-enterprise-mode.md
@@ -0,0 +1,77 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: How to turn Enteprrise Mode off temporarily while testing websites and how to turn it off completely if you no longer want to to use it.
+author: eross-msft
+ms.prod: ie11
+ms.assetid: 5027c163-71e0-49b8-9dc0-f0a7310c7ae3
+title: Turn off Enterprise Mode (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Turn off Enterprise Mode
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+It’s important that you test the sites you’re adding, or considering removing, from your Enterprise Mode site list. To make this testing easier, you can turn off the site list or the entire Enterprise Mode functionality. For example, you might have an intranet site on your list that you’ve upgraded to be compatible with the new web standards . If you test the site while the site list is active, Internet Explorer 11 will automatically switch to Enterprise Mode. By turning off the site list, you can see what the page actually looks like and decide whether to remove it from your site list.
+
+In addition, if you no longer want your users to be able to turn Enterprise Mode on locally, you can remove Enterprise Mode from the local **Tools** menu.
+
+**Important**
+Turning off both of these features turns off Enterprise Mode for your company. Turning off Enterprise Mode also causes any websites included in your employee’s manual site lists to not appear in Enterprise Mode.
+
+ **To turn off the site list using Group Policy**
+
+1. Open your Group Policy editor, like Group Policy Management Console (GPMC).
+
+2. Go to the **Use the Enterprise Mode IE website list** setting, and then click **Disabled**.
+Enterprise Mode will no longer look for the site list, effectively turning off Enterprise Mode. However, if you previously turned on local control for your employees, Enterprise Mode will still be available from the **Tools** menu. You need to turn that part of the functionality off separately.
+
+ **To turn off local control using Group Policy**
+
+1. Open your Group Policy editor, like Group Policy Management Console (GPMC).
+
+2. Go to the **Let users turn on and use Enterprise Mode from the Tools menu** setting, and then click **Disable**.
+
+3. Enterprise Mode no longer shows up on the **Tools** menu for your employees. However, if you are still using an Enterprise Mode site list, all of the globally listed sites will still appear in Enterprise Mode. If you want to turn off all of Enterprise Mode, you will need to also turn off the site list functionality.
+
+ **To turn off the site list using the registry**
+
+1. Open a registry editor, such as regedit.exe.
+
+2. Go to `HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\EnterpriseMode`, and then delete the **SiteList** value.
+You can also use HKEY_LOCAL_MACHINE, depending whether you want to turn off the Enterprise Mode site list for users or for computers.
+
+3. Close all and restart all instances of Internet Explorer.
+IE11 stops looking at the site list for rendering instructions. However, Enterprise Mode is still available to your users locally (if it was turned on).
+
+ **To turn off local control using the registry**
+
+1. Open a registry editor, such as regedit.exe.
+
+2. Go `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode`, and then delete the **Enable** value.
+You can also use HKEY_CURRENT_USER, depending whether you want to turn off Enterprise Mode for users or for computers.
+
+3. Close and restart all instances of IE.
+Enterprise Mode is no longer a user option on the **Tools** menu in IE11. However, IE11 still looks at the site list (if it was turned on).
+
+## Related topics
+- [What is Enterprise Mode?](what-is-enterprise-mode.md)
+- [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md)
+- [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md)
+- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)
+
+
+
+
+
+
diff --git a/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md b/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md
new file mode 100644
index 0000000000..e4e3d83ec8
--- /dev/null
+++ b/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md
@@ -0,0 +1,47 @@
+Before you can use a site list with Enterprise Mode, you must turn the functionality on and set up the system for centralized control. By allowing
+centralized control, you can create one global list of websites that render using Enterprise Mode. Approximately 65 seconds after Internet Explorer 11 starts, it looks for a properly formatted site list. If a new site list if found, with a different version number than the active list, IE11 loads and uses the newer version. After the initial check, IE11 won’t look for an updated list again until you restart the browser.
+
+>[!NOTE]
+>We recommend that you store and download your website list from a secure web server (https://), to help protect against data tampering. After the list is downloaded, it's stored locally on your employees' computers so if the centralized file location is unavailable, they can still use Enterprise Mode.
+
+**Group Policy**
+
+1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\Microsoft Edge\\Configure the Enterprise Mode Site List** setting.
Turning this setting on also requires you to create and store a site list.
+
+
+
+2. Click **Enabled**, and then in the **Options** area, type the location to your site list.
+
+3. Refresh your policy and then view the affected sites in Microsoft Edge.
The site shows a message in Microsoft Edge, saying that the page needs IE. At the same time, the page opens in IE11; in a new frame if it's not yet running, or in a new tab if it is.
+
+**Registry**
+
+All of your managed devices must have access to this location if you want them to be able to access and use Enterprise Mode and your site list.
+
+1. **To turn on Enterprise Mode for all users on the PC:** Open the registry editor and go to `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MicrosoftEdge\Main\EnterpriseMode`.
+
+2. Edit the `SiteList` registry key to point to where you want to keep your Enterprise Mode site list file.
For example:
+
+
+ - **HTTPS location:** `"SiteList"="https://localhost:8080/sites.xml"`
+
+ - **Local network:** `"SiteList"="\\network\shares\sites.xml"`
+
+ - **Local file:** `"SiteList"="file:///c:\\Users\\\\Documents\\testList.xml"`
+
+ > **Example:**
+ >> _Web URL_ http://localhost:8080/EnterpriseMode.xml
+ >>
+ >> _Network Share_ \\NetworkShare.xml (Place this inside the group policy folder on Sysvol)
+ >>
+ >> _Drive Letter_ C:.xml
+
+ All of your managed devices must have access to this location if you want them to use Enterprise Mode and your site list.
+
+3. Refresh the policy in your organization and then view the affected sites in
+ Microsoft Edge.The site shows a message in Microsoft Edge, saying that the page needs IE.
+ At the same time, the page opens in IE11; in a new frame if it is not yet
+ running, or in a new tab if it is.
diff --git a/browsers/enterprise-mode/turn-on-local-control-and-logging-for-enterprise-mode.md b/browsers/enterprise-mode/turn-on-local-control-and-logging-for-enterprise-mode.md
new file mode 100644
index 0000000000..0f5ff8d1f9
--- /dev/null
+++ b/browsers/enterprise-mode/turn-on-local-control-and-logging-for-enterprise-mode.md
@@ -0,0 +1,61 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Turn on local user control and logging for Enterprise Mode.
+author: eross-msft
+ms.prod: ie11
+ms.assetid: 6622ecce-24b1-497e-894a-e1fd5a8a66d1
+title: Turn on local control and logging for Enterprise Mode (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Turn on local control and logging for Enterprise Mode
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+You can turn on local control of Enterprise Mode so that your users can turn Enterprise Mode on from the **Tools** menu. Turning on this feature also adds the **Enterprise** browser profile to the **Emulation** tab of the F12 developer tools.
+
+Besides turning on this feature, you also have the option to provide a URL for Enterprise Mode logging. If you turn logging on, Internet Explorer initiates a simple POST back to the supplied address, including the URL and a specification that **EnterpriseMode** was turned on or off through the **Tools** menu.
+
+ **To turn on local control of Enterprise Mode using Group Policy**
+
+1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\Internet Explorer\\Let users turn on and use Enterprise Mode from the Tools menu** setting.
+
+ 
+
+2. Click **Enabled**, and then in the **Options** area, type the location for where to receive reports about when your employees use this functionality to turn Enterprise Mode on or off from the **Tools** menu.
+
+ **To turn on local control of Enterprise Mode using the registry**
+
+1. Open a registry editor, like regedit.exe and go to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode`.
+
+2. In the right pane, right-click and click **New**, click **String Value**, and then name the new value **Enable**.
+
+3. Right-click the **Enable** key, click **Modify**, and then type a **Value data** to point to a server that you can listen to for updates.
+
+ 
+
+Your **Value data** location can be any of the following types:
+
+- **URL location (like, http://www.emieposturl.com/api/records or http://localhost:13000)**. IE sends a POST message to the URL every time a change is made to Enterprise Mode from the **Tools** menu.
**Important**
+The `http://www.emieposturl.com/api/records` example will only work if you’ve downloaded the sample discussed in the [Set up Enterprise Mode logging and data collection](set-up-enterprise-mode-logging-and-data-collection.md) topic. If you don’t have the sample, you won’t have the web API.
+- **Local network location (like, http://*emieposturl*/)**. IE sends a POST message to your specified local network location every time a change is made to Enterprise Mode from the **Tools** menu.
+- **Empty string**. If you leave the **Value data** box blank; your employees will be able to turn Enterprise Mode on and off from the **Tools** menu, but you won’t collect any logging data.
+
+For information about how to collect the data provided when your employees turn Enterprise Mode on or off from the **Tools** menu, see [Set up Enterprise Mode logging and data collection](set-up-enterprise-mode-logging-and-data-collection.md).
+
+
+
+
+
+
+
diff --git a/browsers/enterprise-mode/use-the-enterprise-mode-portal.md b/browsers/enterprise-mode/use-the-enterprise-mode-portal.md
new file mode 100644
index 0000000000..d57c5f411b
--- /dev/null
+++ b/browsers/enterprise-mode/use-the-enterprise-mode-portal.md
@@ -0,0 +1,80 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Use the topics in this section to learn about how to use the Enterprise Mode Site List Portal.
+ms.prod: ie11
+title: Use the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+# Use the Enterprise Mode Site List Portal
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
+
+The Enterprise Mode Site List Portal is an open-source web tool on GitHub that allows you to manage your Enterprise Mode Site List, hosted by the app, with multiple users. The portal is designed to use IIS and a SQL Server backend, leveraging Active Directory (AD) for employee management. Updates to your site list are made by submitting new change requests, which are then approved by a designated group of people, put into a pre-production environment for testing, and then deployed immediately, or scheduled for deployment later.
+
+You can use IE11 and the Enterprise Mode Site List Portal to manage your Enterprise Mode Site List, hosted by the app, with multiple users.
+
+## Minimum system requirements for portal and test machines
+Some of the components in this table might also need additional system resources. Check the component's documentation for more information.
+
+|Item |Description |
+|-----|------------|
+|Operating system |Windows 7 or later |
+|Memory |16 GB RAM |
+|Hard drive space |At least 8 GB of free space, formatted using the NTFS file system for better security |
+|Active Directory (AD) |Devices must be domain-joined |
+|SQL Server |Microsoft SQL Server Enterprise Edition 2012 or later |
+|Visual Studio |Visual Studio 2015 or later |
+|Node.js® package manager |npm Developer version or higher |
+|Additional server infrastructure |Internet Information Service (IIS) 6.0 or later |
+
+## Role assignments and available actions
+Admins can assign roles to employees for the Enterprise Mode Site List Portal, allowing the employees to perform specific actions, as described in this table.
+
+|Role assignment |Available actions |
+|----------------|------------------|
+|Requester |
- Create a change request
- Validate changes in the pre-production environment
- Rollback pre-production and production changes in case of failure
- Send approval requests
- View own requests
- Sign off and close own requests
|
+|Approver
(includes the App Manager and Group Head roles) |- All of the Requester actions, plus:
- Approve requests
|
+|Administrator |- All of the Requester and Approver actions, plus:
- Add employees to the portal
- Assign employee roles
- Approve registrations to the portal
- Configure portal settings (for example, determine the freeze schedule, determine the pre-production and production XML paths, and determine the attachment upload location)
- Use the standalone Enterprise Mode Site List Manager page
- View reports
|
+
+## Enterprise Mode Site List Portal workflow by employee role
+The following workflow describes how to use the Enterprise Mode Site List Portal.
+
+1. [The Requester submits a change request for an app](create-change-request-enterprise-mode-portal.md)
+
+2. [The Requester tests the change request info, verifying its accuracy](verify-changes-preprod-enterprise-mode-portal.md)
+
+3. [The Approver(s) group accepts the change request](approve-change-request-enterprise-mode-portal.md)
+
+4. [The Requester schedules the change for the production environment](schedule-production-change-enterprise-mode-portal.md)
+
+5. [The change is verified against the production site list and signed off](verify-changes-production-enterprise-mode-portal.md)
+
+
+## Related topics
+- [Set up the Enterprise Mode Site List Portal](set-up-enterprise-mode-portal.md)
+
+- [Workflow-based processes for employees using the Enterprise Mode Site List Portal](workflow-processes-enterprise-mode-portal.md)
+
+- [How to use the Enterprise Mode Site List Manager tool or page](use-the-enterprise-mode-site-list-manager.md)
+
+- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal)
+
+- [Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md)
+
+
+
+
+
+
diff --git a/browsers/enterprise-mode/use-the-enterprise-mode-site-list-manager.md b/browsers/enterprise-mode/use-the-enterprise-mode-site-list-manager.md
new file mode 100644
index 0000000000..fbe6ddff8f
--- /dev/null
+++ b/browsers/enterprise-mode/use-the-enterprise-mode-site-list-manager.md
@@ -0,0 +1,61 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Use the topics in this section to learn about how to use the Enterprise Mode Site List Manager.
+author: eross-msft
+ms.prod: ie11
+ms.assetid: f4dbed4c-08ff-40b1-ab3f-60d3b6e8ec9b
+title: Use the Enterprise Mode Site List Manager (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 12/04/2017
+---
+
+
+# Use the Enterprise Mode Site List Manager
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
+
+You can use IE11 and the Enterprise Mode Site List Manager to add individual website domains and domain paths and to specify whether the site renders using Enterprise Mode or the default mode.
+
+[!INCLUDE [enterprise-mode-site-list-mgr-versions-include](../../enterprise-mode/enterprise-mode-site-list-mgr-versions-include.md)]
+
+## Using the Enterprise Mode Site List Manager
+The following topics give you more information about the things that you can do with the Enterprise Mode Site List Manager.
+
+|Topic |Description |
+|------|------------|
+|[Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md) |How to add websites to your site list using the Enterprise Mode Site List Manager (schema v.2). |
+|[Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md) |How to add websites to your site list using the Enterprise Mode Site List Manager (schema v.1). |
+|[Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) |How to add several websites to your site list at the same time, using a text or XML file and the Enterprise Mode Site List Manager (schema v.2). |
+|[Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) |How to add several websites to your site list at the same time, using a text or XML file and the WEnterprise Mode Site List Manager (schema v.1). |
+|[Edit the Enterprise Mode site list using the Enterprise Mode Site List Manager](edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md) |How to edit the compatibility mode for specific websites.This topic applies to both versions of the Enterprise Mode Site List Manager. |
+|[Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md) |How to fix common site list validation errors.
This topic applies to both versions of the Enterprise Mode Site List Manager. |
+|[Search your Enterprise Mode site list in the Enterprise Mode Site List Manager](search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) |How to look to see if a site is already in your global Enterprise Mode site list.
This topic applies to both versions of the Enterprise Mode Site List Manager. |
+|[Save your site list to XML in the Enterprise Mode Site List Manager](save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md) |How to save a site list as XML, so you can deploy and use it with your managed systems.
This topic applies to both versions of the Enterprise Mode Site List Manager. |
+|[Export your Enterprise Mode site list from the Enterprise Mode Site List Manager](export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md) |How to export your site list so you can transfer your data and contents to someone else.
This topic applies to both versions of the Enterprise Mode Site List Manager. |
+|[Import your Enterprise Mode site list to the Enterprise Mode Site List Manager](import-into-the-enterprise-mode-site-list-manager.md) |How to import your site list to replace a corrupted or out-of-date list.
This topic applies to both versions of the Enterprise Mode Site List Manager. |
+|[Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) |How to delete a website from your site list.
This topic applies to both versions of the Enterprise Mode Site List Manager. |
+|[Remove all sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) |How to delete all of the websites in a site list.
This topic applies to both versions of the Enterprise Mode Site List Manager. |
+
+## Related topics
+
+
+- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853)
+- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378)
+- [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md)
+- [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md)
+
+
+
+
+
+
diff --git a/browsers/enterprise-mode/using-enterprise-mode.md b/browsers/enterprise-mode/using-enterprise-mode.md
new file mode 100644
index 0000000000..313a07e8e8
--- /dev/null
+++ b/browsers/enterprise-mode/using-enterprise-mode.md
@@ -0,0 +1,57 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: security
+description: Use this section to learn about how to turn on and use IE7 Enterprise Mode or IE8 Enterprise Mode.
+author: eross-msft
+ms.prod: ie11
+ms.assetid: 238ead3d-8920-429a-ac23-02f089c4384a
+title: Using IE7 Enterprise Mode or IE8 Enterprise Mode (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+
+# Using IE7 Enterprise Mode or IE8 Enterprise Mode
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+Enterprise Mode gives you a way for your legacy websites and apps to run using emulated versions of Windows Internet Explorer 7 or Windows Internet Explorer 8, while your new sites and apps run using Internet Explorer 11, including modern standards and features.
+
+Although it’s called IE7 Enterprise Mode, it actually turns on Enterprise Mode along with Internet Explorer 7 or Microsoft Internet Explorer 5 Compatibility View. Compatibility View chooses which document mode to use based on whether there’s a `DOCTYPE` tag in your code:
+
+- **DOCTYPE tag found.** Webpages render using the Internet Explorer 7 document mode.
+- **No DOCTYPE tag found.** Webpages render using the Internet Explorer 5 document mode.
+
+**Important**
+Because we’ve added the IE7 Enterprise Mode option, we’ve had to rename the original functionality of Enterprise Mode to be IE8 Enterprise Mode. We’ve also replaced Edge Mode with IE11 Document Mode, so you can explicitly use IE11 on Windows 10.
+
+## Turning on and using IE7 Enterprise Mode or IE8 Enterprise Mode
+For instructions about how to add IE7 Enterprise Mode or IE8 Enterprise Mode to your webpages and apps, see:
+
+- [Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md)
+
+- [Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md)
+
+- [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md)
+
+- [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md)
+
+For instructions and more info about how to fix your compatibility issues using Enterprise Mode, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md).
+
+## Related topics
+- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853)
+- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378)
+- [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)
+
+
+
+
+
+
diff --git a/browsers/enterprise-mode/verify-changes-preprod-enterprise-mode-portal.md b/browsers/enterprise-mode/verify-changes-preprod-enterprise-mode-portal.md
new file mode 100644
index 0000000000..94de88ee4e
--- /dev/null
+++ b/browsers/enterprise-mode/verify-changes-preprod-enterprise-mode-portal.md
@@ -0,0 +1,67 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Details about how to make sure your change request info is accurate within the pre-production environment of the Enterprise Mode Site List Portal.
+author: eross-msft
+ms.prod: ie11
+title: Verify your changes using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+# Verify your changes using the Enterprise Mode Site List Portal
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+>[!Important]
+>This step requires that each Requester have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct.
+
+The Requester successfully submits a change request to the Enterprise Mode Site List Portal and then gets an email, including:
+
+- **EMIE_RegKey**. A batch file that when run, sets the registry key to point to the local pre-production Enterprise Mode Site List.
+
+- **Test steps**. The suggested steps about how to test the change request details to make sure they're accurate in the pre-production environment.
+
+- **EMIE_Reset**. A batch file that when run, reverts the changes made to the pre-production registry.
+
+## Verify and send the change request to Approvers
+The Requester tests the changes and then goes back into the Enterprise Mode Site List Portal, **Pre-production verification** page to verify whether the testing was successful.
+
+**To verify changes and send to the Approver(s)**
+1. On the **Pre-production verification** page, the Requester clicks **Successful** and optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the change request and testing results.
+
+2. The Requester reviews the pre-defined Approver(s), and then clicks **Send for approval**.
+
+ The Requester, the Approver group, and the Administrator group all get an email, stating that the change request is waiting for approval.
+
+
+**To rollback your pre-production changes**
+1. On the **Pre-production verification** page, the Requester clicks **Failed** and optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the change request and testing results.
+
+2. Add a description about the issue into the **Issue description** box, and then click **Send failure details**.
+
+ The change request and issue info are sent to the Administrators.
+
+3. The Requester clicks **Roll back** to roll back the changes in the pre-production environment.
+
+ After the Requester rolls back the changes, the request can be updated and re-submitted.
+
+
+## View rolled back change requests
+The original Requester and the Administrator(s) group can view the rolled back change requests.
+
+**To view the rolled back change request**
+
+- In the Enterprise Mode Site List Portal, click **Rolled back** from the left pane.
+
+ All rolled back change requests appear, with role assignment determining which ones are visible.
+
+## Next steps
+If the change request is certified as successful, the Requester must next send it to the Approvers for approval. For the Approver-related steps, see the [Approve a change request using the Enterprise Mode Site List Portal](approve-change-request-enterprise-mode-portal.md) topic.
diff --git a/browsers/enterprise-mode/verify-changes-production-enterprise-mode-portal.md b/browsers/enterprise-mode/verify-changes-production-enterprise-mode-portal.md
new file mode 100644
index 0000000000..00fb099e3f
--- /dev/null
+++ b/browsers/enterprise-mode/verify-changes-production-enterprise-mode-portal.md
@@ -0,0 +1,42 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Details about how the Requester makes sure that the change request update is accurate within the production environment using the Enterprise Mode Site List Portal.
+author: eross-msft
+ms.prod: ie11
+title: Verify the change request update in the production environment using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+# Verify the change request update in the production environment using the Enterprise Mode Site List Portal
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+## Verify and sign off on the update in the production environment
+The Requester tests the changes in the production environment and then goes back into the Enterprise Mode Site List Portal, **Production verification** page to verify whether the testing was successful.
+
+**To verify the changes and sign off**
+- On the **Production verification** page, the Requester clicks **Successful**, optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the testing results, optionally includes a description of the change, and then clicks **Sign off**.
+
+ The Requester, Approver group, and Administrator group all get an email, stating that the change request has been signed off.
+
+
+**To rollback production changes**
+1. On the **Production verification** page, the Requester clicks **Failed** and optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the testing results.
+
+2. Add a description about the issue into the **Change description** box, and then click **Send failure details**.
+
+ The info is sent to the Administrators.
+
+3. The Requester clicks **Roll back** to roll back the changes in the production environment.
+
+ After the Requester rolls back the changes, the request is automatically handled in the production and pre-production environment site lists.
+
diff --git a/browsers/enterprise-mode/view-apps-enterprise-mode-site-list.md b/browsers/enterprise-mode/view-apps-enterprise-mode-site-list.md
new file mode 100644
index 0000000000..29d1d8afe9
--- /dev/null
+++ b/browsers/enterprise-mode/view-apps-enterprise-mode-site-list.md
@@ -0,0 +1,38 @@
+---
+ms.localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Details about how to view the active Enterprise Mode Site List from the Enterprise Mode Site List Portal.
+author: eross-msft
+ms.prod: ie11
+title: View the apps included in the active Enterprise Mode Site List from the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+ms.date: 07/27/2017
+---
+
+# View the apps included in the active Enterprise Mode Site List from the Enterprise Mode Site List Portal
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+Any employee with access to the Enterprise Mode Site List Portal can view the apps included in the current Enterprise Mode Site List.
+
+**To view the active Enterprise Mode Site List**
+1. Open the Enterprise Mode Site List Portal and click the **Production sites list** icon in the upper-right area of the page.
+
+ The **Production sites list** page appears, with each app showing its URL, the compatibility mode to use, and the assigned browser to open the site.
+
+2. Click any URL to view the actual site, using the compatibility mode and opening in the correct browser.
+
+
+**To export the active Enterprise Mode Site List**
+1. On the **Production sites list** page, click **Export**.
+
+2. Save the ProductionSiteList.xlsx file.
+
+ The Excel file includes all apps in the current Enterprise Mode Site List, including URL, compatibility mode, and assigned browser.
diff --git a/browsers/enterprise-mode/what-is-enterprise-mode-include.md b/browsers/enterprise-mode/what-is-enterprise-mode-include.md
new file mode 100644
index 0000000000..34359d6f1b
--- /dev/null
+++ b/browsers/enterprise-mode/what-is-enterprise-mode-include.md
@@ -0,0 +1,4 @@
+## What is Enterprise Mode?
+Enterprise Mode, a compatibility mode that runs on Internet Explorer 11 on Windows 10, Windows 8.1, and Windows 7 devices, lets websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8. Running in this mode helps to avoid many of the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
+
+Many customers identify web app compatibility as a significant cost to upgrading because web apps need to be tested and upgraded before adopting a new browser. The improved compatibility provided by Enterprise Mode can help give customers confidence to upgrade to IE11, letting customers benefit from modern web standards, increased performance, improved security, and better reliability.
\ No newline at end of file
diff --git a/browsers/includes/available-duel-browser-experiences-include.md b/browsers/includes/available-duel-browser-experiences-include.md
new file mode 100644
index 0000000000..175646f824
--- /dev/null
+++ b/browsers/includes/available-duel-browser-experiences-include.md
@@ -0,0 +1,12 @@
+## Available dual-browser experiences
+Based on the size of your legacy web app dependency, determined by the data collected with [Windows Upgrade Analytics](https://blogs.windows.com/windowsexperience/2016/09/26/new-windows-10-and-office-365-features-for-the-secure-productive-enterprise/), there are several options from which you can choose to configure your enterprise browsing environment:
+
+- Use Microsoft Edge as your primary browser.
+
+- Use Microsoft Edge as your primary browser and use Enterprise Mode to open sites in Internet Explorer 11 (IE11) that use IE proprietary technologies.
+
+- Use Microsoft Edge as your primary browser and open all intranet sites in IE11.
+
+- Use IE11 as your primary browser and use Enterprise Mode to open sites in Microsoft Edge that use modern web technologies.
+
+For more info about when to use which option, and which option is best for you, see the [Continuing to make it easier for Enterprise customers to upgrade to Internet Explorer 11 — and Windows 10](https://blogs.windows.com/msedgedev/2015/11/23/windows-10-1511-enterprise-improvements) blog.
\ No newline at end of file
diff --git a/browsers/includes/configuration-options.md b/browsers/includes/configuration-options.md
new file mode 100644
index 0000000000..2b2516dfe2
--- /dev/null
+++ b/browsers/includes/configuration-options.md
@@ -0,0 +1,11 @@
+## Configuration options
+You can make changes to your deployment through the software management system you have chosen.
+
+### Choosing an update channel
+
+### Configure policies using Group Policy Editor
+
+### Configure policies using Registry Editor
+
+### Configure policies using Intune
+
diff --git a/browsers/includes/control-browser-content.md b/browsers/includes/control-browser-content.md
new file mode 100644
index 0000000000..e32eda17a8
--- /dev/null
+++ b/browsers/includes/control-browser-content.md
@@ -0,0 +1,18 @@
+## Controlling browser content
+This section explains how to control content in the browser.
+
+### Configure Pop-up Blocker
+[configure-pop-up-blocker-include](../edge/includes/configure-pop-up-blocker-include.md)
+
+### Allow exentions
+[allow-extensions-include](../edge/includes/allow-extensions-include.md)
+
+[send-all-intranet-sites-ie-include](../edge/includes/send-all-intranet-sites-ie-include.md)
+
+[keep-fav-sync-ie-edge-include](../edge/includes/keep-fav-sync-ie-edge-include.md)
+
+extensions
+javascript
+Tracking your browser:
+- Do not track
+
diff --git a/browsers/includes/control-browsing-behavior.md b/browsers/includes/control-browsing-behavior.md
new file mode 100644
index 0000000000..067eba3f7d
--- /dev/null
+++ b/browsers/includes/control-browsing-behavior.md
@@ -0,0 +1,90 @@
+
+# Control browsing behavior
+This section explains how to contol the behavior of Microsoft Edge in certain circumstances. Besides changing how sites deplay and the look and feel of the browser itself, you can also change how the browser behaves, for example, you can change the settings for security.
+
+
+
+## Security settings
+
+## Cookies
+
+[configure-cookies-include](../edge/includes/configure-cookies-include.md)
+
+## Search engine settings
+...shortdesc of search engines...how admins can control the default search engine...
+
+### Allow address bar suggestions
+[allow-address-bar-suggestions-include](../edge/includes/allow-address-bar-suggestions-include.md)
+
+[configure-search-suggestions-address-bar-include](../edge/includes/configure-search-suggestions-address-bar-include.md)
+
+[allow-search-engine-customization-include](../edge/includes/allow-search-engine-customization-include.md)
+
+[configure-additional-search-engines-include](../edge/includes/configure-additional-search-engines-include.md)
+
+[set-default-search-engine-include](../edge/includes/set-default-search-engine-include.md)
+
+
+
+
+## Extensions
+Extensions allow you to add features and functionality directly into the browser itself. Choose from a range of extensions from the Microsoft Store.
+
+
+
+[Allow Extensions](../edge/available-policies.md#allow-extensions)
+
+[allow-sideloading-extensions-include](../edge/includes/allow-sideloading-extensions-include.md)
+
+[prevent-turning-off-required-extensions-include](../edge/includes/prevent-turning-off-required-extensions-include.md)
+
+## Home button settings
+The Home page...
+
+
+### Scenarios
+You can specify www.bing.com or www.google.com as the startup pages for Microsoft Edge using "HomePages" (MDM) or Configure Start Pages (GP). You can also enable the Disable Lockdown of Start pages (GP) policy or set the the DisableLockdownOfStartPages (MDM) setting to 1 allowing users to change the Microsoft Edge start options. Additionally, you can enable the Disable Lockdown of Start Pages or set the DisableLockdownOfStartPages to 2 locking down the IT-provided URLs, but allowing users to add or remove additional URLs. Users cannot switch Startup setting to another, for example, to load New Tab page or "previous pages" at startup.
+
+### Configuration combinations
+
+| **Configure Home Button** | **Set Home Button URL** | **Unlock Home Button** | **Results** |
+|---------------------------------|-------------------------|------------------------|---------------------------------|
+| Not configured (0/Null default) | N/A | N/A | Shows home button and loads the Start page. |
+| Enabled (1) | N/A | Disabled (0 default) | Shows home button, loads the New tab page, and prevent users from making changes to it. |
+| Enabled (1) | N/A | Disabled (0 default) | Shows home button, loads the New tab page, and let users from making changes to it. |
+| Enabled (2) | Enabled | Disabled (0 default) | Shows home button, loads custom URL defined in the Set Home Button URL policy, prevent users from changing what page loads. |
+| Enabled (2) | Enabled | Enabled | Shows home button, loads custom URL defined in the Set Home Button URL policy, and allow users to change what page loads. |
+| Enabled (3) | N/A | N/A | Hides home button. |
+---
+
+[configure-home-button-include](configure-home-button-include.md)
+
+[set-home-button-url-include](set-home-button-url-include.md)
+
+[unlock-home-button-include](unlock-home-button-include.md)
+
+## Start page settings
+
+[configure-start-pages-include](configure-start-pages-include.md)
+
+[disable-lockdown-of-start-pages-include](disable-lockdown-of-start-pages-include.md)
+
+
+
+## New Tab page settings
+
+[set-new-tab-url-include](set-new-tab-url-include.md)
+
+[allow-web-content-new-tab-page-include](allow-web-content-new-tab-page-include.md)
+
+
+## Exit tasks
+
+[allow-clearing-browsing-data-include](allow-clearing-browsing-data-include.md)
+
+
+## Kiosk mode
+
+[Configure kiosk mode](configure-microsoft-edge-kiosk-mode-include.md)
+
+[Configure kiosk reset after idle timeout](configure-edge-kiosk-reset-idle-timeout-include.md)
diff --git a/browsers/includes/customize-look-and-feel.md b/browsers/includes/customize-look-and-feel.md
new file mode 100644
index 0000000000..5bada8092e
--- /dev/null
+++ b/browsers/includes/customize-look-and-feel.md
@@ -0,0 +1,2 @@
+## Customize the look and feel
+
diff --git a/browsers/includes/helpful-topics-include.md b/browsers/includes/helpful-topics-include.md
new file mode 100644
index 0000000000..21a3238bd5
--- /dev/null
+++ b/browsers/includes/helpful-topics-include.md
@@ -0,0 +1,28 @@
+
+## Helpful information and additional resources
+- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal)
+
+- [Technical guidance, tools, and resources on Enterprise browsing](https://technet.microsoft.com/ie)
+
+- [Enterprise Mode Site List Manager (schema v.1)](https://www.microsoft.com/download/details.aspx?id=42501)
+
+- [Enterprise Mode Site List Manager (schema v.2)](https://www.microsoft.com/download/details.aspx?id=49974)
+
+- [Use the Enterprise Mode Site List Manager](../enterprise-mode/use-the-enterprise-mode-site-list-manager.md)
+
+- [Collect data using Enterprise Site Discovery](../enterprise-mode/collect-data-using-enterprise-site-discovery.md)
+
+- [Web Application Compatibility Lab Kit](https://technet.microsoft.com/microsoft-edge/mt612809.aspx)
+
+- [Microsoft Services Support](https://www.microsoft.com/en-us/microsoftservices/support.aspx)
+
+- [Find a Microsoft partner on Pinpoint](https://partnercenter.microsoft.com/pcv/search)
+
+
+
+
+
+- [Web Application Compatibility Lab Kit for Internet Explorer 11](https://technet.microsoft.com/browser/mt612809.aspx)
+- [Download Internet Explorer 11](https://go.microsoft.com/fwlink/p/?linkid=290956)
+- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](https://go.microsoft.com/fwlink/p/?LinkId=760646)
+- [Fix web compatibility issues using document modes and the Enterprise Mode site list](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list)
diff --git a/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md b/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md
new file mode 100644
index 0000000000..2e8b76896b
--- /dev/null
+++ b/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md
@@ -0,0 +1,12 @@
+If you need to replace your entire site list because of errors, or simply because it’s out of date, you can import your exported Enterprise Mode site list using the Enterprise Mode Site List Manager.
+
+>[!IMPORTANT]
+>Importing your file overwrites everything that’s currently in the tool, so make sure it’s what want to do.
+
+1. In the Enterprise Mode Site List Manager, click **File \> Import**.
+
+2. Go to the exported .EMIE file.
For example, `C:\users\\documents\sites.emie`
+
+1. Click **Open**.
+
+2. Review the alert message about all of your entries being overwritten and click **Yes**.
diff --git a/browsers/includes/interoperability-goals-enterprise-guidance.md b/browsers/includes/interoperability-goals-enterprise-guidance.md
new file mode 100644
index 0000000000..5937eb6bef
--- /dev/null
+++ b/browsers/includes/interoperability-goals-enterprise-guidance.md
@@ -0,0 +1,28 @@
+## Interoperability goals and enterprise guidance
+
+Our primary goal is that your websites work in Microsoft Edge. To that end, we've made Microsoft Edge the default browser.
+
+You must continue using IE11 if web apps use any of the following:
+
+* ActiveX controls
+
+* x-ua-compatible headers
+
+* <meta> tags
+
+* Enterprise mode or compatibility view to address compatibility issues
+
+* legacy document modes [what is this?]
+
+If you have uninstalled IE11, you can download it from the Microsoft Store or from the [Internet Explorer 11 download page](https://go.microsoft.com/fwlink/p/?linkid=290956). Alternatively, you can use Enterprise Mode with Microsoft Edge to transition only the sites that need these technologies to load in IE11.
+
+>[!TIP]
+>If you want to use Group Policy to set Internet Explorer as your default browser, you can find the info here, [Set the default browser using Group Policy]( https://go.microsoft.com/fwlink/p/?LinkId=620714).
+
+
+|Technology |Why it existed |Why we don't need it anymore |
+|---------|---------|---------|
+|ActiveX |ActiveX is a binary extension model introduced in 1996 which allowed developers to embed native Windows technologies (COM/OLE) in web pages. These controls can be downloaded and installed from a site and were subsequently loaded in-process and rendered in Internet Explorer. | |
+|Browser Helper Objects (BHO) |BHOs are a binary extension model introduced in 1997 which enabled developers to write COM objects that were loaded in-process with the browser and could perform actions on available windows and modules. A common use was to build toolbars that installed into Internet Explorer. | |
+|Document modes | Starting with IE8, Internet Explorer introduced a new “document mode” with every release. These document modes could be requested via the x-ua-compatible header to put the browser into a mode which emulates legacy versions. |Similar to other modern browsers, Microsoft Edge will have a single “living” document mode. In order to minimize the compatibility burden, features will be tested behind switches in about:flags until they are stable and ready to be turned on by default. |
+
diff --git a/devices/surface-hub/surface-hub-recovery-tool.md b/devices/surface-hub/surface-hub-recovery-tool.md
index 81c91723b7..ef1cd24725 100644
--- a/devices/surface-hub/surface-hub-recovery-tool.md
+++ b/devices/surface-hub/surface-hub-recovery-tool.md
@@ -18,6 +18,9 @@ The [Microsoft Surface Hub Recovery Tool](https://www.microsoft.com/download/det
To re-image the Surface Hub SSD using the Recovery Tool, you'll need to remove the SSD from the Surface Hub, connect the drive to the USB-to-SATA cable, and then connect the cable to the desktop PC on which the Recovery Tool is installed. For more information on how to remove the existing drive from your Surface Hub, please refer to the [Surface Hub SSD Replacement Guide (PDF)](http://download.microsoft.com/download/1/F/2/1F202254-7156-459F-ABD2-39CF903A25DE/surface-hub-ssd-replacement-guide_en-us.pdf).
+>[!IMPORTANT]
+>Do not let the device go to sleep or interrupt the download of the image file.
+
If the tool is unsuccessful in reimaging your drive, please contact [Surface Hub Support](https://support.microsoft.com/help/4037644/surface-contact-surface-warranty-and-software-support).
## Prerequisites
diff --git a/education/windows/TOC.md b/education/windows/TOC.md
index ca73e87080..5cfd544fe5 100644
--- a/education/windows/TOC.md
+++ b/education/windows/TOC.md
@@ -4,6 +4,9 @@
## [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)
## [Set up Windows devices for education](set-up-windows-10.md)
### [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md)
+#### [Azure AD Join for school PCs](set-up-school-pcs-azure-ad-join.md)
+#### [Shared PC mode for school devices](set-up-school-pcs-shared-pc-mode.md)
+#### [Provisioning package settings](set-up-school-pcs-provisioning-package.md)
### [Use the Set up School PCs app ](use-set-up-school-pcs-app.md)
### [Set up student PCs to join domain](set-up-students-pcs-to-join-domain.md)
### [Provision student PCs with apps](set-up-students-pcs-with-apps.md)
diff --git a/education/windows/images/suspc-add-recommended-apps-1807.png b/education/windows/images/suspc-add-recommended-apps-1807.png
new file mode 100644
index 0000000000..e579c8f99d
Binary files /dev/null and b/education/windows/images/suspc-add-recommended-apps-1807.png differ
diff --git a/education/windows/images/suspc-admin-token-delete-1807.png b/education/windows/images/suspc-admin-token-delete-1807.png
new file mode 100644
index 0000000000..0656dbb899
Binary files /dev/null and b/education/windows/images/suspc-admin-token-delete-1807.png differ
diff --git a/education/windows/images/suspc-assessment-url-1807.png b/education/windows/images/suspc-assessment-url-1807.png
new file mode 100644
index 0000000000..c799e26271
Binary files /dev/null and b/education/windows/images/suspc-assessment-url-1807.png differ
diff --git a/education/windows/images/suspc-configure-student-settings-1807.png b/education/windows/images/suspc-configure-student-settings-1807.png
new file mode 100644
index 0000000000..92d6ae184a
Binary files /dev/null and b/education/windows/images/suspc-configure-student-settings-1807.png differ
diff --git a/education/windows/images/suspc-device-names-1807.png b/education/windows/images/suspc-device-names-1807.png
new file mode 100644
index 0000000000..886ff13413
Binary files /dev/null and b/education/windows/images/suspc-device-names-1807.png differ
diff --git a/education/windows/images/suspc-enable-shared-pc-1807.png b/education/windows/images/suspc-enable-shared-pc-1807.png
new file mode 100644
index 0000000000..52fb68f830
Binary files /dev/null and b/education/windows/images/suspc-enable-shared-pc-1807.png differ
diff --git a/education/windows/images/suspc-select-wifi-1807.png b/education/windows/images/suspc-select-wifi-1807.png
new file mode 100644
index 0000000000..c8b94d6aad
Binary files /dev/null and b/education/windows/images/suspc-select-wifi-1807.png differ
diff --git a/education/windows/images/suspc-select-wifi-network-1807.png b/education/windows/images/suspc-select-wifi-network-1807.png
new file mode 100644
index 0000000000..6c7240db39
Binary files /dev/null and b/education/windows/images/suspc-select-wifi-network-1807.png differ
diff --git a/education/windows/images/suspc-sign-in-select-1807.png b/education/windows/images/suspc-sign-in-select-1807.png
new file mode 100644
index 0000000000..abffbec690
Binary files /dev/null and b/education/windows/images/suspc-sign-in-select-1807.png differ
diff --git a/education/windows/images/suspc-take-a-test-app-1807.png b/education/windows/images/suspc-take-a-test-app-1807.png
new file mode 100644
index 0000000000..9d6c503f3c
Binary files /dev/null and b/education/windows/images/suspc-take-a-test-app-1807.png differ
diff --git a/education/windows/set-up-school-pcs-azure-ad-join.md b/education/windows/set-up-school-pcs-azure-ad-join.md
new file mode 100644
index 0000000000..16b59b9799
--- /dev/null
+++ b/education/windows/set-up-school-pcs-azure-ad-join.md
@@ -0,0 +1,95 @@
+---
+title: Azure AD Join with Setup School PCs app
+description: Describes how Azure AD Join is configured in the Set up School PCs app.
+keywords: shared cart, shared PC, school, set up school pcs
+ms.prod: w10
+ms.technology: Windows
+ms.mktglfcycl: plan
+ms.sitesec: library
+ms.pagetype: edu
+ms.localizationpriority: medium
+author: lenewsad
+ms.author: lanewsad
+ms.date: 07/13/2018
+---
+
+# Azure AD Join for school PCs
+
+> [!NOTE]
+> Set up School PCs app uses Azure AD Join to configure PCs. The app is helpful if you use the cloud based directory, Azure Active Directory (AD). If your organization uses Active Directory or requires no account to connect, install and use [Windows Configuration
+> Designer](set-up-students-pcs-to-join-domain.md) to
+> join your PCs to your school's domain.
+
+Set up School PCs lets you create a provisioning package that automates Azure AD
+Join on your devices. This feature eliminates the need to manually:
+
+- Connect to your school’s network.
+
+- Join your organization's domain.
+
+## Automated connection to school domain
+
+During initial device setup, Azure AD Join automatically connects your PCs to your school's Azure AD domain. You can skip all of the Windows setup experience that is typically a part of the out-of-the-box-experience (OOBE). Devices that are managed by a mobile device manager, such as Intune, are automatically enrolled with the provider upon initial device startup.
+
+Students who sign in to their PCs with their Azure AD credentials get access to on-premises apps and the following cloud apps:
+* Office 365
+* OneDrive
+* OneNote.
+
+## Enable Azure AD Join
+
+Learn how to enable Azure AD Join for your school. After you configure this setting, you'll be able to request an automated Azure AD bulk token, which you need to create a provisioning package.
+
+1. Sign in to the Azure portal with your organization's credentials.
+2. Go to **Azure
+Active Directory** \> **Devices** \> **Device settings**.
+3. Enable the setting
+for Azure AD by selecting **All** or **Selected**. If you choose the latter
+option, select the teachers and IT staff to allow them to connect to Azure AD.
+
+
+
+You can also create an account that holds the exclusive rights to join devices. When a student PC needs to be set up, provide the account credentials to the appropriate teachers or staff.
+
+## All Device Settings
+
+The following table describes each setting within **Device Settings**.
+
+| Setting | Description |
+|------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Users may join devices to Azure AD | Choose the scope of people in your organization that are allowed to join devices to Azure AD. **All** allows all users and groups within your tenant to join devices. **Selected** prompts you to choose specific users or groups to allow. **None** allows no one in your tenant to join devices to Azure AD. |
+| Additional local administrators on Azure AD joined devices | Only applicable to Azure AD Premium tenants. Grant additional local administrator rights on devices, to selected users. Global administrators and the device owner are granted local administrator rights by default. |
+| Users may register their devices with Azure AD | Allow all or none of your users to register their devices with Azure AD (Workplace Join). If you are enrolled in Microsoft Intune or Mobile Device Management for Office 365, your devices are required to be registered. In this case, **All** is automatically selected for you. |
+| Require Multi-Factor Authentication to join devices | Recommended when adding devices to Azure AD. When set to **Yes**, users that are setting up devices must enter a second method of authentication. |
+| Maximum number of devices per user | Set the maximum number of devices a user is allowed to have in Azure AD. If the maximum is exceeded, the user must remove one or more existing devices before additional ones are added. |
+| Users may sync settings and enterprise app data | Allow all or none of your users to sync settings and app data across multiple devices. Tenants with Azure AD Premium are permitted to select specific users to allow. |
+
+## Clear Azure AD tokens
+
+Your Intune tenant can only have 500 active Azure AD tokens, or packages, at a time. You'll receive a notification in the Intune portal when you reach 500 active tokens.
+
+To reduce your inventory, clear out all unnecessary and inactive tokens.
+1. Go to **Azure Active Directory** \> **Users** \> **All users**
+2. In the **User Name** column, select and delete all accounts with a **package\ _**
+prefix. These accounts are created at a 1:1 ratio for every token and are safe
+to delete.
+3. Select and delete inactive and expired user accounts.
+
+### How do I know if my package expired?
+Automated Azure AD tokens expire after 30 days. The expiration date for each token is appended to the end of the saved provisioning package, on the USB drive. After this date, you must create a new package. Be careful that you don't delete active accounts.
+
+
+
+## Next steps
+Learn more about setting up devices with the Set up School PCs app.
+* [What's in my provisioning package?](set-up-school-pcs-provisioning-package.md)
+* [Shared PC mode for schools](set-up-school-pcs-shared-pc-mode.md)
+* [Set up School PCs technical reference](set-up-school-pcs-technical.md)
+* [Set up Windows 10 devices for education](set-up-windows-10.md)
+
+When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md).
+
+
+
+
+
diff --git a/education/windows/set-up-school-pcs-provisioning-package.md b/education/windows/set-up-school-pcs-provisioning-package.md
new file mode 100644
index 0000000000..16b671865d
--- /dev/null
+++ b/education/windows/set-up-school-pcs-provisioning-package.md
@@ -0,0 +1,122 @@
+---
+title: What's in Set up School PCs provisioning package
+description: Lists the provisioning package settings that are configured in the Set up School PCs app.
+keywords: shared cart, shared PC, school, set up school pcs
+ms.prod: w10
+ms.technology: Windows
+ms.mktglfcycl: plan
+ms.sitesec: library
+ms.pagetype: edu
+ms.localizationpriority: medium
+author: lenewsad
+ms.author: lanewsad
+ms.date: 07/13/2018
+---
+
+# What's in my provisioning package?
+The Set up School PCs app builds a specialized provisioning package with school-optimized settings.
+
+A key feature of the provisioning package is Shared PC mode. To view the technical framework of Shared PC mode, including the description of each setting, see the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723294%28v=vs.85%29.aspx) article.
+
+## Shared PC Mode policies
+This table outlines the policies applied to devices in shared PC mode. If you [selected to optimize a device for use by a single student](set-up-school-pcs-shared-pc-mode.md#optimize-device-for-use-by-a-single-student), the table notes the differences. Specifically, you'll see differences in the following policies:
+* Disk level deletion
+* Inactive threshold
+* Restrict local storage
+
+In the table, *True* means that the setting is enabled, allowed, or applied. Use the **Description** column to help you understand the context for each setting.
+
+For a more detailed look at the policies, see the Windows article [Set up shared or guest PC](https://docs.microsoft.com/en-us/windows/configuration/set-up-shared-or-guest-pc#policies-set-by-shared-pc-mode).
+
+|Policy name|Default value|Description|
+|---------|---------|---------|
+|Enable Shared PC mode|True| Configures the PCs so they are in shared PC mode.|
+|Set education policies | True | School-optimized settings are applied to the PCs so that they are appropriate for an educational environment. To see all recommended and enabled policies, see [Windows 10 configuration recommendation for education customers](https://docs.microsoft.com/en-us/education/windows/configure-windows-for-education). |
+|Account Model| Only guest, Domain-joined only, or Domain-joined and guest |Controls how users can sign in on the PC. Configurable from the Set up School PCs app. Choosing domain-joined will enable any user in the domain to sign in. Specifying the guest option will add the Guest option to the sign-in screen and enable anonymous guest access to the PC. |
+|Deletion policy | Delete at disk space threshold and inactive threshold | Delete at disk space threshold will start deleting accounts when available disk space falls below the threshold you set for disk level deletion. It will stop deleting accounts when the available disk space reaches the threshold you set for disk level caching. Accounts are deleted in order of oldest accessed to most recently accessed. Also deletes accounts if they have not signed in within the number of days specified by inactive threshold policy. |
+|Disk level caching | 50% | Sets 50% of total disk space to be used as the disk space threshold for account caching. |
+|Disk level deletion | For shared device setup, 25%; for single device-student setup, 0%. | When your devices are optimized for shared use across multiple PCs, this policy sets 25% of total disk space to be used as the disk space threshold for account caching. When your devices are optimized for use by a single student, this policy sets the value to 0% and does not delete accounts. |
+|Enable account manager | True | Enables automatic account management. |
+|Inactive threshold| For shared device setup, 30 days; for single device-student setup, 180 days.| After 30 or 180 days, respectively, if an account has not signed in, it will be deleted.
+|Kiosk Mode AMUID | Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App | Configures the kiosk account on student devices to only run the Take a Test secure assessment browser. |
+|Kiosk Mode User Tile Display Text | Take a Test | Displays "Take a Test" as the name of the kiosk account on student devices. |
+|Restrict local storage | For shared device setup, True; for single device-student setup, False. | When devices are optimized for shared use across multiple PCs, this policy forces students to save to the cloud to prevent data loss. When your devices are optimized for use by a single student, this policy does not prevent students from saving on the PCs local hard drive. |
+|Maintenance start time | 0 - midnight | The maintenance start time when automatic maintenance tasks, such as Windows Update, run on student devices. |
+|Max page file size in MB| 1024| Sets the maximum size of the paging file to 1024 MB. Applies only to systems with less than 32-GB storage and at least 3 GB of RAM.|
+|Set power policies | True | Prevents users from changing power settings and turns off hibernate. Also overrides all power state transitions to sleep, such as lid close. |
+|Sign in on resume | True | Requires the device user to sign in with a password when the PC wakes from sleep. |
+|Sleep timeout | 3600 seconds | Specifies the maximum idle time before the PC should sleep. If you don't set sleep timeout, the default time, 3600 seconds (1 hour), is applied. |
+
+## MDM and local group policies
+This section lists only the MDM and local group policies that are configured uniquely for the Set up School PCs app.
+
+For a more detailed look of each policy listed, see [Policy CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider) in the Windows IT Pro Center documentation.
+
+
+|Policy name |Default value |Description |
+|---------|---------|---------|
+|Authority|User-defined | Authenticates the admin user. Value is set automatically when signed in to Azure AD.
+|BPRT|User-defined| Value is set automatically when signed in to Azure AD. Allows you to create the provisioning package. |
+|WLAN Setting| XML is generated from the Wi-Fi profile in the Set up School PCs app.| Configures settings for wireless connectivity.|
+|Hide OOBE for desktop| True | Hides the interactive OOBE flow for Windows 10.|
+|Download Mode|1 - HTTP blended with peering behind the same NAT|Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps, and App updates|
+|Select when Preview Builds and Feature Updates are received | 32 - Semi-annual Channel. Device gets feature updates from Semi-annual Channel| Specifies how frequently devices receive preview builds and feature updates.|
+|Allow auto update | 4 - Auto-installs and restarts without device-user control | When an auto update is available, it auto-installs and restarts the device without any input or action from the device user.|
+|Configure automatic updates | 3 - Set to install at 3am | Scheduled time to install updates.|
+|Update power policy for cart restarts | 1 - Configured| Skips all restart checks to ensure that the reboot will happen at the scheduled install time. |
+|Select when Preview Builds and Feature Updates are received | 365 days | Defers Feature Updates for the specified number of days. When not specified, defaults to 365 days.|
+|Allow all trusted apps | Disabled | Prevents untrusted apps from being installed to device |
+|Allow developer unlock | Disabled | Students cannot unlock the PC and use it in developer mode |
+|Allow Cortana | Disabled | Cortana is not allowed on the device.
+|Allow manual MDM unenrollment | Disabled | Students cannot remove the mobile device manager from their device. |
+|Settings page visibility|Enabled |Specific pages in the System Settings app are not visible or accessible to students.|
+|Allow add provisioning package | Disabled | Students cannot add and upload new provisioning packages to their device. |
+|Allow remove provisioning package | Disabled | Students cannot remove packages that you've uploaded to their device, including the Set up School PCs app |
+|Start Layout|Enabled |Lets you specify the Start layout for users and prevents them from changing the configuration.|
+|Import Edge Assets| Enabled| Import Microsoft Edge assets, such as PNG and JPG files, for secondary tiles on the Start layout. Tiles will appear as weblinks and will be tied to the relevant image asset files.|
+|Allow pinned folder downloads|1 - The shortcut is visible and disables the setting in the Settings app |Makes the Downloads shortcut on the Start menu visible to students.|
+|Allow pinned folder File Explorer|1 - The shortcut is visible and disables the setting in the Settings app |Makes the File Explorer shortcut on the Start menu visible to students.|
+|Personalization | Deploy lock screen image | Set to the image you picked when you customized the lock screen during device setup. If you didn't customize the image, the computer will show the default. | Deploys a jpg, jpeg, or png image to be used as lock screen image on the device.
+|Personalization| Lock screen image URL| Image filename| You can specify a jpg, jpeg, or png image to be used as the device lock screen image. This setting can take an http or https URL to a remote image to be downloaded, or a file URLto an existing local image.
+|Update|Active hours end | 5 PM | There will be no update reboots before this time. |
+|Update|Active hours start | 7 AM | There will be no update reboots after this time. |
+|Updates Windows | Nightly | Sets Windows to update on a nightly basis. |
+
+## Apps uninstalled from Windows 10 devices
+Set up School PCs app uses the Universal app uninstall policy. This policy identifies default apps that are not relevant to the classroom experience, and uninstalls them from each device. The following table lists all apps uninstalled from Windows 10 devices.
+
+
+|App name |Application User Model ID |
+|---------|---------|
+|3D Builder | Microsoft.3DBuilder_8wekyb3d8bbwe |
+|Bing Weather | Microsoft.BingWeather_8wekyb3d8bbwe |
+|Desktop App Installer|Microsoft.DesktopAppInstaller_8wekyb3d8bbwe|
+|Get Started | Microsoft.Getstarted_8wekyb3d8bbw |
+|Messaging|Microsoft.Messaging_8wekyb3d8bbwe
+|Microsoft Office Hub| Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe |
+|Microsoft Solitaire Collection | Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe |
+|One Connect|Microsoft.OneConnect_8wekyb3d8bbwe|
+|Paid Wi-Fi & Cellular | Microsoft.OneConnect_8wekyb3d8bbwe |
+|Feedback Hub | Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe |
+|Xbox | Microsoft.XboxApp_8wekyb3d8bbwe |
+|Mail/Calendar | microsoft.windowscommunicationsapps_8wekyb3d8bbwe|
+
+## Apps installed on Windows 10 devices
+Set up School PCs uses the Universal app install policy to install school-relevant apps on all Windows 10 devices. Apps that are installed include:
+* OneDrive
+* OneNote
+* Sway
+
+## Next steps
+Learn more about setting up devices with the Set up School PCs app.
+* [Azure AD Join with Set up School PCs](set-up-school-pcs-azure-ad-join.md)
+* [Shared PC mode for schools](set-up-school-pcs-shared-pc-mode.md)
+* [Set up School PCs technical reference](set-up-school-pcs-technical.md)
+* [Set up Windows 10 devices for education](set-up-windows-10.md)
+
+When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md).
+
+
+
+
+
diff --git a/education/windows/set-up-school-pcs-shared-pc-mode.md b/education/windows/set-up-school-pcs-shared-pc-mode.md
new file mode 100644
index 0000000000..acebeccc44
--- /dev/null
+++ b/education/windows/set-up-school-pcs-shared-pc-mode.md
@@ -0,0 +1,80 @@
+---
+title: Shared PC mode for school devices
+description: Describes how shared PC mode is set for devices set up with the Set up School PCs app.
+keywords: shared cart, shared PC, school, set up school pcs
+ms.prod: w10
+ms.technology: Windows
+ms.mktglfcycl: plan
+ms.sitesec: library
+ms.pagetype: edu
+ms.localizationpriority: medium
+author: lenewsad
+ms.author: lanewsad
+ms.date: 07/13/2018
+---
+
+# Shared PC mode for school devices
+
+Shared PC mode optimizes Windows 10 for shared use scenarios, such as classrooms and school libraries. A Windows 10 PC in shared PC mode requires minimal to zero maintenance and management. Update settings are optimized for classroom settings, so that they automatically occur outside of school hours.
+
+Shared PC mode can be applied on devices running:
+* Windows 10 Pro
+* Windows 10 Pro Education
+* Windows 10 Education
+* Windows 10 Enterprise
+
+To learn more about how to set up a device in shared PC mode, see [Set up a shared or guest PC with Windows 10](https://docs.microsoft.com/en-us/windows/configuration/set-up-shared-or-guest-pc).
+
+## Windows Updates
+Shared PC mode configures power and Windows Update settings so that computers update regularly. Computers that are set up through the Set up School PCs app are configured to:
+* Wake nightly.
+* Check for and install updates.
+* Forcibly reboot, when necessary, to complete updates.
+
+These configurations reduce the need to update and reboot computers during daytime work hours. Notifications about needed updates are also blocked from disrupting students.
+
+## Default admin accounts in Azure Active Directory
+By default, the account that joins your computer to Azure AD will be given admin permissions on the computer. Global administrators in the joined Azure AD domain will also have admin permissions when signed in to the joined computer.
+
+An Azure AD Premium subscription lets you specify the accounts that get admin accounts on a computer. These accounts are configured in Intune in the Azure portal.
+
+## Account deletion policies
+This section describes the deletion behavior for the accounts configured in shared PC mode. A delete policy makes sure that outdated or stale accounts are regularly removed to make room for new accounts.
+
+### Azure AD accounts
+
+The default deletion policy is set to automatically cache accounts. Cached accounts are automatically deleted when disk space gets too low, or when there's an extended period of inactivity. Accounts continue to delete until the computer reclaims sufficient disk space. Deletion policies behave the same for Azure AD and Active Directory domain accounts.
+
+### Guest and Kiosk accounts
+Guest accounts and accounts created through Kiosk are deleted after they sign out of their account.
+
+### Local accounts
+Local accounts that you created before enabling shared PC mode aren't deleted. Local accounts that you create through the following path, after enabling PC mode, are not deleted: **Settings** app > **Accounts** > **Other people** > **Add someone**
+
+## Create custom Windows images
+Shared PC mode is compatible with custom Windows images.
+
+To create a compatible image, first create your custom Windows image with all software, updates, and drivers. Then use the System Preparation (Sysprep) tool with the `/oobe` flag to create the SharedPC-compatible version. For example, `sysrep/oobe`.
+
+Teachers can then run the Set up School PCs package on the computer.
+
+## Optimize device for use by a single student
+Shared PC mode is enabled by default. This mode optimizes device settings for schools where PCs are shared by students. The Set up School PCs app also offers the option to configure settings for devices that aren't shared.
+
+If you select this setting, the app modifies shared PC mode so that it's appropriate for a single device. To see how the settings differ, refer to the Shared PC mode policy table in the article [What's in my provisioning package?](set-up-school-pcs-provisioning-package.md)
+1. In the app, go to the **Create package** > **Settings** step.
+2. Select **Optimize device for a single student, instead of a shared cart or lab**.
+
+## Next steps
+Learn more about setting up devices with the Set up School PCs app.
+* [Azure AD Join with Set up School PCs](set-up-school-pcs-azure-ad-join.md)
+* [Set up School PCs technical reference](set-up-school-pcs-technical.md)
+* [What's in my provisioning package](set-up-school-pcs-provisioning-package.md)
+* [Set up Windows 10 devices for education](set-up-windows-10.md)
+
+When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md).
+
+
+
+
+
diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md
index e53e78ec35..b23242412b 100644
--- a/education/windows/set-up-school-pcs-technical.md
+++ b/education/windows/set-up-school-pcs-technical.md
@@ -1,6 +1,6 @@
---
-title: Set up School PCs app technical reference
-description: Describes the changes that the Set up School PCs app makes to a PC.
+title: Set up School PCs app technical reference overview
+description: Describes the purpose of the Set up School PCs app for Windows 10 devices.
keywords: shared cart, shared PC, school, set up school pcs
ms.prod: w10
ms.technology: Windows
@@ -8,302 +8,74 @@ ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: edu
ms.localizationpriority: medium
-author: CelesteDG
-ms.author: celested
-ms.date: 04/04/2018
+author: lenewsad
+ms.author: lanewsad
+ms.date: 07/11/2018
---
-# Technical reference for the Set up School PCs app
+What is Set up School PCs?
+=================================================
+
**Applies to:**
-- Windows 10
+- Windows 10
+
+The **Set up School PCs** app helps you configure new Windows 10 PCs for school use. The
+app, which is available for Windows 10 version 1703 and later, configures and saves
+school-optimized settings, apps, and policies into a single provisioning package. You can then save the package to a USB drive and distribute it to your school PCs.
+
+If your school uses Azure Active Directory (Azure AD) or Office 365, the Set up
+School PCs app will create a setup file. This file joins the PC to your Azure Active Directory tenant. The app also helps set up PCs for use with or without Internet connectivity.
+
+
+## Join PC to Azure Active Directory
+If your school uses Azure Active Directory (Azure AD) or Office 365, the Set up
+School PCs app creates a setup file that joins your PC to your Azure Active
+Directory tenant.
+
+The app also helps set up PCs for use with or without Internet connectivity.
+
+## List of Set up School PCs features
+The following table describes the Set up School PCs app features and lists each type of Intune subscription. An X indicates that the feature is available with the specific subscription.
+
+| Feature | No Internet | Azure AD | Office 365 | Azure AD Premium |
+|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|----------|------------|------------------|
+| **Fast sign-in** | X | X | X | X |
+| Students sign in and start using the computer in under a minute, even on initial sign-in. | | | | |
+| **Custom Start experience** | X | X | X | X |
+| Necessary classroom apps are pinned to Start and unnecessary apps are removed. | | | | |
+| **Guest account, no sign-in required** | X | X | X | X |
+| Set up computers for use by anyone with or without an account. | | | | |
+| **School policies** | X | X | X | X |
+| Settings create a relevant, useful learning environment and optimal computer performance. | | | | |
+| **Azure AD Join** | | X | X | X |
+| Computers join with your existing Azure AD or Office 365 subscription for centralized management. | | | | |
+| **Single sign-on to Office 365** | | | X | X |
+| Students sign in with their IDs to access all Office 365 web apps or installed Office apps. | | | | |
+| **Take a Test app** | | | | X |
+| Administer quizzes and assessments through test providers such as Smarter Balanced. | | | | |
+| [Settings roaming](https://azure.microsoft.com/en-us/documentation/articles/active-directory-windows-enterprise-state-roaming-overview/) **via Azure AD** | | | | X |
+| Synchronize student and application data across devices for a personalized experience. | | | | |
+
+> [!NOTE]
+> If your school uses Active Directory, use [Windows Configuration
+> Designer](set-up-students-pcs-to-join-domain.md)
+> to configure your PCs to join the domain. You can only use the Set up School
+> PCs app to set up PCs that are connected to Azure AD.
-The **Set up School PCs** app helps you set up new Windows 10 PCs that work great in your school by configuring shared PC mode. The latest Set up School PCs app is available for Windows 10, version 1703 (Creators Update). Set up School PCs also configures school-specific settings and policies, described in this topic.
+## Next steps
+Learn more about setting up devices with the Set up School PCs app.
+* [Azure AD Join with Set up School PCs](set-up-school-pcs-azure-ad-join.md)
+* [Shared PC mode for schools](set-up-school-pcs-shared-pc-mode.md)
+* [What's in my provisioning package](set-up-school-pcs-provisioning-package.md)
+* [Set up Windows 10 devices for education](set-up-windows-10.md)
+
+When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md).
+
+
-If your school uses Azure Active Directory (Azure AD) or Office 365, the Set up School PCs app will create a setup file that joins the PC to your Azure Active Directory tenant. You can also use the app to set up school PCs that anyone can use, with or without Internet connectivity.
-
-Here's a list of what you get when using the Set up School PCs app in your school.
-
-| Feature | No Internet | Azure AD | Office 365 | Azure AD Premium |
-| --- | :---: | :---: | :---: | :---: |
-| **Fast sign-in**
Each student can sign in and start using the computer in less than a minute, even on their first sign-in. | X | X | X | X |
-| **Custom Start experience**
The apps students need are pinned to Start, and unnecessary apps are removed. | X | X | X | X |
-| **Guest account, no sign-in required**
This option sets up computers for common use. Anyone can use the computer without an account. | X | X | X | X |
-| **School policies**
Settings specific to education create a useful learning environment and the best computer performance. | X | X | X | X |
-| **Azure AD Join**
The computers are joined to your Azure AD or Office 365 subscription for centralized management. | | X | X | X |
-| **Single sign-on to Office 365**
By signing on with student IDs, students have fast access to Office 365 web apps or installed Office apps. | | | X | X |
-| **Take a Test**
Configure the Take a Test app and use it for taking quizzes and high-stakes assessments by some providers like Smarter Balanced. | | | | X |
-| **[Settings roaming](https://azure.microsoft.com/en-us/documentation/articles/active-directory-windows-enterprise-state-roaming-overview/) via Azure AD**
Student user and application settings data can be synchronized across devices for a personalized experience. | | | | X |
-
-
-> [!NOTE]
-> If your school uses Active Directory, use [Windows Configuration Designer](set-up-students-pcs-to-join-domain.md) to configure your PCs to join the domain. You can only use the Set up School PCs app to set up PCs that are connected to Azure AD.
-
-## Automated Azure AD join
-One of the most important features in Set up School PCs is the ability to create a provisioning package that performs automated Azure AD join. With this feature, you no longer have to spend minutes going through Windows setup, manually connecting to a network, and manually joining your Azure AD domain. With the automated Azure AD join feature in Set up School PCs, this process is reduced to zero clicks! You can skip all of the Windows setup experience and the OS automatically joins the PC to your Azure AD domain and enrolls it into MDM if you have a MDM provider activated.
-
-To make this as seamless as possible, in your Azure AD tenant:
-- Allow your teacher and other IT staff to join devices to Azure AD so they can sucessfully request an automated Azure AD join token.
-
- In the Azure portal, select **Azure Active Directory**. Go to **Users and groups > Device Settings** and in **Users may join devices to Azure AD**, click **Selected** and choose the members you want to enable to join devices to Azure AD.
-
- **Figure 1** - Select the users you want to enable to join devices to Azure AD
-
- 
-
-- Consider creating a special account that uses a username and password that you provide, and which has the rights to join devices if you don't want to add all teachers and IT staff.
- - When teachers or IT staff need to set up PCs, they can use this account in the Set up School PCs app.
- - If you use a service to set up PCs for you, you can give them this special account so they can deliver PCs to you that are already Azure AD joined and ready to be given to a student.
-
-- Turn off multifactor authentication.
-
- In the Azure portal, select **Azure Active Directory**. Go to **Users and groups > Device Settings** and set **Require Multi-Factor Auth to join devices** to **No**.
-
- **Figure 2** - Turn off multi-factor authentication in Azure AD
-
- 
-
-- Set the maximum number of devices a user can add to unlimited.
-
- In the Azure portal, select **Azure Active Directory**. Go to **Users and groups > Device Settings** and set **Maximum number of devices per user** to **Unlimited**.
-
- **Figure 3** - Set maximum number of devices per user to unlimited
-
- 
-
-- Clear your Azure AD tokens from time to time. Your tenant can only have 500 automated Azure AD tokens active at any one time.
-
- In the Azure portal, select **Azure Active Directory**. Go to **Users and groups > All users** and look at the list of user names. User names that start with **package_** followed by a string of letters and numbers. These are the user accounts that are created automatically for the tokens and you can safely delete these.
-
- **Figure 4** - Delete the accounts automatically created for the Azure AD tokens
-
- 
-
-- Note that automated Azure AD tokens have expiration dates. Set up School PCs creates them with an expiration date of one month. You will see the specific expiration date for the package in the **Review package summary** page in Set up School PCs.
-
- **Figure 5** - Sample summary page showing the expiration date
-
- 
-
-
-
-
-
-## Information about Windows Update
-
-Shared PC mode helps ensure that computers are always up-to-date. If a PC is configured using the Set up School PCs app, shared PC mode sets the power states and Windows Update to:
-* Wake nightly
-* Check and install updates
-* Forcibly reboot if necessary to finish applying updates
-
-The PC is also configured to not interrupt the user during normal daytime hours with updates or reboots. Notfications are also blocked.
-
-## Guidance for accounts on shared PCs
-
-* We recommend no local admin accounts on the PC to improve the reliability and security of the PC.
-* When a PC is set up in shared PC mode with the default deletion policy, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account management happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Guest** or **Kiosk** will also be deleted automatically at sign out.
-* On a Windows PC joined to Azure Active Directory:
- * By default, the account that joined the PC to Azure AD will have an admin account on that PC. Global administrators for the Azure AD domain will also have admin accounts on the PC.
- * With Azure AD Premium, you can specify which accounts have admin accounts on a PC using the **Additional administrators on Azure AD Joined devices** setting on the Azure portal.
-* Local accounts that already exist on a PC won’t be deleted when turning on shared PC mode. New local accounts created through **Settings > Accounts > Other people > Add someone else to this PC** after shared PC mode is turned on won't be deleted. However, any new local accounts created by the **Guest** or **Kiosk** selection on the sign-in screen, if enabled, will automatically be deleted at sign-out.
-* If admin accounts are necessary on the PC
- * Ensure the PC is joined to a domain that enables accounts to be signed on as admin, or
- * Create admin accounts before setting up shared PC mode, or
- * Create exempt accounts before signing out.
-* The account management service supports accounts that are exempt from deletion.
- * An account can be marked exempt from deletion by adding the account SID to the `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\` registry key.
- * To add the account SID to the registry key using PowerShell:
-
- ```
- $adminName = "LocalAdmin"
- $adminPass = 'Pa$$word123'
- iex "net user /add $adminName $adminPass"
- $user = New-Object System.Security.Principal.NTAccount($adminName)
- $sid = $user.Translate([System.Security.Principal.SecurityIdentifier])
- $sid = $sid.Value;
- New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\$sid" -Force
- ```
-
-## Custom images
-Shared PC mode is fully compatible with custom images that may be created by IT departments. Create a custom image and then use sysprep with the `/oobe` flag to create an image that teachers can then apply the Set up School PCs provisioning package to. [Learn more about sysprep](https://technet.microsoft.com/en-us/library/cc721940(v=ws.10).aspx).
-
-## Provisioning package details
-
-The Set up School PCs app produces a specialized provisioning package that makes use of the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723294%28v=vs.85%29.aspx).
-
-### Education customizations set by local MDM policy
-
-- By default, saving content locally to the PC is blocked, but you can choose to enable it. This prevents data loss by forcing students to save to the cloud.
-- A custom Start layout, taskbar layout, and lock screen image are set.
-- Prohibits unlocking the PC to developer mode.
-- Prohibits untrusted Microsoft Store apps from being installed.
-- Prohibits students from removing MDM.
-- Prohibits students from adding new provisioning packages.
-- Prohibits student from removing existing provisioning packages (including the one set by Set up School PCs).
-- Sets Windows Update to update nightly.
-
-
-### Uninstalled apps
-
-- 3D Builder (Microsoft.3DBuilder_8wekyb3d8bbwe)
-- Weather (Microsoft.BingWeather_8wekyb3d8bbwe)
-- Tips (Microsoft.Getstarted_8wekyb3d8bbwe)
-- Get Office (Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe)
-- Microsoft Solitaire Collection (Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe)
-- Paid Wi-Fi & Cellular (Microsoft.OneConnect_8wekyb3d8bbwe)
-- Feedback Hub (Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe)
-- Xbox (Microsoft.XboxApp_8wekyb3d8bbwe)
-- Mail/Calendar (microsoft.windowscommunicationsapps_8wekyb3d8bbwe)
-
-### Local Group Policies
-
-> [!IMPORTANT]
-> We do not recommend setting additional policies on PCs configured with the Set up School PCs app. The shared PC mode is optimized to be fast and reliable over time with minimal to no manual maintenance required.
-
-
-Policy path |
|---|
-Policy name | Value |
-
|---|
-
-Admin Templates > Control Panel > Personalization |
-
-Prevent enabling lock screen slide show | Enabled |
-
-Prevent changing lock screen and logon image | Enabled |
-
-Admin Templates > System > Power Management > Button Settings |
-
-Select the Power button action (plugged in) | Sleep |
-
-Select the Power button action (on battery) | Sleep |
-
-Select the Sleep button action (plugged in) | Sleep |
-
-Select the lid switch action (plugged in) | Sleep |
-
-Select the lid switch action (on battery) | Sleep |
-
-Admin Templates > System > Power Management > Sleep Settings |
-
-Require a password when a computer wakes (plugged in) | Enabled |
-
-Require a password when a computer wakes (on battery) | Enabled |
-
-Specify the system sleep timeout (plugged in) | 5 minutes |
-
-Specify the system sleep timeout (on battery) | 5 minutes |
-
- | Turn off hybrid sleep (plugged in) | Enabled |
-
- | Turn off hybrid sleep (on battery) | Enabled |
-
- | Specify the unattended sleep timeout (plugged in) | 5 minutes |
-
- | Specify the unattended sleep timeout (on battery) | 5 minutes |
-
- | Allow standby states (S1-S3) when sleeping (plugged in) | Enabled |
-
- | Allow standby states (S1-S3) when sleeping (on battery) | Enabled |
-
- | Specify the system hibernate timeout (plugged in) | Enabled, 0 |
-
- | Specify the system hibernate timeout (on battery) | Enabled, 0 |
-
- | Admin Templates>System>Power Management>Video and Display Settings |
- | Turn off the display (plugged in) | 5 minutes |
-
- | Turn off the display (on battery) | 5 minutes |
-
- | Admin Templates>System>Power Management>Energy Saver Settings |
- | Energy Saver Battery Threshold (on battery) | 70 |
-
- | Admin Templates>System>Logon |
-
- | Show first sign-in animation | Disabled |
-
- | Hide entry points for Fast User Switching | Enabled |
-
- | Turn on convenience PIN sign-in | Disabled |
-
- | Turn off picture password sign-in | Enabled |
-
- | Turn off app notification on the lock screen | Enabled |
-
- | Allow users to select when a password is required when resuming from connected standby | Disabled |
-
- | Block user from showing account details on sign-in | Enabled |
-
- | Admin Templates>System>User Profiles |
-
- | Turn off the advertising ID | Enabled |
-
- | Admin Templates>Windows Components>Biometrics |
-
- | Allow the use of biometrics | Disabled |
-
- | Allow users to log on using biometrics | Disabled |
-
- | Allow domain users to log on using biometrics | Disabled |
-
-| Admin Templates>Windows Components>Cloud Content |
- | Do not show Windows Tips | Enabled |
-
- | Turn off Microsoft consumer experiences | Enabled |
-
- | Admin Templates>Windows Components>Data Collection and Preview Builds |
-
- | Toggle user control over Insider builds | Disabled |
-
- | Disable pre-release features or settings | Disabled |
-
- | Do not show feedback notifications | Enabled |
-
- | Allow Telemetry | Basic, 0 |
-
- | Admin Templates > Windows Components > File Explorer |
-
- | Show lock in the user tile menu | Disabled |
-
- | Admin Templates > Windows Components > Maintenance Scheduler |
-
- | Automatic Maintenance Activation Boundary | *MaintenanceStartTime* |
-
- | Automatic Maintenance Random Delay | Enabled, 2 hours |
-
- | Automatic Maintenance WakeUp Policy | Enabled |
-
- | Admin Templates > Windows Components > OneDrive |
-
- | Prevent the usage of OneDrive for file storage | Enabled |
-
- | Admin Templates > Windows Components > Windows Hello for Business |
-
- | Use phone sign-in | Disabled |
-
- | Use Windows Hello for Business | Disabled |
-
- | Use biometrics | Disabled |
-
- | Windows Settings > Security Settings > Local Policies > Security Options |
-
-Accounts: Block Microsoft accounts **Note** Microsoft accounts can still be used in apps. | Enabled |
- | Interactive logon: Do not display last user name | Enabled |
-
- | Interactive logon: Sign-in last interactive user automatically after a system-initiated restart | Disabled |
-
- | User Account Control: Behavior of the elevation prompt for standard users | Auto deny |
-
-
-
-
-## Use the app
-When you're ready to use the app, see [Use Set up School PCs app](use-set-up-school-pcs-app.md).
-
-## Related topics
-
-[Set up Windows devices for education](set-up-windows-10.md)
diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md
index 5c865392c2..bdf6a298c9 100644
--- a/education/windows/use-set-up-school-pcs-app.md
+++ b/education/windows/use-set-up-school-pcs-app.md
@@ -1,315 +1,238 @@
---
title: Use Set up School PCs app
-description: Learn how the Set up School PCs app works and how to use it.
+description: Learn how to use the Set up School PCs app and apply the provisioning package.
keywords: shared cart, shared PC, school, Set up School PCs, overview, how to use
ms.prod: w10
ms.technology: Windows
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: edu
-ms.localizationpriority: medium
-author: CelesteDG
-ms.author: celested
-ms.date: 12/11/2017
+ms.localizationpriority: high
+author: lenewsad
+ms.author: lanewsad
+ms.date: 07/11/2018
---
-# Use the Set up School PCs app
-**Applies to:**
+# Use the Set up School PCs app
-- Windows 10
+IT administrators and technical teachers can use the **Set up School PCs** app to quickly set up Windows 10 PCs for students. The app configures PCs with the apps and features students need, and it removes the ones they don't need. During setup, if licensed in your tenant, the app anrolls each student PC into a mobile device management (MDM) provider, such as Intune for Education. You can then manage all the settings Set up School PCs configures through the MDM.
-IT administrators and technical teachers can use the **Set up School PCs** app to quickly set up PCs for students. A student PC set up using the app is tailored to provide students with the tools they need for learning while removing apps and features that they don't need.
+Set up School PCs also:
+* Joins each student PC to your organization's Office 365 and Azure Active Directory tenant.
+* Enables the optional Autopilot Reset feature, to return devices to a fully configured or known IT-approved state.
+* Keeps student PCs up-to-date without interfering with class time using Windows Update and maintenance hours.
+* Locks down the student PC to prevent activity that isn't beneficial to their education.
-## What does this app do?
+This article describes how to get started and provide information about your school in the Set up School PCs app. To learn more about the app's functionality, start with the [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md).
-Set up School PCs makes it easy to set up Windows 10 PCs with Microsoft's recommended education settings, using a quick USB setup. This app guides you through the creation of a student PC provisioning package and helps you save it to a USB drive. From there, just plug the USB drive into student PCs running Windows 10 Creators Update (version 1703). It automatically:
-- Joins each student PC to your organization's Office 365 and Azure Active Directory tenant
-- Enrolls each student PC into a mobile device management (MDM) provider, like Intune for Education, if licensed in your tenant. You can manage all the settings Set up School PCs sets later through MDM.
-- Removes OEM preinstalled software from each student PC
-- Auto-configures and saves a wireless network profile on each student PC
-- Gives a friendly and unique name to each student device for future management
-- Sets Microsoft-recommended school PC settings, including shared PC mode which provides faster sign-in and automatic account cleanup
-- Enables optional guest account for younger students, lost passwords, or visitors
-- Enables optional secure testing account
-- Enables optional Autopilot Reset feature to return devices to a fully configured or known IT-approved state
-- Locks down the student PC to prevent mischievous activity:
- * Prevents students from removing the PC from the school's device management system
- * Prevents students from removing the Set up School PCs settings
-- Keeps student PCs up-to-date without interfering with class time using Windows Update and maintenance hours
-- Customizes the Start layout with Office
-- Installs OneDrive for storing cloud-based documents and Sway for creating interactive reports, presentations, and more
-- Uninstalls apps not specific to education, such as Solitaire
-- Prevents students from adding personal Microsoft accounts to the PC
+## Requirements
+Before you begin, make sure that you, your computer, and your school's network are configured with the following requirements.
-You can watch the video to see how to use the Set up School PCs app, or follow the step-by-step guide.
+* Office 365 and Azure Active Directory
+* [Latest Set up School PCs app](https://www.microsoft.com/store/apps/9nblggh4ls40)
+* Permission to buy apps in Microsoft Store for Education
+* Set up School PCs app has permission to access the Microsoft Store for Education
+* A NTFS-formatted USB drive that is at least 1 GB, if not installing Office; and at least 8 GB, if installing Office
+* Student PCs must either:
+ * Be within range of the Wi-Fi network that you configured in the app.
+ * Have a wired Ethernet connection when you set them up.
-> [!VIDEO https://www.youtube.com/embed/2ZLup_-PhkA]
+### Configure USB drive for additional space
+USB drives are, by default, FAT32-formatted, and are unable to save more than 4 GB of data. If you plan to install several apps, or large apps like Microsoft Office, you'll need more space. To create more space on the USB drive, reformat it to NTFS.
+1. Insert the USB drive into your computer.
+2. Go to the **Start** > **This PC**.
+3. In the **Devices and drives** section, find your USB drive. Right-click to see its options.
+4. Select **Format** from the list to bring up the **Format drive name** window.
+5. Set **File system** to **NTFS**.
+6. Click **Start** to format the drive.
-You can watch the descriptive audio version here: [Microsoft Education: Use the Set up School PCs app (DA)](https://www.youtube.com/watch?v=qqe_T2LkGsI)
+### Prepare existing PC account for new setup
+Apply new packages to factory reset or new PCs. If you apply it to a PC that's already set up, you may lose the accounts and data.
-## Tips for success
+If a PC has already been set up, and you want to apply a new package, reset the PC to a clean state.
-* **Run the same Windows 10 build on the admin device and the student PCs**
+To begin, go to the **Settings** app on the appropriate PC.
+1. Click **Update & Security** > **Recovery**.
+2. In the **Reset this PC** section, click **Get started**.
+3. Click **Remove everything**.
- It's critical that the IT administrator's or technical teacher's device is running the same Windows 10 build as the student PCs that you're provisioning.
+You can also go to **Start** > **Power** icon. Hold down the Shift key and click **Restart** to load the Windows boot user experience. From there, follow these steps:
+1. Click **Troubleshoot** and then choose **Reset this PC**.
+2. Select **Remove everything**.
+3. If the option appears, select **Only the drive where Windows is installed**.
+4. Click **Just remove my files**.
+5. Click **Reset**.
-* **Ensure that the student PCs meet the minimum OS requirements for the version of Set up School PCs**
+## Recommendations
+This section offers recommendations to prepare you for the best possible setup experience.
+### Run the same Windows 10 build on the admin device and the student PCs
+We recommend you run the IT administrator or technical teacher's device on the same Windows 10 build as the student PCs.
- Check the minimum OS requirements for the Set up School PCs app in the **System Requirements > OS** section of the app's description on the Microsoft Store. For example, the latest version of Set up School PCs requires Windows 10 versions with build 15063.0 or higher. Do not use the app to provision student PCs with Windows 10, version 1607 (build 14393) images.
-
- We recommend using the latest Set up School PCs app along with the latest Windows 10 images on the student PCs that you're provisioning.
+### Student PCs should meet OS requirements for the app
+Check the minimum OS requirements in the Set up School PCs app. We recommend using the latest Set up School PCs app along with the latest Windows 10 images on the student PCs.
-* **Run the app at work**
+To check the app's OS requirements, go to the Microsoft Store and locate the Set up School PCs app. In the app's description, go to **System Requirements > OS**.
- For the best results, run the Set up School PCs app on your work device connected to your school's network. That way the app can gather accurate information about your wireless networks and cloud subscriptions.
+### Use app on a PC that is connected to your school's network
+We recommend that you run the Set up School PCs app on a computer that's connected to your school's network. That way the app can gather accurate information about your school's wireless networks and cloud subscriptions. If it's not connected, you'll need to enter the information manually.
- > [!NOTE]
- > Don't use the **Set up Schools PCs** app for PCs that must connect to enterprise networks or to open Wi-Fi networks that require the user to accept Terms of Use.
+ > [!NOTE]
+ > Don't use the **Set up Schools PCs** app for PCs that must connect to:
+ >* Enterprise networks that require the user to accept Terms of Use.
+ >* Open Wi-Fi networks that require the user to accept Terms of Use.
-* **Network tips**
- * You cannot use Set up School PCs over a certification-based network, or one where you have to enter credentials in a browser. You can only connect to an open network, or one with a basic password.
- * If you need to set up a lot of devices over Wi-Fi, make sure that your network configuration can support it.
- - We recommend configuring your DHCP so at least 200 IP addresses are available for the devices you are setting up. Configure your IP addresses to expire after a short time (about 30 minutes). This ensures that you can set up many devices simultaneously, and IP addresses will free up quickly so you can continue to set up devices without hitting network issues.
+### Run app on an open network or network that requires a basic password
+Don't use Set up School PCs over a certification-based network, or one where you have to enter credentials in a browser. If you need to set up numerous devices over Wi-Fi, make sure that your network configuration can support it.
-* **Apply to new student PCs**
- * The provisioning package that the Set up School PCs app creates should be used on new PCs that haven't been set up for accounts yet. If you apply the provisioning package to a student PC that has already been set up, existing accounts and data might be lost.
-
- > [!WARNING]
- > Only use the provisioning package on PCs that you want to configure and lock down for students. After you apply the provisioning package to a student PC, the PC must be reset to remove the settings.
+We recommend that you:
+* Configure your DHCP so at least 200 IP addresses are available for your devices. Having available IP addresses will allow you to set up many devices simultaneously.
+* Configure your IP addresses to expire after a short time--about 30 minutes. IP addresses will free up quickly so you can continue to set up devices without network issues.
- * The student PCs must be in range of the Wi-Fi network that you configured in Set up School PCs or have a wired Ethernet connection when you set them up. Otherwise, setup will fail.
- * If the PC has already been set up and you want to return to the first-run experience to apply a new package, you can reset the PC to get to a clean state and get it back to the first-run experience and ready to provision again.
+>> [!WARNING]
+> Only use the provisioning package on PCs that you want to configure and lock down for students. After you apply the provisioning package to a student PC, the PC must be reset to remove the settings.
- To do this:
- - Go to **Settings > Update & security > Recovery**. In the **Reset this PC** section of the **Recovery** page, click **Get started**.
- - Or, hit **Shift** + click **Restart** in the **Power** menu to load the Windows boot user experience. From there, follow these steps:
- 1. Click **Troubleshoot** and then choose **Reset this PC**.
- 2. Select **Remove everything**.
- 3. Select **No - remove provisioning packages**.
- 4. Select **Only the drive where Windows is installed** (this may not always show up).
- 5. Click **Just remove my files**.
- 6. Click **Reset**.
+### Use an additional USB drive
+You can set up PCs at the same time. Just save the provisioning package to an additional USB drive. Then plug them in at the same time during deployment.
-* **Use an NTFS-formatted USB key**
+### Limit changes to school-optimized settings
- If you're planning to install several apps, the Set up School PCs package may exceed 4 GB. Check if your USB drive format is FAT32. If it is, you won't be able to save more than 4 GB of data on the drive. To work around this, reformat the USB drive to use the NTFS format. To do this:
+We strongly recommend that you avoid changing preset policies. Changes can slow down setup, performance, and sign-in time.
+## Create the provisioning package
- 1. Insert the USB key into your computer.
- 2. Go to the Start menu and type **This PC** and then select the **This PC (Desktop app)** from the search results.
- 3. In the **Devices and drivers** section, find the USB drive, select and then right-click to bring up options.
- 4. Select **Format** from the list to bring up the **Format ** window.
- 5. Set **File system** to **NTFS** and then click **Start** to format the drive.
+The **Set up School PCs** app guides you through the configuration choices for the student PCs.
-* **Use more than one USB key**
+### Sign-in
+1. Open the Set up School PCs app on your PC and click **Get started**.
+
+ 
+2. Select how you want to sign in.
+ a. (Recommended) To enable student PCs to automatically be connect to Office 365, Azure AD, and management services like Intune for Education, click **Sign-in**. Then go to step 3.
+ b. To complete setup without signing in, click **Skip**. Student PCs won't be connected to your school's cloud services and managing them will be more difficult later. Continue to [Wireless network](use-set-up-school-pcs-app.md#Wireless-network).
+3. In the new window, select the account you want to use throughout setup.
- If you are setting up multiple PCs, you can set them up at the same time. Just save the provisioning package to another USB drive. Create two keys and you can run it on two PCs at once, and so on.
+ 
-* **Keep it clean**
+ To add an account not listed:
+a. Click **Work or school account** > **Continue**.
+ b. Type in the account username and click **Next**.
+ c. You may be asked to verify the user account and password.
- We strongly recommend that IT avoid changes to policies unless absolutely necessary, as any changes can impair performance and sign-in time. Get more information at [Set up School PCs app technical reference](set-up-school-pcs-technical.md).
-
-* **Get more info**
-
- Learn more about what Set up School PCs does, including provisioning details, in [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md).
-
-## Prerequisites
-
-- [Download the latest Set up School PCs app from the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4ls40).
-
- The app supports these languages: Chinese (Simplified), Chinese (Traditional), Danish, Dutch, English (United Kingdom), English (United States), French, German, Italian, Japanese, Korean, Norwegian, Polish, Portuguese (Brazil), Russian, Spanish (Spain), Spanish (Mexico), Swedish, and Turkish.
-
-- Install the app on your work PC and make sure you're connected to your school's network.
-- You must have Office 365 and Azure Active Directory.
-- You must have the Microsoft Store for Education configured.
-- You must be a global admin in the Microsoft Store for Education.
-- It's best if you sign up for and [configure Intune for Education](../get-started/use-intune-for-education.md) before using the Set up School PCs app.
-- Have a USB drive, 1 GB or larger, to save the provisioning package. We recommend an 8 GB or larger USB drive if you're installing Office.
-- Check the default file system format for your USB drive. You may need to set this to NTFS to save a provisioning package that's 4 GB or larger.
-
-## Set up School PCs step-by-step
-
-### Create the provisioning package
-
-The **Set up School PCs** app guides you through the configuration choices for the student PCs.
-
-1. Launch the Set up School PCs app.
-
- **Figure 1** - Launch the Set up School PCs app
-
- 
-
-2. Click **Get started**.
-3. To sign in to your school's Office 365 account, in the **First step: Let's get you signed in** page:
-
- To get the best option for setup and enable student PCs to automatically be connected to Office 365, Azure AD, and management services like Intune for Education, click **Sign-in**.
-
- To complete setup without signing in, click **Skip**. Student PCs won't be connected to your school's cloud services and managing them will be more difficult later.
-
- If you opt to sign in, follow these steps:
-
- 1. Choose the account from the list. If you don't see the account, select **Work or school account**, click **Continue**, and enter the account details.
- 2. Click **Next** once you've specified the account.
- 3. If you added an account, you may be asked to provide the user account and password. You will get a notification to allow the app to access your account. This will give Set up School PCs permission to access Store for Business, read memberships, sign you in and read your profile, and more.
- 4. Click **Accept**.
-
- The account will show up as the account that Set up School PCs will use to connect the school PCs to the cloud.
-
- **Figure 2** - Verify that the account you selected shows up
+1. Click **Accept** to allow Set up School PCs to access your account throughout setup.
+2. When your account name appears on the page, as shown in the image below, click **Next.**
- 5. Click **Next**.
-
-4. To allow the student PCs to automatically connect to your school's wireless network, in the **Select the school's wireless network** page:
- 1. Select the school's Wi-Fi network from the list of available wireless networks or manually add a wireless network.
- 2. Click **Next** if you added or selected a wireless network, or **Skip** to skip configuring a wireless network.
+### Wireless network
+Add and save a wireless network profile to provision on each student PC. Only skip Wi-Fi setup if you have an Ethernet connection.
- If you click **Skip**, you will see the following dialog.
- * If you select **Got it**, you will go to the next page without Wi-Fi set up.
- * If you select **Add Wi-Fi**, you will go back to the Wi-Fi page to add a wireless network.
+Select your school's Wi-Fi network from the list of available wireless networks, or click **Add a wireless network** to manually configure it. Then click **Next.**
- **Figure 3** - Only skip Wi-Fi if you have a wired Ethernet connection
+ 
- 
+### Device names
+Create a short name to add as a prefix to each of the PCs you set up. The name will help you recognize and manage this group of devices in your mobile device manager. The name must be five (5) characters or less.
-5. To assign a name to the student PCs, in the **Name these devices** page:
- 1. Add a short name that Set up School PCs will use as a prefix to identify and easily manage the group of devices, apps, and other settings through your device management client.
-
- > [!NOTE]
- > The name must be five (5) characters or less. Set up School PCs automatically appends `_%SERIAL%` to the prefix that you specify. `_%SERIAL%` ensures that all device names are unique.
+To make sure all device names are unique, Set up School PCs automatically appends `_%SERIAL%` to the name. For example, if you add *Math4* as the prefix, the device names will appear as *Math4* followed by a random string of letters and numbers.
- For example, if you add *Math4* as the prefix, the device names will be *Math4* followed by a random string of letters and numbers.
-
- 2. Click **Next**.
-
-6. To specify other settings for the student PC, in the **Configure student PC settings** page:
- - Select **Remove apps pre-installed by the device manufacturer** to install only the base Windows image.
-
- > [!NOTE]
- > If you select this option, the provisioning process will take longer (about 30 minutes).
-
- - Select **Allow local storage (not recommended for shared devices)** to let students save files to the **Desktop** and **Documents** folder on the student PC. We don't recommend this option if the device will be part of a shared cart or lab.
- - Select **Optimize device for a single student, instead of a shared cart or lab** to optimize the device for use by a single student (1:1).
- - Check this option if the device will not be part of a shared cart or lab.
- - Set up School PCs will change some account management logic so that it sets the expiration time for an account to 180 days (without requiring sign-in).
- - This setting also increases the maximum storage to 100% of the available disk space. This prevents the student's account from being erased if the student stores a lot of files or data, or if the student doesn't use the PC over a prolonged period.
-
- - Select **Let guests sign-in to these PCs** to allow guests to use student PCs without a school account. For example, if the device will be in a library and you want other users (like visiting students or teachers) to be able to use the device, you can select this option.
-
- If you select this option, this adds a **Guest** account button in the PC's sign-in screen to allow anyone to use the PC.
-
- - Select **Enable Autopilot Reset** to reset student PCs from the lock screen any time and apply original settings and device management enrollment (Azure AD and MDM) so they're ready to use. Make sure you are running Windows 10, version 1709 on the student PCs if you want to use Autopilot Reset through the Set up School PCs app.
- - To change the default lock screen background or to use your school's custom lock screen background, click **Browse** to select a new lock screen background.
-
- **Figure 4** - Configure student PC settings
-
- 
-
- When you're doing configuring the student PC settings, click **Next**.
-
-7. If you want to set up the Take a Test app and use it for taking quizzes and high-stakes assessments by some providers like Smarter Balanced, configure the settings in the **Set up the Take a Test app** page. Windows will also lock down the student PC so that students can't access anything else while taking the test.
- 1. Specify if you want to create a Take a Test button on the sign-in screens of students' PCs.
- 2. Check the options whether to allow keyboard text suggestions to appear and to allow teachers to monitor online tests.
- 3. Enter the assessment URL.
-
- You can leave the URL blank so that students can enter one later. This enables teachers to use the Take a Test account for daily quizzes or tests by having students manually enter a URL.
-
- **Figure 5** - Configure the Take a Test app
-
- 
-
- 3. Click **Next** or **Skip** depending on whether you want to set up Take a Test.
-
-8. In the **Add recommended apps** page, you can choose from a set of recommended Microsoft Store apps to provision. The recommended apps include the following:
- * **Office 365 for Windows 10 S (Education Preview)**
- * Office 365 for Windows 10 S will only work on student PCs running Windows 10 S. If you try to install this app on other editions of Windows, setup will fail.
- * When adding the Office 365 for Windows 10 S to a package, the device you use to run Set up School PCs does not have to be running Windows 10 S.
- * **Minecraft: Education Edition** - Free trial
- * Popular **STEM and Makerspace apps**
-
- 1. Select the apps that you would like to provision and then click **Next** when you're done. Apps that you provision on student PCs will be pinned to the Start menu.
- 2. Click **Skip** if you don't want to provision any apps.
-
- **Figure 6** - Select from a set of recommended apps
-
- 
-
- The set of recommended Microsoft Store for Education apps may vary from what we show here.
-
-9. In the **Review package summary** page, make sure that all the settings you configured appear correctly.
- 1. If you need to change any of the settings, you can on the sections to go back to that page and make your changes.
-
- **Figure 7** - Review your settings and change them as needed
-
- 
-
- 2. Click **Accept**.
-
-10. In the **Insert a USB drive now** page:
- 1. Insert a USB drive to save your settings and create a provisioning package on the USB drive.
- 2. Set up School PCs will automatically detect the USB drive after it's inserted. Choose the USB drive from the list.
- 3. Click **Save** to save the provisioning package to the USB drive.
-
- **Figure 8** - Select the USB drive and save the provisioning package
-
- 
-
-11. When the provisioning package is ready, you will see the name of the file and you can remove the USB drive. Click **Next** if you're done, or click **Add a USB** to save the same provisioning package to another USB drive.
-
- **Figure 9** - Provisioning package is ready
-
- 
-
-12. Follow the instructions in the **Get the student PCs ready** page to start setting up the student PCs.
-
- **Figure 10** - Line up the student PCs and get them ready for setup
-
- 
-
-13. Click **Next**.
-14. In the **Install the package** page, follow the instructions in [Apply the provisioning package to the student PCs](#apply-the-provisioning-package-to-the-student-pcs) to set up the student PCs.
-
- Select **Create new package** if you need to create a new provisioning package. Otherwise, you can remove the USB drive if you're completely done creating the package.
-
- **Figure 11** - Install the provisioning package on the student PCs
-
- 
+ 
-### Apply the provisioning package to the student PCs
-The provisioning package on your USB drive is named `Set up School PCs.ppkg`. A provisioning package is a method for applying settings to Windows 10 without needing to reimage the device. When Windows 10 refers to *package*, it means your provisioning package, and when it refers to *provisioning*, it means applying the provisioning package to the student PC.
+### Settings
+Select additional settings to include in the provisioning package. To begin, select the operating system on your student PCs.
-> [!NOTE]
-> The student PC must contain a new or reset image and the PC must not already have been through first-run setup (OOBE).
-**To set up the student PC using the Set up School PCs provisioning package**
+
-1. Start with the student PC turned off or with the PC on the first-run setup screen. In Windows 10 Creators Update (version 1703), this first-run setup screen says **Let's start with region. Is this right?**.
+Setting selections vary based on the OS version you select. The following table lists all possible settings, descriptions, and important notes to consider. After you've made your selections, click **Next**.
- If the PC has gone past the account setup screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
- **Figure 12** - The first screen during first-run setup in Windows 10 Creators Update (version 1703)
+|Setting |What happens if I select it? |Note|
+|---------|---------|---------|
+|Remove apps pre-installed by the device manufacturer | Uninstalls apps that came loaded on the computer by the device's manufacturer. |Adds about 30 minutes to the provisioning process.|
+|Allow local storage (not recommended for shared devices) | Lets students save files to the Desktop and Documents folder on the Student PC. |Not recommended if the device will be part of a shared cart or lab.|
+|Optimize device for a single student, instead of a shared cart or lab |Optimizes the device for use by a single student, rather than many students. |Recommended option only if the device is not shared with other students in the school. Single-optimized accounts are set to expire, and require a signin, 180 days after setup. This setting increases the maximum PC storage to 100% of the available disk space. In this case, student accounts aren't deleted unless the account has been inactive for 180 days. |
+|Let guests sign in to these PCs |Allows guests to use student PCs without a school account. |Common to use within a public, shared space, such as a library. Also used when a student loses their password. Adds a **Guest** account to the PC sign-in screen that anyone can sign in to.|
+|Enable Windows Autopilot Reset | Lets you remotely reset a student’s PC from the lock screen, apply the device’s original settings, and enroll it in device management (Azure AD and MDM). |Requires Windows 10, version 1709 and WinRE must be enabled on the PC. Setup will fail if both requirements aren't met.|
+|Lock screen background|Change the default screen lock background to a custom image.|Click **Browse** to search for an image file on your computer. Accepted image formats are jpg, jpeg, and png.|
- 
-2. Insert the USB drive. Windows will recognize the drive and automatically install the provisioning package.
+### Take a Test app
+Set up the Take a Test app to give online quizzes and high-stakes assessments. During assessments, Windows locks down the student PC so that students can't access anything else on the device.
+1. Select **Yes** to create a Take a Test button on the sign-in screens of your students' PCs.
- **Figure 13** - Windows automatically detects the provisioning package and installs it
+ 
+2. Select from the advanced settings. The following table lists available settings and their descriptions.
- 
+|Setting |Description |
+|---------|---------|
+|Allow keyboard auto-suggestions | Allows app to suggest words as the student types on the PC's keyboard. |
+|Allow teachers to monitor online tests | Enables screen capture in the Take a Test app. |
-3. You can remove the USB drive when you see the message that you can remove the removable media. You can then use the USB drive to start provisioning another student PC.
+3. Enter the URL where the test is hosted. When students log in to the Take a Test account, they'll be able to click or enter the link to view the assessment.
- **Figure 14** - Remove the USB drive when you see the message that the media can be removed
+4. Click **Next**.
- 
+### Add recommended apps
+Choose from a list of recommended Microsoft Store apps to install on student PCs. Then click **Next**. After they're assigned, apps are pinned to the student's Start menu.
+
+ 
+
+The following table lists the recommended apps you'll see.
+
+|App |Note |
+|---------|---------|
+|Office 365 for Windows 10 in S mode (Education Preview) | Setup is only successful on student PCs that run Windows 10 in S mode. The PC you running the Set up School PCs app is not required to have Windows 10 in S mode. |
+|Minecraft: Education Edition | Free trial|
+|Other apps fit for the classroom |Select from WeDo 2.0 LEGO®, Arduino IDE, Ohbot, Sesavis Visual, and EV3 Programming|
+
+
+### Summary
+1. Review all of the settings for accuracy and completeness. Check carefully. To make changes to a saved package, you have to start over.
+2. To make changes now, click any page along the left side of the window.
+3. When finished, click **Accept**.
+
+ 
+
+### Insert USB
+1. Insert a USB drive. The **Save** button will light up when your computer detects the USB.
+2. Choose your USB drive from the list and click **Save**.
+
+ 
+
+3. When the package is ready, you'll see the filename and package expiration date. You can also click **Add a USB** to save the same provisioning package to another USB drive. When you're done, remove the USB drive and click **Next**.
+
+ 
+
+## Run package - Get PCs ready
+Complete each step on the **Get PCs ready** page to prepare student PCs for set-up. Then click **Next**.
-4. If you set up the package to do Azure AD Join, that's it! You're done, and the PC is now ready for students to use.
+ 
- If you did not set up the package to do Azure AD Join, go through the rest of the Windows device setup experience.
+## Run package - Install package on PC
-## Related topics
+The provisioning package on your USB drive is named SetupSchoolPCs_<*devicename*>(Expires <*expiration date*>.ppkg. A provisioning package applies settings to Windows 10 without reimaging the device.
+
+When used in context of the Set up School PCs app, the word *package* refers to your provisioning package. The word *provisioning* refers to the act of installing the package on the student PC. This section describes how to apply the settings to a PC in your school.
+
+> [!IMPORTANT]
+> The PC must have a new or reset Windows 10 image and must not already have been through first-run setup (also referred to as OOBE). For instructions about how to reset a computer's image, see [Prepare existing PC account for new setup](use-set-up-school-pcs-app.md#prepare-existing-pc-account-for-new-setup).
+
+1. Start with the student PC turned off or with the PC on the first-run setup screen. In Windows 10 version 1803, the first-run setup screen reads, **Let's start with region. Is this right?**
+
+ If the PC has gone past the account setup screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
+
+ 
+
+2. Insert the USB drive. Windows automatically recognizes and installs the package.
+
+ 
+3. When you receive the message that it's okay to remove the USB drive, remove it from the PC. If there are more PCs to set up, insert the USB drive into the next PC.
+
+ 
+
+4. If you did not set up the package to do Azure AD Join, go through the rest of the Windows device setup experience. If you did configure the package for Azure AD Join, the computer is ready for use and no further configurations are required.
+
+ If successful, you'll see a setup complete message. The PCs start up on the lock screen with your school's custom background. Upon first use, students and teachers will be able to connect to your school's network and resources.
-[Set up Windows devices for education](set-up-windows-10.md)
diff --git a/mdop/mbam-v25/mbam-25-supported-configurations.md b/mdop/mbam-v25/mbam-25-supported-configurations.md
index 7b603f1d3f..195791d851 100644
--- a/mdop/mbam-v25/mbam-25-supported-configurations.md
+++ b/mdop/mbam-v25/mbam-25-supported-configurations.md
@@ -335,6 +335,11 @@ You must install SQL Server with the **SQL\_Latin1\_General\_CP1\_CI\_AS** coll
+
+Microsoft SQL Server 2017 |
+Standard, Enterprise, or Datacenter |
+ |
+64-bit |
Microsoft SQL Server 2016 |
Standard, Enterprise, or Datacenter |
diff --git a/store-for-business/release-history-microsoft-store-business-education.md b/store-for-business/release-history-microsoft-store-business-education.md
index d7484344ae..f9d2591ffe 100644
--- a/store-for-business/release-history-microsoft-store-business-education.md
+++ b/store-for-business/release-history-microsoft-store-business-education.md
@@ -8,7 +8,7 @@ ms.pagetype: store
author: TrudyHa
ms.author: TrudyHa
ms.topic: conceptual
-ms.date: 5/31/2018
+ms.date: 6/28/2018
---
# Microsoft Store for Business and Education release history
@@ -17,6 +17,9 @@ Microsoft Store for Business and Education regularly releases new and improved f
Looking for info on the latest release? Check out [What's new in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md)
+## May 2018
+- **Immersive Reader app available in Microsoft Store for Education** - This app is a free tool that uses proven techniques to improve reading and writing for people regardless of their age or ability. You can add the app to your private store, so students can easily install and use it.
+
## April 2018
- **Assign apps to larger groups** - We're making it easier for admins to assign apps to groups of people. Admins can assign licenses to groups of any size, and include subgroups within those groups. We’ll figure out who’s in those groups, and assign licenses to people in the groups (skipping people who already have licenses). Along the way, we’ll let you know how many licenses are needed, and provide an estimate on the time required to assign licenses.
- **Change collection order in private store** - Private store collections make it easy for groups of people to find the apps that they need. Now, you can customize the order of your private store collections.
diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md
index e2988a84c9..ecb95fbfa9 100644
--- a/store-for-business/whats-new-microsoft-store-business-education.md
+++ b/store-for-business/whats-new-microsoft-store-business-education.md
@@ -8,7 +8,7 @@ ms.pagetype: store
author: TrudyHa
ms.author: TrudyHa
ms.topic: conceptual
-ms.date: 5/31/2018
+ms.date: 6/28/2018
---
# What's new in Microsoft Store for Business and Education
@@ -17,19 +17,15 @@ Microsoft Store for Business and Education regularly releases new and improved f
## Latest updates for Store for Business and Education
-**May 2018**
+**June 2018**
| | |
|--------------------------------------|---------------------------------|
-|  |**Immersive Reader app in Microsoft Store for Education**
Microsoft Immersive Reader is now available for education organizations using Microsoft Store for Education. This app is a free tool that uses proven techniques to improve reading and writing for people regardless of their age or ability. You can add the app to your private store, so students can easily install and use it. Check out and download [Immersive Reader](https://educationstore.microsoft.com/en-us/store/details/immersive-reader/9PJZQZ821DQ2).
**Applies to**:
Microsoft Store for Education |
-
-
-
+
+
+
List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are launched after logon. This policy allows the IT admin to specify a list of applications that users can run after logging on to the device.
+For this policy to work, the Windows apps need to declare in their manifest that they will use the start up task. Example of the declaration here:
+
+``` syntax
+
+
+
+```
+
+> [!Note]
+> This policy only works on modern apps.
+
diff --git a/windows/client-management/mdm/policy-csp-bits.md b/windows/client-management/mdm/policy-csp-bits.md
new file mode 100644
index 0000000000..c9fdf5ff82
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-bits.md
@@ -0,0 +1,504 @@
+---
+title: Policy CSP - BITS
+description: Policy CSP - BITS
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: MariciaAlforque
+ms.date: 06/29/2018
+---
+
+# Policy CSP - BITS
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The following bandwidth policies are used together to define the bandwidth-throttling schedule and transfer rate.
+
+- BITS/BandwidthThrottlingEndTime
+- BITS/BandwidthThrottlingStartTime
+- BITS/BandwidthThrottlingTransferRate
+
+If BITS/BandwidthThrottlingStartTime or BITS/BandwidthThrottlingEndTime are NOT defined, but BITS/BandwidthThrottlingTransferRate IS defined, then default values will be used for StartTime and EndTime (8am and 5pm respectively). The time policies are based on the 24-hour clock.
+
+
+
+
+## BITS policies
+
+
+ -
+ BITS/BandwidthThrottlingEndTime
+
+ -
+ BITS/BandwidthThrottlingStartTime
+
+ -
+ BITS/BandwidthThrottlingTransferRate
+
+ -
+ BITS/CostedNetworkBehaviorBackgroundPriority
+
+ -
+ BITS/CostedNetworkBehaviorForegroundPriority
+
+ -
+ BITS/JobInactivityTimeout
+
+
+
+
+
+
+
+**BITS/BandwidthThrottlingEndTime**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  5 |
+ 5 |
+  |
+ 5 |
+ 5 |
+ |
+ |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy specifies the bandwidth throttling **end time** that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting does not affect foreground transfers. This policy is based on the 24-hour clock.
+
+Value type is integer. Default value is 17 (5 pm).
+
+Supported value range: 0 - 23
+
+You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A.M. to 5:00 P.M., and use all available unused bandwidth the rest of the day's hours.
+
+Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrottlingEndTime, BandwidthThrottlingTransferRate), BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0.
+
+If you disable or do not configure this policy setting, BITS uses all available unused bandwidth.
+
+Note: You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect Peercaching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose.
+
+Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs).
+
+
+
+ADMX Info:
+- GP English name: *Limit the maximum network bandwidth for BITS background transfers*
+- GP name: *BITS_MaxBandwidth*
+- GP element: *BITS_BandwidthLimitSchedTo*
+- GP path: *Network/Background Intelligent Transfer Service (BITS)*
+- GP ADMX file name: *Bits.admx*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**BITS/BandwidthThrottlingStartTime**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 5 |
+ 5 |
+ |
+ 5 |
+ 5 |
+ |
+ |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy specifies the bandwidth throttling **start time** that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting does not affect foreground transfers. This policy is based on the 24-hour clock.
+
+Value type is integer. Default value is 8 (8 am).
+
+Supported value range: 0 - 23
+
+You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A.M. to 5:00 P.M., and use all available unused bandwidth the rest of the day's hours.
+
+Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrottlingEndTime, BandwidthThrottlingTransferRate), BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0.
+
+If you disable or do not configure this policy setting, BITS uses all available unused bandwidth.
+
+Note: You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect Peercaching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose.
+
+Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs).
+
+
+
+ADMX Info:
+- GP English name: *Limit the maximum network bandwidth for BITS background transfers*
+- GP name: *BITS_MaxBandwidth*
+- GP element: *BITS_BandwidthLimitSchedFrom*
+- GP path: *Network/Background Intelligent Transfer Service (BITS)*
+- GP ADMX file name: *Bits.admx*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**BITS/BandwidthThrottlingTransferRate**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 5 |
+ 5 |
+ |
+ 5 |
+ 5 |
+ |
+ |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy specifies the bandwidth throttling **transfer rate** in kilobits per second (Kbps) that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting does not affect foreground transfers.
+
+Value type is integer. Default value is 1000.
+
+Supported value range: 0 - 4294967200
+
+You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A.M. to 5:00 P.M., and use all available unused bandwidth the rest of the day's hours.
+
+Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrottlingEndTime, BandwidthThrottlingTransferRate), BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0.
+
+If you disable or do not configure this policy setting, BITS uses all available unused bandwidth.
+
+Note: You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect Peercaching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose.
+
+Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs).
+
+
+
+ADMX Info:
+- GP English name: *Limit the maximum network bandwidth for BITS background transfers*
+- GP name: *BITS_MaxBandwidth*
+- GP element: *BITS_MaxTransferRateText*
+- GP path: *Network/Background Intelligent Transfer Service (BITS)*
+- GP ADMX file name: *Bits.admx*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**BITS/CostedNetworkBehaviorBackgroundPriority**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 5 |
+ 5 |
+ |
+ 5 |
+ 5 |
+ |
+ |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy setting defines the default behavior that the Background Intelligent Transfer Service (BITS) uses for background transfers when the system is connected to a costed network (3G, etc.). Download behavior policies further limit the network usage of background transfers.
+
+If you enable this policy setting, you can define a default download policy for each BITS job priority. This setting does not override a download policy explicitly configured by the application that created the BITS job, but does apply to jobs that are created by specifying only a priority.
+
+For example, you can specify that background jobs are by default to transfer only when on uncosted network connections, but foreground jobs should proceed only when not roaming. The values that can be assigned are:
+- 1 - Always transfer
+- 2 - Transfer unless roaming
+- 3 - Transfer unless surcharge applies (when not roaming or overcap)
+- 4 - Transfer unless nearing limit (when not roaming or nearing cap)
+- 5 - Transfer only if unconstrained
+
+
+
+ADMX Info:
+- GP English name: *Set default download behavior for BITS jobs on costed networks*
+- GP name: *BITS_SetTransferPolicyOnCostedNetwork*
+- GP element: *BITS_TransferPolicyNormalPriorityValue*
+- GP path: *Network/Background Intelligent Transfer Service (BITS)*
+- GP ADMX file name: *Bits.admx*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**BITS/CostedNetworkBehaviorForegroundPriority**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 5 |
+ 5 |
+ |
+ 5 |
+ 5 |
+ |
+ |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy setting defines the default behavior that the foreground Intelligent Transfer Service (BITS) uses for foreground transfers when the system is connected to a costed network (3G, etc.). Download behavior policies further limit the network usage of foreground transfers.
+
+If you enable this policy setting, you can define a default download policy for each BITS job priority. This setting does not override a download policy explicitly configured by the application that created the BITS job, but does apply to jobs that are created by specifying only a priority.
+
+For example, you can specify that foreground jobs are by default to transfer only when on uncosted network connections, but foreground jobs should proceed only when not roaming. The values that can be assigned are:
+- 1 - Always transfer
+- 2 - Transfer unless roaming
+- 3 - Transfer unless surcharge applies (when not roaming or overcap)
+- 4 - Transfer unless nearing limit (when not roaming or nearing cap)
+- 5 - Transfer only if unconstrained
+
+
+
+ADMX Info:
+- GP English name: *Set default download behavior for BITS jobs on costed networks*
+- GP name: *BITS_SetTransferPolicyOnCostedNetwork*
+- GP element: *BITS_TransferPolicyForegroundPriorityValue*
+- GP path: *Network/Background Intelligent Transfer Service (BITS)*
+- GP ADMX file name: *Bits.admx*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**BITS/JobInactivityTimeout**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 5 |
+ 5 |
+ |
+ 5 |
+ 5 |
+ |
+ |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy setting specifies the number of days a pending BITS job can remain inactive before the job is considered abandoned. By default BITS will wait 90 days before considering an inactive job abandoned. After a job is determined to be abandoned, the job is deleted from BITS and any downloaded files for the job are deleted from the disk.
+
+> [!Note]
+> Any property changes to the job or any successful download action will reset this timeout.
+
+Value type is integer. Default is 90 days.
+
+Supported values range: 0 - 999
+
+Consider increasing the timeout value if computers tend to stay offline for a long period of time and still have pending jobs.
+Consider decreasing this value if you are concerned about orphaned jobs occupying disk space.
+
+If you disable or do not configure this policy setting, the default value of 90 (days) will be used for the inactive job timeout.
+
+
+
+ADMX Info:
+- GP English name: *Timeout for inactive BITS jobs*
+- GP name: *BITS_Job_Timeout*
+- GP element: *BITS_Job_Timeout_Time*
+- GP path: *Network/Background Intelligent Transfer Service (BITS)*
+- GP ADMX file name: *Bits.admx*
+
+
+
+Value type is integer. Default is 90 days.
+
+Supported values range: 0 - 999
+
+
+
+
+
+
+
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+- 4 - Added in Windows 10, version 1803.
+- 5 - Added in the next major release of Windows 10.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md
index e4a66aaaa6..1a68801067 100644
--- a/windows/client-management/mdm/policy-csp-browser.md
+++ b/windows/client-management/mdm/policy-csp-browser.md
@@ -6,11 +6,13 @@ ms.prod: w10
ms.technology: windows
author: shortpatti
ms.author: pashort
-ms.date: 06/21/2018
+ms.date: 07/18/2018
---
# Policy CSP - Browser
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
@@ -49,6 +51,9 @@ ms.date: 06/21/2018
-
Browser/AllowFlashClickToRun
+ -
+ Browser/AllowFullScreenMode
+
-
Browser/AllowInPrivate
@@ -61,15 +66,33 @@ ms.date: 06/21/2018
-
Browser/AllowPopups
+ -
+ Browser/AllowPrelaunch
+
+ -
+ Browser/AllowPrinting
+
+ -
+ Browser/AllowSavingHistory
+
-
Browser/AllowSearchEngineCustomization
-
Browser/AllowSearchSuggestionsinAddressBar
+ -
+ Browser/AllowSideloadingOfExtensions
+
-
Browser/AllowSmartScreen
+ -
+ Browser/AllowTabPreloading
+
+ -
+ Browser/AllowWebContentOnNewTabPage
+
-
Browser/AlwaysEnableBooksLibrary
@@ -79,6 +102,24 @@ ms.date: 06/21/2018
-
Browser/ConfigureAdditionalSearchEngines
+ -
+ Browser/ConfigureFavoritesBar
+
+ -
+ Browser/ConfigureHomeButton
+
+ -
+ Browser/ConfigureKioskMode
+
+ -
+ Browser/ConfigureKioskResetAfterIdleTimeout
+
+ -
+ Browser/ConfigureOpenMicrosoftEdgeWith
+
+ -
+ Browser/ConfigureTelemetryForMicrosoft365Analytics
+
-
Browser/DisableLockdownOfStartPages
@@ -94,6 +135,9 @@ ms.date: 06/21/2018
-
Browser/FirstRunURL
+ -
+ Browser/ForceEnabledExtensions
+
-
Browser/HomePages
@@ -103,6 +147,9 @@ ms.date: 06/21/2018
-
Browser/PreventAccessToAboutFlagsInMicrosoftEdge
+ -
+ Browser/PreventCertErrorOverrides
+
-
Browser/PreventFirstRunPage
@@ -130,12 +177,21 @@ ms.date: 06/21/2018
-
Browser/SetDefaultSearchEngine
+ -
+ Browser/SetHomeButtonURL
+
+ -
+ Browser/SetNewTabPageURL
+
-
Browser/ShowMessageWhenOpeningSitesInInternetExplorer
-
Browser/SyncFavoritesBetweenIEAndMicrosoftEdge
+ -
+ Browser/UnlockHomeButton
+
-
Browser/UseSharedFolderForBooks
@@ -370,7 +426,7 @@ The following list shows the supported values:
-By default, Microsoft Edge automatically updates the configuration data for the Books Library. Enabling this policy prevents Microsoft Edge from updating the configuration data.
+By default, Microsoft Edge automatically updates the configuration data for the Books Library. Enabling this policy prevents Microsoft Edge from updating the configuration data.
@@ -578,7 +634,6 @@ The following list shows the supported values:
- 0 (Disabled) - Never sends tracking information.
- 1 (Enabled) - Sends tracking information, including to the third parties whose content may be hosted on the sites visited.
-
To verify AllowDoNotTrack is set to 0 (not allowed):
@@ -770,6 +825,72 @@ The following list shows the supported values:
+
+**Browser/AllowFullScreenMode**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ |
+ |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+Next Windows 10 major release
+Microsoft Edge allows full-screen mode by default, which shows only the web content and hides the Microsoft Edge UI. When allowing full-screen mode, users and extensions must have the proper permissions. Disabling this policy prevents full-screen mode in Microsoft Edge.
+
+
+
+ADMX Info:
+- GP English name: *Allow FullScreen Mode*
+- GP name: *AllowFullScreenMode*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
+
+Allowed values:
+- 0 - Prevented/not allowed
+- 1 (default) - Allowed
+
+Most restricted value: 0
+
+
+
+
+
+
+
+
+
+
+
**Browser/AllowInPrivate**
@@ -1016,7 +1137,7 @@ ADMX Info:
-The following list shows the supported values:
+Allowed values:
- 0 (default) – Pop-up blocker is not allowed. It means that pop-up browser windows are allowed.
- 1 – Pop-up blocker is allowed or enabled. It means that pop-up browser windows are blocked.
@@ -1035,6 +1156,204 @@ To verify AllowPopups is set to 0 (not allowed):
+
+**Browser/AllowPrelaunch**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ |
+ |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+Next Windows 10 major release
+Microsoft Edge pre-launches during Windows startup when the system is idle, and each time Microsoft Edge closes by default. When Microsoft Edge pre-launches, it runs as a background process waiting to be launched by the user. Pre-launching helps the performance of Microsoft Edge and minimizes the amount of time required to start up Microsoft Edge. With this policy, you can configure Microsoft Edge to prevent Microsoft Edge from pre-launching.
+
+
+
+ADMX Info:
+- GP English name: *Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed*
+- GP name: *AllowPrelaunch*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
+
+Allowed values:
+- 0 - Prevented/not allowed
+- 1 (default) - Allowed
+
+Most restricted value: 0
+
+
+
+
+
+
+
+
+
+
+
+
+**Browser/AllowPrinting**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ |
+ |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+Next Windows 10 major release
+Microsoft Edge allows users to print web content by default. With this policy though, you can configure Microsoft Edge to prevent users from printing web content.
+
+
+
+ADMX Info:
+- GP English name: *Allow printing*
+- GP name: *AllowPrinting*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
+
+Allowed values:
+- 0 - Prevented/not allowed
+- 1 (default) - Allowed
+
+Most restricted value: 0
+
+
+
+
+
+
+
+
+
+
+
+
+**Browser/AllowSavingHistory**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ |
+ |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+Next Windows 10 major release
+Microsoft Edge saves the browsing history of visited websites and shows them in the History pane by default. Disabling this policy prevents Microsoft Edge from saving the browsing history. If browsing history existed before disabling this policy, the previous browsing history remains in the History pane. Disabling this policy does not stop roaming of existing browsing history or browsing history from other devices.
+
+
+
+ADMX Info:
+- GP English name: *Allow Saving History*
+- GP name: *AllowSavingHistory*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
+
+Allowed values:
+- 0 - Prevented/not allowed
+- 1 (default) - Allowed
+
+Most restricted value: 0
+
+
+
+
+
+
+
+
+
+
+
**Browser/AllowSearchEngineCustomization**
@@ -1159,6 +1478,73 @@ The following list shows the supported values:
+
+**Browser/AllowSideloadingOfExtensions**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ |
+ |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+Next Windows 10 major release
+By default, Microsoft Edge allows sideloading, which installs and runs unverified extensions. Disabling this policy prevents sideloading of extensions but does not prevent sideloading using Add-AppxPackage via PowerShell. You can only install extensions through Microsoft store (including a store for business), enterprise storefront (such as Company Portal) or PowerShell (using Add-AppxPackage).
+
+
+
+ADMX Info:
+- GP English name: *Allow Sideloading of extension*
+- GP name: *AllowSideloadingOfExtensions*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
+
+Allowed values:
+
+- 0 - Prevented, but does not prevent sideloading of extensions using Add-AppxPackage via PowerShell. To prevent this, enable ApplicationManagement/AllowDeveloperUnlock.
+- 1 (default) - Allowed.
+
+Most restricted value: 0
+
+
+
+
+
+
+
+
+
+
+
**Browser/AllowSmartScreen**
@@ -1229,6 +1615,142 @@ To verify AllowSmartScreen is set to 0 (not allowed):
+
+**Browser/AllowTabPreloading**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ |
+ |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+Next Windows 10 major release
+Microsoft Edge allows preloading of the Start and New tab pages during Windows sign in, and each time Microsoft Edge closes by default. Preloading minimizes the amount of time required to start Microsoft Edge and load a new tab. With this policy, you can configure Microsoft Edge to prevent preloading of tabs.
+
+
+
+
+
+ADMX Info:
+- GP English name: *Allow Microsoft Edge to start and load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed*
+- GP name: *AllowTabPreloading*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
+
+Allowed values:
+
+- 0 (default) - Allowed. Preload Start and New tab pages.
+- 1 - Prevented/not allowed.
+
+
+
+
+
+
+
+
+
+
+
+
+**Browser/AllowWebContentOnNewTabPage**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ |
+ |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+Next Windows 10 major release
+
+This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default, Microsoft Edge opens the New Tab page.
+
+If you enable this setting, Microsoft Edge opens a new tab with the New Tab page.
+
+If you disable this setting, Microsoft Edge opens a new tab with a blank page. If you use this setting, employees can't change it.
+
+If you don't configure this setting, employees can choose how new tabs appears.
+
+
+
+ADMX Info:
+- GP English name: *Allow web content on New Tab page*
+- GP name: *AllowWebContentOnNewTabPage*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
**Browser/AlwaysEnableBooksLibrary**
@@ -1428,6 +1950,436 @@ The following list shows the supported values:
+
+**Browser/ConfigureFavoritesBar**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ |
+ |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+Next Windows 10 major release
+
+Microsoft Edge hides the favorites bar by default but shows the favorites bar on the Start and New tab pages. Also, by default, the favorites bar toggle, in Settings, is set to Off but enabled allowing users to make changes. With this policy, you can configure Microsoft Edge to either show or hide the favorites bar on all pages.
+
+
+
+ADMX Info:
+- GP English name: *Configure Favorites Bar*
+- GP name: *ConfigureFavoritesBar*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
+
+Allowed values:
+
+- Blank (default) - Hide the favorites bar but show it on the Start and New tab pages. The favorites bar toggle, in Settings, is set to Off but enabled allowing users to make changes.
+- 0 - Hide the favorites bar on all pages. Also, the favorites bar toggle, in Settings, is set to Off and disabled preventing users from making changes. Microsoft Edge also hides the “show bar/hide bar” option in the context menu.
+- 1 - Show the favorites bar on all pages. Also, the favorites bar toggle, in Settings, is set to On and disabled preventing users from making changes. Microsoft Edge also hides the “show bar/hide bar” option in the context menu.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**Browser/ConfigureHomeButton**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ |
+ |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+Next Windows 10 major release
+
+Microsoft Edge shows the home button and by clicking it the Start page loads by default. With this policy, you can configure the Home button to load the New tab page or a URL defined in the Set Home Button URL policy. You can also configure Microsoft Edge to hide the home button.
+
+
+
+
+ADMX Info:
+- GP English name: *Configure Home Button*
+- GP name: *ConfigureHomeButton*
+- GP element: *ConfigureHomeButtonDropdown*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
+
+Allowed values:
+
+- 0 (default) - Show the home button and load the Start page.
+- 1 - Show the home button and load the New tab page.
+- 2 - Show the home button and load the custom URL defined in the Set Home Button URL policy.
+- 3 - Hide the home button.
+
+
+
+
+
+
+
+
+
+
+
+
+
+**Browser/ConfigureKioskMode**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ |
+ |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+Next Windows 10 major release
+Configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access, either as a single-app or as one of many apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with limited functionality, or normal Microsoft Edge.
+
+For this policy to work, you must configure Microsoft Edge in assigned access; otherwise, Microsoft Edge ignores the settings in this policy. To learn more about assigned access and kiosk configuration, see [Configure kiosk and shared devices running Windows desktop editions](https://aka.ms/E489vw).
+
+
+
+
+
+ADMX Info:
+- GP English name: *Configure kiosk mode*
+- GP name: *ConfigureKioskMode*
+- GP element: *ConfigureKioskMode_TextBox*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
+
+Allowed values:
+
+**0 (Default or not configured)**:
+- If it’s a single app, it runs InPrivate full screen for digital signage or interactive displays.
+- If it’s one of many apps, Microsoft Edge runs as normal.
+
+**1**:
+- If it’s a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can’t minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy.
+- If it’s one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can’t customize Microsoft Edge.
+
+
+
+
+
+
+
+
+
+
+
+
+**Browser/ConfigureKioskResetAfterIdleTimeout**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ |
+ |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+Next Windows 10 major release
+You can configure Microsoft Edge kiosk mode to reset to the configured start experience after a specified amount of idle time in minutes (0-1440). The reset timer begins after the last user interaction. Once the idle time meets the time specified, a confirmation message prompts the user to continue, and if no user action, Microsoft Edge kiosk mode resets after 30 seconds. Resetting to the configured start experience deletes the current user’s browsing data.
+
+You must set the Configure kiosk mode policy to enabled (1 - InPrivate public browsing) and configure Microsoft Edge as a single-app in assigned access for this policy to take effect; otherwise, Microsoft Edge ignores this setting. To learn more about assigned access and kiosk configuration, see [Configure kiosk and shared devices running Windows desktop editions](https://docs.microsoft.com/en-us/windows/configuration/kiosk-shared-pc).
+
+
+
+ADMX Info:
+- GP English name: *Configure kiosk reset after idle timeout*
+- GP name: *ConfigureKioskResetAfterIdleTimeout*
+- GP element: *ConfigureKioskResetAfterIdleTimeout_TextBox*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
+
+Allowed values:
+- **Any integer from 1-1440 (5 minutes is the default)** – The time in minutes from the last user activity before Microsoft Edge kiosk mode resets to the default kiosk configuration. A confirmation dialog displays for the user to cancel or continue and automatically continues after 30 seconds.
+
+- **0** – No idle timer.
+
+
+
+
+
+
+
+
+
+
+
+
+**Browser/ConfigureOpenMicrosoftEdgeWith**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ |
+ |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+Next Windows 10 major release
+
+By default, Microsoft Edge loads a specific page or pages defined in the Configure Start Pages policy and allow users to make changes. With this policy, you can configure Microsoft Edge to load either the Start page, New tab page, previously opened pages. You can also configure Microsoft Edge to prevent users from changing or customizing the Start page. For this policy to work correctly, you must also configure the Configure Start Pages. If you want to prevent users from making changes, don’t configure the Disable Lockdown of Start Pages policy.
+
+**Version 1703 or later**:
+If you don't want to send traffic to Microsoft, use the value, which honors both domain and non domain-joined devices when it's the only configured URL.
+
+
+**Version 1810**:
+When you enable this policy and select an option, and also enable the Configure Start Pages policy, Microsoft Edge ignores the Configure Start Page policy.
+
+
+
+ADMX Info:
+- GP English name: *Configure Open Microsoft Edge With*
+- GP name: *ConfigureOpenEdgeWith*
+- GP element: *ConfigureOpenEdgeWithListBox*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
+
+Allowed values:
+
+- Blank - If you don't configure this policy and you enable the Disable Lockdown of Start Pages policy, users can change or customize the Start page.
+- 0 - Loads the Start page.
+- 1 - Load the New tab page.
+- 2 - Load the previous pages.
+- 3 (default) - Load a specific page or pages.
+
+
+
+
+
+
+
+
+
+
+
+
+**Browser/ConfigureTelemetryForMicrosoft365Analytics**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ |
+ |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+Next Windows 10 major release
+Microsoft Edge does not send browsing history data to Microsoft 365 Analytics by default. With this policy though, you can configure Microsoft Edge to send intranet history only, internet history only, or both to Microsoft 365 Analytics for enterprise devices with a configured Commercial ID.
+
+
+
+ADMX Info:
+- GP English name: *Configure collection of browsing data for Microsoft 365 Analytics*
+- GP name: *ConfigureTelemetryForMicrosoft365Analytics*
+- GP element: *ZonesListBox*
+- GP path: *Data Collection and Preview Builds*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
+
+Allowed values:
+
+- 0 (default) - Microsoft Edge does not collect or send browsing history data.
+- 1 - Send intranet history only.
+- 2 - Send Internet history only.
+- 3 - Send both intranet and Internet history.
+
+Most restricted value: 0
+
+
+
+
+
+
+
+
+
+
+
**Browser/DisableLockdownOfStartPages**
@@ -1717,6 +2669,66 @@ The default value is an empty string. Otherwise, the string should contain the U
+
+**Browser/ForceEnabledExtensions**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ |
+ |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+This setting lets you decide which extensions should be always enabled.
+
+
+
+ADMX Info:
+- GP name: *ForceEnabledExtensions*
+- GP element: *ForceEnabledExtensions_List*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
**Browser/HomePages**
@@ -1907,6 +2919,73 @@ The following list shows the supported values:
+
+**Browser/PreventCertErrorOverrides**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ |
+ |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+Next Windows 10 major release
+Web security certificates are used to ensure a site that users go to is legitimate, and in some circumstances, encrypts the data. By default, Microsoft Edge allows overriding of the security warnings to sites that have SSL errors, bypassing or ignoring certificate errors. Enabling this policy prevents overriding of the security warnings.
+
+
+
+ADMX Info:
+- GP English name: *Prevent certificate error overrides*
+- GP name: *PreventCertErrorOverrides*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
+
+Allowed values:
+
+- 0 (default) - Allowed/turned on. Override the security warning to sites that have SSL errors.
+- 1 - Prevented/turned on.
+
+Most restricted value: 1
+
+
+
+
+
+
+
+
+
+
+
**Browser/PreventFirstRunPage**
@@ -2186,7 +3265,10 @@ The following list shows the supported values:
-Added in Windows 10, version 1803. This is only a placeholder. Do not use in production code.
+Added in Windows 10, version 1803.
+
+
+
@@ -2397,7 +3479,6 @@ The following list shows the supported values:
- 0 (default) - All websites, including intranet sites, open in Microsoft Edge automatically.
- 1 - Only intranet sites open in Internet Explorer 11 automatically.
-
@@ -2473,6 +3554,141 @@ The following list shows the supported values:
+
+**Browser/SetHomeButtonURL**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ |
+ |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+Next Windows 10 major release
+
+By default, Microsoft Edge shows the home button and loads the Start page, and locks down the home button to prevent users from changing what page loads. Enabling this policy loads a custom URL for the home button. When you enable this policy, and enable the Configure Home Button policy with the _Show home button & set a specific page_ option selected, a custom URL loads when the user clicks the home button.
+
+
+
+ADMX Info:
+- GP English name: *Set Home Button URL*
+- GP name: *SetHomeButtonURL*
+- GP element: *SetHomeButtonURLPrompt*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
+
+Allowed values:
+
+- Blank (default) - Show the home button and loads the Start page and locks down the home button to prevent users from changing what page loads.
+- String - A custom URL loads when clicking the home button. You must also enable the Configure Home Button policy and select the _Show home button & set a specific page_ option. Enter a URL in string format, for example, https://www.msn.com.
+
+
+
+
+
+
+
+
+
+
+
+
+
+**Browser/SetNewTabPageURL**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ |
+ |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+Next Windows 10 major release
+
+Microsoft Edge loads the default New tab page by default. Enabling this policy lets you set a New tab page URL in Microsoft Edge, preventing users from changing it. When you enable this policy, and you disable the Allow web content on New tab page policy, Microsoft Edge ignores any URL specified in this policy and opens about:blank.
+
+
+
+ADMX Info:
+- GP English name: *Set New Tab page URL*
+- GP name: *SetNewTabPageURL*
+- GP element: *SetNewTabPageURLPrompt*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
+
+Allowed values:
+
+- Blank (default) - Load the default New tab page.
+- String - Prevent users from changing the New tab page. Enter a URL in string format, for example, https://www.msn.com.
+
+
+
+
+
+
+
+
+
+
+
**Browser/ShowMessageWhenOpeningSitesInInternetExplorer**
@@ -2514,9 +3730,7 @@ The following list shows the supported values:
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-Added in Windows 10, version 1607. Specifies whether users should see a full interstitial page in Microsoft Edge when opening sites that are configured to open in Internet Explorer using the Enterprise Site List.
-
-Most restricted value is 0.
+Microsoft Edge does not show a notification before opening sites in Internet Explorer 11. However, with this policy, you can configure Microsoft Edge to display a notification before a site opens in IE11 or let users continue in Microsoft Edge. If you want users to continue in Microsoft Edge, enable this policy to show the “Keep going in Microsoft Edge” link in the notification. For this policy to work correctly, you must also enable the Configure the Enterprise Mode Site List or Send all intranet sites to Internet Explorer 11, or both.
@@ -2528,11 +3742,13 @@ ADMX Info:
-The following list shows the supported values:
+Allowed values:
-- 0 (default) – Interstitial pages are not shown.
-- 1 – Interstitial pages are shown.
+- 0 (default) – No additional message displays.
+- 1 – Show an additional message stating that a site has opened in IE11.
+- 2 - Show an additional message with a "Keep going in Microsoft Edge" link.
+Most restricted value: 0
@@ -2612,6 +3828,73 @@ To verify that favorites are in synchronized between Internet Explorer and Micro
+
+**Browser/UnlockHomeButton**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ |
+ |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+Next Windows 10 major release
+
+By default, when you enable the Configure Home Button policy or provide a URL in the Set Home Button URL policy, Microsoft Edge locks down the home button to prevent users from changing the settings. When you enable this policy, users can make changes to the home button even if you enabled the Configure Home Button or Set Home Button URL policies.
+
+
+
+ADMX Info:
+- GP English name: *Unlock Home Button*
+- GP name: *UnlockHomeButton*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
+
+Allowed values:
+
+- 0 (default) - Lock down the home button to prevent users from making changes.
+- 1 - Let users make changes.
+
+
+
+
+
+
+
+
+
+
+
+
**Browser/UseSharedFolderForBooks**
@@ -2676,6 +3959,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
+- 5 - Added in the next major release of Windows 10.
diff --git a/windows/client-management/mdm/policy-csp-datausage.md b/windows/client-management/mdm/policy-csp-datausage.md
index 3fa83ab1c8..285c21097a 100644
--- a/windows/client-management/mdm/policy-csp-datausage.md
+++ b/windows/client-management/mdm/policy-csp-datausage.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
-ms.date: 03/12/2018
+ms.date: 07/13/2018
---
# Policy CSP - DataUsage
@@ -33,67 +33,11 @@ ms.date: 03/12/2018
**DataUsage/SetCost3G**
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- Mobile Enterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-This policy setting configures the cost of 3G connections on the local machine.
-
-If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 3G connections on the local machine:
-
-- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints.
-
-- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit.
-
-- Variable: This connection is costed on a per byte basis.
-
-If this policy setting is disabled or is not configured, the cost of 3G connections is Fixed by default.
+This policy is deprecated in Windows 10, next major version.
-> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
-
-ADMX Info:
-- GP English name: *Set 3G Cost*
-- GP name: *SetCost3G*
-- GP path: *Network/WWAN Service/WWAN Media Cost*
-- GP ADMX file name: *wwansvc.admx*
-
-
diff --git a/windows/client-management/mdm/policy-csp-dmaguard.md b/windows/client-management/mdm/policy-csp-dmaguard.md
new file mode 100644
index 0000000000..0d4c0d64c5
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-dmaguard.md
@@ -0,0 +1,111 @@
+---
+title: Policy CSP - DmaGuard
+description: Policy CSP - DmaGuard
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: MariciaAlforque
+ms.date: 06/29/2018
+---
+
+# Policy CSP - DmaGuard
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+
+## DmaGuard policies
+
+
+ -
+ DmaGuard/DeviceEnumerationPolicy
+
+
+
+
+
+
+
+**DmaGuard/DeviceEnumerationPolicy**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 5 |
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ |
+ |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy is intended to provide additional security against external DMA capable devices. It allows for more control over the enumeration of external DMA capable devices incompatible with DMA Remapping/device memory isolation and sandboxing. This policy only takes effect when Kernel DMA Protection is supported and enabled by the system firmware. Kernel DMA Protection is a platform feature that cannot be controlled via policy or by end user. It has to be supported by the system at the time of manufacturing. To check if the system supports Kernel DMA Protection, please check the Kernel DMA Protection field in the Summary page of MSINFO32.exe.
+
+> [!Note]
+> This policy does not apply to 1394/Firewire, PCMCIA, CardBus, or ExpressCard devices.
+
+Supported values:
+
+0 - Block all (Most restrictive): Devices with DMA remapping compatible drivers will be allowed to enumerate at any time. Devices with DMA remapping incompatible drivers will never be allowed to start and perform DMA at any time.
+
+1 - Only after log in/screen unlock (Default): Devices with DMA remapping compatible drivers will be allowed to enumerate at any time. Devices with DMA remapping incompatible drivers will only be enumerated after the user unlocks the screen
+
+2 - Allow all (Least restrictive): All external DMA capable PCIe devices will be enumerated at any time
+
+
+
+ADMX Info:
+- GP English name: *Enumeration policy for external devices incompatible with Kernel DMA Protection*
+- GP name: *DmaGuardEnumerationPolicy*
+- GP path: *System/Kernel DMA Protection*
+- GP ADMX file name: *dmaguard.admx*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+- 4 - Added in Windows 10, version 1803.
+- 5 - Added in the next major release of Windows 10.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md
index aca458292c..f2dec99193 100644
--- a/windows/client-management/mdm/policy-csp-experience.md
+++ b/windows/client-management/mdm/policy-csp-experience.md
@@ -6,11 +6,13 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
-ms.date: 05/14/2018
+ms.date: 07/13/2018
---
# Policy CSP - Experience
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
@@ -19,6 +21,9 @@ ms.date: 05/14/2018
## Experience policies
+ -
+ Experience/AllowClipboardHistory
+
-
Experience/AllowCopyPaste
@@ -88,6 +93,77 @@ ms.date: 05/14/2018
+
+
+
+**Experience/AllowClipboardHistory**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ |
+ |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Allows history of clipboard items to be stored in memory.
+
+Value type is integer. Supported values:
+- 0 - Not allowed
+- 1 - Allowed (default)
+
+
+
+ADMX Info:
+- GP English name: *Allow Clipboard History*
+- GP name: *AllowClipboardHistory*
+- GP path: *System/OS Policies*
+- GP ADMX file name: *OSPolicy.admx*
+
+
+
+
+
+
+
+
+
+**Validation procedure**
+
+1. Configure Experiences/AllowClipboardHistory to 0.
+1. Open Notepad (or any editor app), select a text, and copy it to the clipboard.
+1. Press Win+V to open the clipboard history UI.
+1. You should not see any clipboard item including current item you copied.
+1. The setting under Settings App->System->Clipboard should be grayed out with policy warning.
+
+
+
+
@@ -1313,6 +1389,7 @@ The following list shows the supported values:
+
Footnote:
@@ -1321,6 +1398,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
+- 5 - Added in the next major release of Windows 10.
diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md
index fe63238f62..07a7954820 100644
--- a/windows/client-management/mdm/policy-csp-windowslogon.md
+++ b/windows/client-management/mdm/policy-csp-windowslogon.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
-ms.date: 05/14/2018
+ms.date: 07/12/2018
---
# Policy CSP - WindowsLogon
@@ -143,6 +143,31 @@ If you enable this policy setting, the PC's network connectivity state cannot be
If you disable or don't configure this policy setting, any user can disconnect the PC from the network or can connect the PC to other available networks without signing into Windows.
+Here is an example to enable this policy:
+
+``` syntax
+
+
+
+ 300
+
+ 301
+ -
+
+ ./Device/Vendor/MSFT/Policy/Config/WindowsLogon/DontDisplayNetworkSelectionUI
+
+
+ chr
+
+ ]]>
+
+
+
+
+
+
+```
+
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
diff --git a/windows/client-management/mdm/supl-csp.md b/windows/client-management/mdm/supl-csp.md
index d4fff403d1..5404820349 100644
--- a/windows/client-management/mdm/supl-csp.md
+++ b/windows/client-management/mdm/supl-csp.md
@@ -232,6 +232,24 @@ Specifies the name of the H-SLP root certificate as a string, in the format *nam
**RootCertificate3/Data**
The base 64 encoded blob of the H-SLP root certificate.
+**RootCertificate4/Name**
+Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer.
+
+**RootCertificate4/Data**
+The base 64 encoded blob of the H-SLP root certificate.
+
+**RootCertificate5/Name**
+Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer.
+
+**RootCertificate5/Data**
+The base 64 encoded blob of the H-SLP root certificate.
+
+**RootCertificate6/Name**
+Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer.
+
+**RootCertificate6/Data**
+The base 64 encoded blob of the H-SLP root certificate.
+
**V2UPL1**
Required for V2 UPL for CDMA. Specifies the account settings for user plane location and IS-801 for CDMA. Only one account is supported at a given time.
diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md
index f1d6952717..708ac76bd8 100644
--- a/windows/client-management/mdm/wifi-csp.md
+++ b/windows/client-management/mdm/wifi-csp.md
@@ -12,6 +12,8 @@ ms.date: 06/28/2018
# WiFi CSP
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The WiFi configuration service provider provides the functionality to add or delete Wi-Fi networks on a Windows device. The configuration service provider accepts SyncML input and converts it to a network profile that is installed on the device. This profile enables the device to connect to the Wi-Fi network when it is in range.
diff --git a/windows/client-management/mdm/wifi-ddf-file.md b/windows/client-management/mdm/wifi-ddf-file.md
index e8bbb6795d..a4ec65ad3c 100644
--- a/windows/client-management/mdm/wifi-ddf-file.md
+++ b/windows/client-management/mdm/wifi-ddf-file.md
@@ -12,6 +12,8 @@ ms.date: 06/28/2018
# WiFi DDF file
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the OMA DM device description framework (DDF) for the **WiFi** configuration service provider. DDF files are used only with OMA DM provisioning XML.
diff --git a/windows/client-management/mdm/windowslicensing-csp.md b/windows/client-management/mdm/windowslicensing-csp.md
index 24786700eb..82c46fc738 100644
--- a/windows/client-management/mdm/windowslicensing-csp.md
+++ b/windows/client-management/mdm/windowslicensing-csp.md
@@ -7,11 +7,14 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
-ms.date: 10/09/2017
+ms.date: 07/16/2018
---
# WindowsLicensing CSP
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
The WindowsLicensing configuration service provider is designed for licensing related management scenarios. Currently the scope is limited to edition upgrades of Windows 10 desktop and mobile devices, such as Windows 10 Pro to Windows 10 Enterprise. In addition, this CSP provides the capability to activate or change the product key of Windows 10 desktop devices.
The following diagram shows the WindowsLicensing configuration service provider in tree format.
@@ -157,8 +160,27 @@ The data type is a chr.
The supported operation is Get.
+**SMode**
+Interior node for managing S mode.
+**SMode/SwitchingPolicy**
+Added in Windows 10, next major version. Determines whether a consumer can switch the device out of S mode. This setting is only applicable to devices available in S mode.
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+Supported values:
+- 0 - No Restriction: The user is allowed to switch the device out of S mode.
+- 1 - User Blocked: The admin has blocked the user from switching their device out of S mode. Only the admin can switch the device out of S mode through the SMode/SwitchFromSMode node.
+
+**SMode/SwitchFromSMode**
+Added in Windows 10, next major version. Switches a device out of S mode if possible. Does not reboot.
+
+Supported operation is Execute.
+
+**SMode/Status**
+Added in Windows 10, next major version. Returns the status of the latest SwitchFromSMode set request.
+
+Value type is integer. Supported operation is Get.
## SyncML examples
diff --git a/windows/client-management/mdm/windowslicensing-ddf-file.md b/windows/client-management/mdm/windowslicensing-ddf-file.md
index df272ec6f1..8da5c10b5c 100644
--- a/windows/client-management/mdm/windowslicensing-ddf-file.md
+++ b/windows/client-management/mdm/windowslicensing-ddf-file.md
@@ -7,16 +7,19 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
-ms.date: 12/05/2017
+ms.date: 07/16/2017
---
# WindowsLicensing DDF file
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
This topic shows the OMA DM device description framework (DDF) for the **WindowsLicensing** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
-The XML below is the current version for this CSP.
+The XML below is for Windows 10, next major version.
``` syntax
@@ -42,7 +45,7 @@ The XML below is the current version for this CSP.
- com.microsoft/1.2/MDM/WindowsLicensing
+ com.microsoft/1.3/MDM/WindowsLicensing
@@ -294,21 +297,101 @@ The XML below is the current version for this CSP.
+
+ SMode
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ SwitchingPolicy
+
+
+
+
+
+
+
+ Policy that determines whether a consumer can switch the device out of S mode
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ SwitchFromSMode
+
+
+
+
+ Switches a device out of S mode if possible. Does not reboot.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ Status
+
+
+
+
+ Returns the status of the latest SwitchFromSMode or SwitchingPolicy set request.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
-```
-
-## Related topics
-
-
-[WindowsLicensing configuration service provider](windowslicensing-csp.md)
-
-
-
-
-
-
-
-
-
-
+```
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-start.md b/windows/configuration/wcd/wcd-start.md
index 186c30961e..904711ae31 100644
--- a/windows/configuration/wcd/wcd-start.md
+++ b/windows/configuration/wcd/wcd-start.md
@@ -27,7 +27,10 @@ Use Start settings to apply a customized Start screen to devices.
## StartLayout
-Use StartLayout to select the LayoutModification.xml file that applies a customized Start screen to a device.
+Use StartLayout to select the `LayoutModification.xml` file that applies a customized Start screen to a mobile device.
+
+>[!NOTE]
+>The XML file that defines the Start layout for Windows 10 Mobile must be named `LayoutModification.xml`.
For more information, see [Start layout XML for mobile editions of Windows 10 ](../mobile-devices/lockdown-xml.md)).
diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md
index 0c6c72bea1..a149748012 100644
--- a/windows/deployment/TOC.md
+++ b/windows/deployment/TOC.md
@@ -19,7 +19,7 @@
## [Deploy Windows 10](deploy.md)
-### [Overview of Windows Autopilot](windows-autopilot/windows-10-autopilot.md)
+### [Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md)
### [Windows 10 in S mode](windows-10-pro-in-s-mode.md)
### [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md)
### [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md)
diff --git a/windows/deployment/change-history-for-deploy-windows-10.md b/windows/deployment/change-history-for-deploy-windows-10.md
index afe911bf76..08d10e29c7 100644
--- a/windows/deployment/change-history-for-deploy-windows-10.md
+++ b/windows/deployment/change-history-for-deploy-windows-10.md
@@ -38,7 +38,7 @@ New or changed topic | Description
## June 2017
| New or changed topic | Description |
|----------------------|-------------|
-| [Overview of Windows Autopilot](windows-autopilot/windows-10-autopilot.md) | New |
+| [Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md) | New |
## April 2017
| New or changed topic | Description |
diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md
index ee81d5f04f..8cde17231e 100644
--- a/windows/deployment/deploy-whats-new.md
+++ b/windows/deployment/deploy-whats-new.md
@@ -40,7 +40,7 @@ For more information, see [Windows 10 Enterprise E3 in CSP](windows-10-enterpris
Windows Autopilot streamlines and automates the process of setting up and configuring new devices, with minimal interaction required from the end user. You can also use Windows Autopilot to reset, repurpose and recover devices.
-Windows Autopilot joins devices to Azure Active Directory (Azure AD), optionally enrolls into MDM services, configures security policies, and sets a custom out-of-box-experience (OOBE) for the end user. For more information, see [Overview of Windows Autopilot](windows-autopilot/windows-10-autopilot.md).
+Windows Autopilot joins devices to Azure Active Directory (Azure AD), optionally enrolls into MDM services, configures security policies, and sets a custom out-of-box-experience (OOBE) for the end user. For more information, see [Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md).
### Upgrade Readiness
diff --git a/windows/deployment/deploy.md b/windows/deployment/deploy.md
index 49d4048f3e..a38657a7be 100644
--- a/windows/deployment/deploy.md
+++ b/windows/deployment/deploy.md
@@ -17,7 +17,7 @@ Windows 10 upgrade options are discussed and information is provided about plann
|Topic |Description |
|------|------------|
-|[Overview of Windows Autopilot](windows-autopilot/windows-10-autopilot.md) |This topic provides an overview of Windows Autopilot deployment, a new zero-touch method for deploying Windows 10 in the enterprise. |
+|[Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md) |This topic provides an overview of Windows Autopilot deployment, a new zero-touch method for deploying Windows 10 in the enterprise. |
|[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) |This topic provides information about support for upgrading directly to Windows 10 from a previous operating system. |
|[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) |This topic provides information about support for upgrading from one edition of Windows 10 to another. |
|[Windows 10 volume license media](windows-10-media.md) |This topic provides information about updates to volume licensing media in the current version of Windows 10. |
diff --git a/windows/deployment/images/download.png b/windows/deployment/images/download.png
new file mode 100644
index 0000000000..266a2a196b
Binary files /dev/null and b/windows/deployment/images/download.png differ
diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md
index 494351fd7c..90965a2bd0 100644
--- a/windows/deployment/upgrade/setupdiag.md
+++ b/windows/deployment/upgrade/setupdiag.md
@@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
-ms.date: 05/30/2018
-ms.localizationpriority: medium
+ms.date: 07/18/2018
+ms.localizationpriority: high
---
# SetupDiag
@@ -18,13 +18,33 @@ ms.localizationpriority: medium
>[!NOTE]
>This is a 300 level topic (moderate advanced).
->See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article.
+>See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article.
-[SetupDiag.exe](https://go.microsoft.com/fwlink/?linkid=870142) is a standalone diagnostic tool that can be used to obtain details about why a Windows 10 upgrade was unsuccessful.
+ [](https://go.microsoft.com/fwlink/?linkid=870142)
+
+## About SetupDiag
+
+Current version of SetupDiag: 1.3.1.0
+
+SetupDiag is a standalone diagnostic tool that can be used to obtain details about why a Windows 10 upgrade was unsuccessful.
SetupDiag works by examining Windows Setup log files. It attempts to parse these log files to determine the root cause of a failure to update or upgrade the computer to Windows 10. SetupDiag can be run on the computer that failed to update, or you can export logs from the computer to another location and run SetupDiag in offline mode.
-See the [Release notes](#release-notes) section at the bottom of this topic for information about updates to this tool.
+To quickly use SetupDiag on your current computer:
+1. Verify that your system meets the [requirements](#requirements) described below. If needed, install the [.NET framework 4.6](https://www.microsoft.com/download/details.aspx?id=48137).
+2. [Download SetupDiag](https://go.microsoft.com/fwlink/?linkid=870142).
+3. If your web browser asks what to do with the file, choose **Save**. By default, the file will be saved to your **Downloads** folder. You can also save it to a different location if desired by using **Save As**.
+4. When SetupDiag has finished downloading, open the folder where you downloaded the file. As mentioned above, by default this is your **Downloads** folder which is displayed in File Explorer under **Quick access** in the left navigation pane.
+5. Double-click the **SetupDiag** file to run it. Click **Yes** if you are asked to approve running the program.
+ - Double-clicking the file to run it will automatically close the command window when SetupDiag has completed its analysis. If you wish to keep this window open instead, and review the messages that you see, run the program by typing **SetupDiag** at the command prompt instead of double-clicking it. You will need to change directories to the location of SetupDiag to run it this way.
+6. A command window will open while SetupDiag diagnoses your computer. Wait for this to finish.
+7. When SetupDiag finishes, two files will be created in the same folder where you double-clicked SetupDiag. One is a configuration file, the other is a log file.
+8. Use Notepad to open the log file: **SetupDiagResults.log**.
+9. Review the information that is displayed. If a rule was matched this can tell you why the computer failed to upgrade, and potentially how to fix the problem. See the [Text log sample](#text-log-sample) below.
+
+For instructions on how to run the tool in offline more and with more advanced options, see the [Parameters](#parameters) and [Examples](#examples) sections below.
+
+The [Release notes](#release-notes) section at the bottom of this topic has information about recent updates to this tool.
## Requirements
@@ -43,8 +63,9 @@ See the [Release notes](#release-notes) section at the bottom of this topic for
| /Output:\ | - This optional parameter enables you to specify the output file for results. This is where you will find what SetupDiag was able to determine. Only text format output is supported. UNC paths will work, provided the context under which SetupDiag runs has access to the UNC path. If the path has a space in it, you must enclose the entire path in double quotes (see the example section below).
- Default: If not specified, SetupDiag will create the file **SetupDiagResults.log** in the same directory where SetupDiag.exe is run.
|
| /Mode:\ | - This optional parameter allows you to specify the mode in which SetupDiag will operate: Offline or Online.
- Offline: tells SetupDiag to run against a set of log files already captured from a failed system. In this mode you can run anywhere you have access to the log files. This mode does not require SetupDiag to be run on the computer that failed to update. When you specify offline mode, you must also specify the /LogsPath: parameter.
- Online: tells SetupDiag that it is being run on the computer that failed to update. SetupDiag will attempt find log files and resources in standard Windows locations, such as the **%SystemDrive%\$Windows.~bt** directory for setup log files.
- Log file search paths are configurable in the SetupDiag.exe.config file, under the SearchPath key. Search paths are comma separated. Note: A large number of search paths will extend the time required for SetupDiag to return results.
- Default: If not specified, SetupDiag will run in Online mode.
|
| /LogsPath:\ | - This optional parameter is required only when **/Mode:Offline** is specified. This tells SetupDiag.exe where to find the log files. These log files can be in a flat folder format, or containing multiple subdirectories. SetupDiag will recursively search all child directories. This parameter should be omitted when the **/Mode:Online** is specified.
|
-| /ZipLogs:\ | - This optional parameter tells SetupDiag.exe to create a zip file continuing its results and all the log files it parsed. The zip file is created in the same directory where SetupDiag.exe is run.
- Default: If not specified, a value of 'true' is used.
|
+| /ZipLogs:\ | - This optional parameter tells SetupDiag.exe to create a zip file containing the results and all the log files it parsed. The zip file is created in the same directory where SetupDiag.exe is run.
- Default: If not specified, a value of 'true' is used.
|
| /Verbose | - This optional parameter will output much more data to the log file produced by SetupDiag.exe. By default SetupDiag will only produce a log file entry for serious errors. Using **/Verbose** will cause SetupDiag to always produce a log file with debugging details, which can be useful when reporting a problem with SetupDiag.
|
+| /Format:\ | - This optional parameter can be used to output log files in xml or JSON format. If this parameter is not specified, text format is used by default.
|
### Examples:
@@ -346,10 +367,26 @@ Each rule name and its associated unique rule identifier are listed with a descr
- Matches DPX expander failures in the down-level phase of update from WU. Will output the package name, function, expression and error code.
41. FindFatalPluginFailure – E48E3F1C-26F6-4AFB-859B-BF637DA49636
- Matches any plug in failure that setupplatform decides is fatal to setup. Will output the plugin name, operation and error code.
-
+42. AdvancedInstallerFailed - 77D36C96-32BE-42A2-BB9C-AAFFE64FCADC
+ - Indicates critical failure in the AdvancedInstaller while running an installer package, includes the .exe being called, the phase, mode, component and error codes.
+43. MigrationAbortedDueToPluginFailure - D07A24F6-5B25-474E-B516-A730085940C9
+ - Indicates a critical failure in a migration plugin that causes setup to abort the migration. Will provide the setup operation, plug in name, plug in action and error code.
+44. DISMAddPackageFailed - 6196FF5B-E69E-4117-9EC6-9C1EAB20A3B9
+ - Indicates a critical failure during a DISM add package operation. Will specify the Package Name, DISM error and add package error code.
## Release notes
+07/16/2018 - SetupDiag v1.3.1 is released with 44 rules, as a standalone tool available from the Download Center.
+ - This release fixes a problem that can occur when running SetupDiag in online mode on a computer that produces a setupmem.dmp file, but does not have debugger binaries installed.
+
+07/10/2018 - SetupDiag v1.30 is released with 44 rules, as a standalone tool available from the Download Center.
+ - Bug fix for an over-matched plug-in rule. The rule will now correctly match only critical (setup failure) plug-in issues.
+ - New feature: Ability to output logs in JSON and XML format.
+ - Use "/Format:xml" or "/Format:json" command line parameters to specify the new output format. See [sample logs](#sample-logs) at the bottom of this topic.
+ - If the “/Format:xml” or “/Format:json” parameter is omitted, the log output format will default to text.
+ - New Feature: Where possible, specific instructions are now provided in rule output to repair the identified error. For example, instructions are provided to remediate known blocking issues such as uninstalling an incompatible app or freeing up space on the system drive.
+ - 3 new rules added: AdvancedInstallerFailed, MigrationAbortedDueToPluginFailure, DISMAddPackageFailed.
+
05/30/2018 - SetupDiag v1.20 is released with 41 rules, as a standalone tool available from the Download Center.
- Fixed a bug in device install failure detection in online mode.
- Changed SetupDiag to work without an instance of setupact.log. Previously, SetupDiag required at least one setupact.log to operate. This change enables the tool to analyze update failures that occur prior to calling SetupHost.
@@ -364,6 +401,84 @@ Each rule name and its associated unique rule identifier are listed with a descr
03/30/2018 - SetupDiag v1.00 is released with 26 rules, as a standalone tool available from the Download Center.
+## Sample logs
+
+### Text log sample
+
+```
+Matching Profile found: OptionalComponentOpenPackageFailed - 22952520-EC89-4FBD-94E0-B67DF88347F6
+System Information:
+ Machine Name = Offline
+ Manufacturer = MSI
+ Model = MS-7998
+ HostOSArchitecture = x64
+ FirmwareType = PCAT
+ BiosReleaseDate = 20160727000000.000000+000
+ BiosVendor = BIOS Date: 07/27/16 10:01:46 Ver: V1.70
+ BiosVersion = 1.70
+ HostOSVersion = 10.0.15063
+ HostOSBuildString = 15063.0.amd64fre.rs2_release.170317-1834
+ TargetOSBuildString = 10.0.16299.15 (rs3_release.170928-1534)
+ HostOSLanguageId = 2057
+ HostOSEdition = Core
+ RegisteredAV = Windows Defender,
+ FilterDrivers = WdFilter,wcifs,WIMMount,luafv,Wof,FileInfo,
+ UpgradeStartTime = 3/21/2018 9:47:16 PM
+ UpgradeEndTime = 3/21/2018 10:02:40 PM
+ UpgradeElapsedTime = 00:15:24
+ ReportId = dd4db176-4e3f-4451-aef6-22cf46de8bde
+
+Error: SetupDiag reports Optional Component installation failed to open OC Package. Package Name: Foundation, Error: 0x8007001F
+Recommend you check the "Windows Modules Installer" service (Trusted Installer) is started on the system and set to automatic start, reboot and try the update again. Optionally, you can check the status of optional components on the system (search for Windows Features), uninstall any unneeded optional components, reboot and try the update again.
+Error: SetupDiag reports down-level failure, Operation: Finalize, Error: 0x8007001F - 0x50015
+Refer to https://docs.microsoft.com/en-us/windows/deployment/upgrade/upgrade-error-codes for error information.
+```
+
+### XML log sample
+
+```
+
+
+ 1.3.0.0
+ DiskSpaceBlockInDownLevel
+ 6080AFAC-892E-4903-94EA-7A17E69E549E
+
+ Offline
+ Microsoft Corporation
+ Virtual Machine
+ x64
+ UEFI
+ 20171012000000.000000+000
+ Hyper-V UEFI Release v2.5
+ Hyper-V UEFI Release v2.5
+ 10.0.14393
+ 14393.1794.amd64fre.rs1_release.171008-1615
+ 10.0.16299.15 (rs3_release.170928-1534)
+ 1033
+ Core
+
+
+ 2017-12-21T12:56:22
+
+ 2017-12-21T13:22:46
+ 0001-01-01T00:00:00
+ 0001-01-01T00:00:00
+
+ Offline
+ 06600fcd-acc0-40e4-b7f8-bb984dc8d05a
+ 06600fcd-acc0-40e4-b7f8-bb984dc8d05a
+
+ Warning: Found Disk Space Hard Block.
+ You must free up at least "6603" MB of space on the System Drive, and try again.
+
+```
+
+### JSON log sample
+
+```
+{"Version":"1.3.0.0","ProfileName":"DiskSpaceBlockInDownLevel","ProfileGuid":"6080AFAC-892E-4903-94EA-7A17E69E549E","SystemInfo":{"BiosReleaseDate":"20171012000000.000000+000","BiosVendor":"Hyper-V UEFI Release v2.5","BiosVersion":"Hyper-V UEFI Release v2.5","CV":null,"CommercialId":"Offline","FilterDrivers":"","FirmwareType":"UEFI","HostOSArchitecture":"x64","HostOSBuildString":"14393.1794.amd64fre.rs1_release.171008-1615","HostOSEdition":"Core","HostOSLanguageId":"1033","HostOSVersion":"10.0.14393","MachineName":"Offline","Manufacturer":"Microsoft Corporation","Model":"Virtual Machine","RegisteredAV":"","ReportId":"06600fcd-acc0-40e4-b7f8-bb984dc8d05a","RollbackElapsedTime":"PT0S","RollbackEndTime":"\/Date(-62135568000000-0800)\/","RollbackStartTime":"\/Date(-62135568000000-0800)\/","SDMode":1,"SetupReportId":"06600fcd-acc0-40e4-b7f8-bb984dc8d05a","TargetOSArchitecture":null,"TargetOSBuildString":"10.0.16299.15 (rs3_release.170928-1534)","UpgradeElapsedTime":"PT26M24S","UpgradeEndTime":"\/Date(1513891366000-0800)\/","UpgradeStartTime":"\/Date(1513889782000-0800)\/"},"FailureData":["Warning: Found Disk Space Hard Block."],"DeviceDriverInfo":null,"Remediation":["You must free up at least \"6603\" MB of space on the System Drive, and try again."]}
+```
+
## Related topics
[Resolve Windows 10 upgrade errors: Technical information for IT Pros](https://docs.microsoft.com/en-us/windows/deployment/upgrade/resolve-windows-10-upgrade-errors)
\ No newline at end of file
diff --git a/windows/deployment/windows-autopilot/TOC.md b/windows/deployment/windows-autopilot/TOC.md
index 3bdaf3e0ba..13ef2ce85b 100644
--- a/windows/deployment/windows-autopilot/TOC.md
+++ b/windows/deployment/windows-autopilot/TOC.md
@@ -1,8 +1,23 @@
-# [Overview of Windows Autopilot](windows-10-autopilot.md)
-
-## [The Windows Autopilot Deployment Program in Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles)
-## [The Windows Autopilot Deployment Program in Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot)
-## [The Windows Autopilot Deployment Program in Microsoft 365 Business & Office 365 Admin portal](https://support.office.com/article/Create-and-edit-Autopilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa)
-## [The Windows Autopilot Deployment Program in Partner Center](https://msdn.microsoft.com/partner-center/autopilot)
-## [Demo the Windows Autopilot Deployment Program on a Virtual Machine](windows-10-autopilot-demo-vm.md)
-
+# [Windows Autopilot](windows-autopilot.md)
+## [Requirements](windows-autopilot-requirements.md)
+### [Configuration requirements](windows-autopilot-requirements-configuration.md)
+### [Network requirements](windows-autopilot-requirements-network.md)
+### [Licensing requirements](windows-autopilot-requirements-licensing.md)
+## [Scenarios and Capabilities](windows-autopilot-scenarios.md)
+### [User-driven mode](user-driven.md)
+### [Self-deploying mode](self-deploying.md)
+### [Enrollment status page](enrollment-status.md)
+### [Windows Autopilot Reset](windows-autopilot-reset.md)
+#### [Remote reset](windows-autopilot-reset-remote.md)
+#### [Local reset](windows-autopilot-reset-local.md)
+## Administering Autopilot
+### [Configuring](configure-autopilot.md)
+#### [Adding devices](add-devices.md)
+#### [Creating profiles](profiles.md)
+### [Administering Autopilot via Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles)
+### [Administering Autopilot via Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot)
+### [Administering Autopilot via Microsoft 365 Business & Office 365 Admin portal](https://support.office.com/article/Create-and-edit-Autopilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa)
+### [Administering Autopilot via Partner Center](https://msdn.microsoft.com/partner-center/autopilot)
+## Getting started
+### [Demonstrate Autopilot deployment on a VM](demonstrate-deployment-on-vm.md)
+## [Troubleshooting](troubleshooting.md)
diff --git a/windows/deployment/windows-autopilot/add-devices.md b/windows/deployment/windows-autopilot/add-devices.md
new file mode 100644
index 0000000000..f01143dd4c
--- /dev/null
+++ b/windows/deployment/windows-autopilot/add-devices.md
@@ -0,0 +1,67 @@
+---
+title: Adding devices
+description: How to add devices to Windows Autopilot
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: high
+ms.sitesec: library
+ms.pagetype: deploy
+author: coreyp-at-msft
+ms.author: coreyp
+ms.date: 06/01/18
+---
+
+# Adding devices to Windows Autopilot
+
+**Applies to**
+
+- Windows 10
+
+Before deploying a device using Windows Autopilot, the device must be registered with the Windows Autopilot deployment service. Ideally, this would be performed by the OEM, reseller, or distributor from which the devices were purchased, but this can also be done by the organization by collecting the hardware identity and uploading it manually.
+
+## Device identification
+
+To define a device to the Windows Autopilot deployment service, a unique hardware ID for the device needs to be captured and uploaded to the service. While this step is ideally done by the hardware vendor (OEM, reseller, or distributor), automatically associating the device with an organization, it is also possible to do this through a harvesting process that collects the device from within a running Windows 10 version 1703 or later installation.
+
+The hardware ID, also commonly referred to as a hardware hash, contains several details about the device, including its manufacturer, model, device serial number, hard drive serial number, and many other attributes that can be used to uniquely identify that device.
+
+Note that the hardware hash also contains details about when it was generated, so it will change each time it is generated. When the Windows Autopilot Deployment Service attempts to match a device, it considers changes like that, as well as more substantial changes such as a new hard drive, and is still able to match successfully. But substantial changes to the hardware, such as motherboard replacement, would not match, so the device would need to be re-uploaded.
+
+## Collecting the hardware ID from existing devices using PowerShell
+
+The hardware ID, or hardware hash, for an existing device is available through Windows Management Instrumentation (WMI), as long as that device is running Windows 10 version 1703 or later. To help gather this information, as well as the serial number of the device (useful to see at a glance the machine to which it belongs), a PowerShell script called [Get-WindowsAutoPilotInfo.ps1 has been published to the PowerShell Gallery website](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo).
+
+To use this script, you can download it from the PowerShell Gallery and run it on each computer, or you can install it directly from the PowerShell Gallery. To install it directly and capture the hardware hash from the local computer, these commands can be used:
+
+*md c:\\HWID*
+
+*Set-Location c:\\HWID*
+
+*Set-ExecutionPolicy Unrestricted*
+
+*Install-Script -Name Get-WindowsAutoPilotInfo*
+
+*Get-WindowsAutoPilotInfo.ps1 -OutputFile AutoPilotHWID.csv*
+
+Note that you must run this PowerShell script with administrator privileges (elevated). It can also be run remotely, as long as WMI permissions are in place and WMI is accessible through the Windows Firewall on that remote computer. See the Get-WindowsAutoPilotInfo script’s help (using “Get-Help Get-WindowsAutoPilotInfo.ps1”) for more information.
+
+## Collecting the hardware ID from existing devices using System Center Configuration Manager
+
+Starting with System Center Configuration Manager current branch version 1802, the hardware hashes for existing Windows 10 version 1703 and higher devices are automatically collected by Configuration Manager. See the [What’s new in version 1802](https://docs.microsoft.com/en-us/sccm/core/plan-design/changes/whats-new-in-version-1802#report-on-windows-autopilot-device-information) documentation for more details.
+
+## Uploading hardware IDs
+
+Once the hardware IDs have been captured from existing devices, they can be uploaded through a variety of means. See the detailed documentation for each available mechanism:
+
+For guidance on how to register devices, configure and apply deployment profiles, follow one of the available administration options:
+
+- [Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot)
+
+- [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles)
+
+- [Microsoft 365 Business & Office 365 Admin](https://support.office.com/article/Create-and-edit-AutoPilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa)
+
+- [Partner Center](https://msdn.microsoft.com/partner-center/autopilot)
+
+For those using Microsoft Intune, devices should normally be uploaded via Intune; for those using Microsoft 365 Business, its administrative portal would be used. For [Cloud Solution Provider (CSP)](https://partnercenter.microsoft.com/en-us/partner/cloud-solution-provider) partners uploading devices on the behalf of a customer that they are authorized to manage, Partner Center can be used. For any other scenario, the Microsoft Store for Business is available.
diff --git a/windows/deployment/windows-autopilot/configure-autopilot.md b/windows/deployment/windows-autopilot/configure-autopilot.md
new file mode 100644
index 0000000000..c5856a1af6
--- /dev/null
+++ b/windows/deployment/windows-autopilot/configure-autopilot.md
@@ -0,0 +1,32 @@
+---
+title: Configure Autopilot deployment
+description: How to configure Windows Autopilot deployment
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: high
+ms.sitesec: library
+ms.pagetype: deploy
+author: coreyp-at-msft
+ms.author: coreyp
+ms.date: 06/01/18
+---
+
+# Configure Autopilot deployment
+
+**Applies to**
+
+- Windows 10
+
+## Deploying new devices
+
+When deploying new devices using Windows Autopilot, a common set of steps are required:
+
+1. [Register devices with the Windows Autopilot deployment service](add-devices.md). Ideally, this step would be performed by the OEM, reseller, or distributor from which the devices were purchased, but this can also be done by the organization by collecting the hardware identity and uploading it manually.
+
+2. [Assign a profile of settings to each device](profiles.md), specifying how the device should be deployed and what user experience should be presented.
+
+3. Boot the device. When the device is connected to a network with internet access, it will contact the Windows Autopilot deployment service to see if the device is registered, and if it is, it will download the profile settings which are used to customize the end user experience.
+
+
+
diff --git a/windows/deployment/windows-autopilot/windows-10-autopilot-demo-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
similarity index 94%
rename from windows/deployment/windows-autopilot/windows-10-autopilot-demo-vm.md
rename to windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
index a093eb31cd..ca44b1c9f9 100644
--- a/windows/deployment/windows-autopilot/windows-10-autopilot-demo-vm.md
+++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
@@ -1,5 +1,5 @@
---
-title: Demo the Windows Autopilot Deployment Program on a Virtual Machine
+title: Demonstrate Autopilot deployment on a VM
description: Step-by-step instructions on how to set-up a Virtual Machine with a Windows Autopilot deployment
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
@@ -8,11 +8,11 @@ ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: deploy
author: coreyp-at-msft
-ms.author: coreyp
-ms.date: 05/09/18
+ms.author: greg-lindsay
+ms.date: 07/13/18
---
-# Demo the Windows Autopilot Deployment Program on a Virtual Machine
+# Demonstrate Autopilot deployment on a VM
**Applies to**
@@ -27,10 +27,10 @@ In this topic you'll learn how to set-up a Windows Autopilot deployment for a Vi
These are the thing you'll need on your device to get started:
* Installation media for the latest version of Windows 10 Professional or Enterprise (ISO file)
-* Internet access (see [Network connectivity requirements](windows-10-autopilot.md#network-connectivity-requirements))
+* Internet access (see [Network connectivity requirements](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot#network-connectivity-requirements))
* Hypervisor needs to be unoccupied, or used by Hyper-V, as we will be using Hyper-V to create the Virtual Machine
-See additional prerequisites in the [Windows Autopilot overview topic](windows-10-autopilot.md#prerequisites).
+See additional prerequisites in the [Windows Autopilot overview topic](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot#prerequisites).
## Create your Virtual Machine
@@ -209,4 +209,3 @@ Once you select a language and a keyboard layout, your company branded sign-in s
Windows Autopilot will now take over to automatically join your Virtual Machine into Azure Active Directory and enroll it to Microsoft Intune. Use the checkpoints you've created to go through this process again with different settings.
-Missing something in this topic? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=windows-10-autopilot-demo-vm.md).
\ No newline at end of file
diff --git a/windows/deployment/windows-autopilot/enrollment-status.md b/windows/deployment/windows-autopilot/enrollment-status.md
new file mode 100644
index 0000000000..a63c814e8c
--- /dev/null
+++ b/windows/deployment/windows-autopilot/enrollment-status.md
@@ -0,0 +1,52 @@
+---
+title: Windows Autopilot Enrollment Status page
+description: Gives an overview of the enrollment status page capabilities, configuration
+keywords: Autopilot Plug and Forget, Windows 10
+ms.prod: w10
+ms.technology: Windows
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype:
+ms.localizationpriority: high
+author: coreyp-at-msft
+ms.author: coreyp
+ms.date: 06/01/2018
+---
+
+# Windows Autopilot Enrollment Status page
+
+The Windows Autopilot Enrollment Status page displaying the status of the complete device configuration process. Incorporating feedback from customers, this provides information to the user to show that the device is being set up and can be configured to prevent access to the desktop until the configuration is complete.
+
+ 
+
+## Available settings
+
+ The following settings can be configured:
+
+ - Show app and profile installation progress. When enabled, the Enrollment Status page is displayed.
+ - Block device use until all apps and profiles are installed. When enabled, the Enrollment Status page will be displayed until the device configuraton process is complete. When not enabled, the user can dismiss the page at any time.
+ - Allow users to reset device if installation errors occur.
+ - Allow users to use device if installation errors occur.
+ - Show error when installation takes longer than the specified number of minutes.
+ - Show custom error message when an error occurs.
+ - Allow users to collect logs about installation errors.
+
+## Installation progresss tracked
+
+The Enrollment Status page tracks a subset of the available MDM CSP policies that are delivered to the device as part of the complete device configuration process. The specific types of policies that are tracked include:
+
+- Certain types of app installations.
+ - Enterprise modern apps (Appx/MSIX) installed by the [Enterprise Modern App Managment CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/enterprisemodernappmanagement-csp).
+ - Enterprise desktop apps (single-file MSIs) installed by the [Enterprise Desktop App Management CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/enterprisedesktopappmanagement-csp).
+- Certain device configuration policies.
+
+Presently the following types of policies are not tracked:
+
+- Intune Management Extentions PowerShell scripts.
+- Office 365 ProPlus installations.
+- System Center Configuration Manager apps, packages, and task sequences.
+
+## For more information
+
+For more information on configuring the Enrollment Status page, [see the Microsoft Intune documentation](https://docs.microsoft.com/en-us/intune/windows-enrollment-status). For details about the underlying implementation, see the [FirstSyncStatus details in the DMClient CSP docuementation](https://docs.microsoft.com/en-us/windows/client-management/mdm/dmclient-csp).
+
diff --git a/windows/deployment/windows-autopilot/images/autopilot-reset-customlogin.png b/windows/deployment/windows-autopilot/images/autopilot-reset-customlogin.png
new file mode 100644
index 0000000000..d86cb57895
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/autopilot-reset-customlogin.png differ
diff --git a/windows/deployment/windows-autopilot/images/autopilot-reset-lockscreen.png b/windows/deployment/windows-autopilot/images/autopilot-reset-lockscreen.png
new file mode 100644
index 0000000000..f6fa6d3467
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/autopilot-reset-lockscreen.png differ
diff --git a/windows/deployment/windows-autopilot/images/enrollment-status-page.png b/windows/deployment/windows-autopilot/images/enrollment-status-page.png
new file mode 100644
index 0000000000..9bb550c20b
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/enrollment-status-page.png differ
diff --git a/windows/deployment/windows-autopilot/images/image1.png b/windows/deployment/windows-autopilot/images/image1.png
new file mode 100644
index 0000000000..ed70e84120
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/image1.png differ
diff --git a/windows/deployment/windows-autopilot/images/image2.png b/windows/deployment/windows-autopilot/images/image2.png
new file mode 100644
index 0000000000..9790d50b35
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/image2.png differ
diff --git a/windows/deployment/windows-autopilot/images/self-deploy-welcome.png b/windows/deployment/windows-autopilot/images/self-deploy-welcome.png
new file mode 100644
index 0000000000..3ab1e4b304
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/self-deploy-welcome.png differ
diff --git a/windows/deployment/windows-autopilot/images/windows_glyph.png b/windows/deployment/windows-autopilot/images/windows_glyph.png
new file mode 100644
index 0000000000..3a41d4dfb1
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/windows_glyph.png differ
diff --git a/windows/deployment/windows-autopilot/profiles.md b/windows/deployment/windows-autopilot/profiles.md
new file mode 100644
index 0000000000..fc61dba235
--- /dev/null
+++ b/windows/deployment/windows-autopilot/profiles.md
@@ -0,0 +1,35 @@
+---
+title: Configure Autopilot profiles
+description: How to configure Windows Autopilot deployment
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: high
+ms.sitesec: library
+ms.pagetype: deploy
+author: coreyp-at-msft
+ms.author: coreyp
+ms.date: 06/01/18
+---
+
+# Configure Autopilot profiles
+
+**Applies to**
+
+- Windows 10
+
+For each device that has been defined to the Windows Autopilot deployment service, a profile of settings needs to be applied to specify the exact behavior of that device when it is deployed. The following profile settings are available:
+
+- **Skip Cortana, OneDrive and OEM registration setup pages**. All devices registered with Autopilot will automatically skip these pages during the out-of-box experience (OOBE) process.
+
+- **Automatically setup for work or school**. All devices registered with Autopilot will automatically be considered work or school devices, so this question will not be asked during the OOBE process.
+
+- **Sign in experience with company branding**. Instead of presenting a generic Azure Active Directory sign-in page, all devices registered with Autopilot will automatically present a customized sign-in page with the organization’s name, logon, and additional help text, as configured in Azure Active Directory. See [Add company branding to your directory](https://docs.microsoft.com/azure/active-directory/customize-branding#add-company-branding-to-your-directory) to customize these settings.
+
+- **Skip privacy settings**. This optional Autopilot profile setting enables organizations to not ask about privacy settings during the OOBE process. This is typically desirable so that the organization can configure these settings via Intune or other management tool.
+
+- **Disable local admin account creation on the device**. Organizations can decide whether the user setting up the device should have administrator access once the process is complete.
+
+- **Skip End User License Agreement (EULA)**. Starting in Windows 10 version 1709, organizations can decide to skip the EULA page presented during the OOBE process. This means that organizations accept the EULA terms on behalf of their users.
+
+- **Disable Windows consumer features**. Starting in Windows 10 version 1803, organizations can disable Windows consumer features so that the device does not automatically install any additional Microsoft Store apps when the user first signs into the device. See the [MDM documentation](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsconsumerfeatures) for more details.
diff --git a/windows/deployment/windows-autopilot/rip-and-replace.md b/windows/deployment/windows-autopilot/rip-and-replace.md
new file mode 100644
index 0000000000..b75fced878
--- /dev/null
+++ b/windows/deployment/windows-autopilot/rip-and-replace.md
@@ -0,0 +1,19 @@
+---
+title: Rip and Replace
+description: Listing of Autopilot scenarios
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: high
+ms.sitesec: library
+ms.pagetype: deploy
+author: coreyp-at-msft
+ms.author: coreyp
+ms.date: 06/01/2018
+---
+
+# Rip and replace
+
+**Applies to: Windows 10**
+
+DO NOT PUBLISH. Just a placeholder for now, coming with 1809.
\ No newline at end of file
diff --git a/windows/deployment/windows-autopilot/self-deploying.md b/windows/deployment/windows-autopilot/self-deploying.md
new file mode 100644
index 0000000000..278068cc1c
--- /dev/null
+++ b/windows/deployment/windows-autopilot/self-deploying.md
@@ -0,0 +1,76 @@
+---
+title: Windows Autopilot Self-Deploying mode (Preview)
+description: Gives an overview of Autopilot Plug and Forget and how to use it.
+keywords: Autopilot Plug and Forget, Windows 10
+ms.prod: w10
+ms.technology: Windows
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype:
+ms.localizationpriority: high
+author: coreyp-at-msft
+ms.author: coreyp
+ms.date: 06/01/2018
+---
+
+# Windows Autopilot Self-Deploying mode (Preview)
+
+**Applies to: Windows 10, build 17672 or later**
+
+Windows Autopilot self-deploying mode offers truly zero touch provisioning. With this mode, all you need to do is power on a device, plug it into Ethernet, and watch Windows Autopilot fully configure the device. No additional user interaction is required.
+>[!NOTE]
+>In order to display an organization-specific logo and organization name during the Autopilot process, Azure Active Directory Company Branding needs to be configured with the images and text that should be displayed. See [Quickstart: Add company branding to your sign-in page in Azure AD](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/customize-branding) for more details.
+
+
+
+>[!NOTE]
+>While today there is a “Next” button that must be clicked to continue the deployment process, and an Activities opt-in page in OOBE, both of these will be removed in future Insider Preview builds to enable a completely automated deployment process – no user authentication or user interaction will be required.
+
+Self-deploying mode can register the device into an organization’s Azure Active Directory tenant, enroll the device in the organization’s mobile device management (MDM) provider (leveraging Azure AD for automatic MDM enrollment), and ensure that all policies, applications, certificates, and networking profiles are provisioned on the device before the user ever logs on (levering the enrollment status page to prevent access to the desktop until the device is fully provisioned).
+
+>[!NOTE]
+>Self-deploying mode does not support Active Directory Join or Hybrid Azure AD Join. All devices will be joined to Azure Active Directory.
+
+Because self-deploying mode uses a device’s TPM 2.0 hardware to authenticate the device into an organization’s Azure AD tenant, devices without TPM 2.0 cannot be used with this mode.
+
+>[!NOTE]
+>If you attempt a self-deploying mode deployment on a device that does not have support TPM 2.0 or on a virtual machine, the process will fail when verifying the device with an 0x800705B4 timeout error.
+
+Windows Autopilot self-deploying mode enables you to effortlessly deploy Windows 10 as a kiosk, digital signage device, or a shared device. When setting up a kiosk, you can leverage the new Kiosk Browser, an app built on Microsoft Edge that can be used to create a tailored, MDM-managed browsing experience. When combined with MDM policies to create a local account and configure it to automatically log on, the complete configuration of the device can be automated. Find out more about these options by reading simplifying kiosk management for IT with Windows 10. See [Set up a kiosk or digital sign in Intune or other MDM service](https://docs.microsoft.com/en-us/windows/configuration/setup-kiosk-digital-signage#set-up-a-kiosk-or-digital-sign-in-intune-or-other-mdm-service) for additional details.
+
+Windows Autopilot self-deploying mode is available on Windows 10 build 17672 or higher. When configuring an Autopilot profile in Microsoft Intune, you’ll see a new drop-down menu that asks for the deployment mode. In that menu, select Self-deploying (preview) and apply that profile to the devices you’d like to validate.
+
+## Step by step
+
+In order to perform a self-deploying mode deployment using Windows Autopilot, the following preparation steps need to be completed:
+
+- Create an Autopilot profile for self-deploying mode with the desired settings. In Microsoft Intune, this mode is explicitly chosen when creating the profile. (Note that it is not possible to create a profile in the Microsoft Store for Business or Partner Center for self-deploying mode.)
+- If using Intune, create a device group in Azure Active Directory and assign the Autopilot profile to that group.
+
+For each machine that will be deployed using self-deploying mode, these additional steps are needed:
+
+- Ensure that the device supports TPM 2.0 and device attestation. (Note that virtual machines are not supported.)
+- Ensure that the device has been added to Windows Autopilot. This can be done automatically by an OEM or partner at the time the device is purchased, or it can be done through a manual harvesting process later. See [Adding devices to Windows Autopilot](add-devices.md) for more information.
+- Ensure an Autopilot profile has been assigned to the device:
+ - If using Intune and Azure Active Directory dynamic device groups, this can be done automatically.
+ - If using Intune and Azure Active Directory static device groups, manually add the device to the device group.
+ - If using other methods (e.g. Microsoft Store for Business or Partner Center), manually assign an Autopilot profile to the device.
+
+## Validation
+
+When performing a self-deploying mode deployment using Windows Autopilot, the following end-user experience should be observed:
+
+- Once connected to a network, the Autopilot profile will be downloaded.
+- If the Autopilot profile has been configured to automatically configure the language, locale, and keyboard layout, these OOBE screens should be skipped as long as Ethernet connectivity is available. Otherwise, manual steps are required:
+ - If multiple languages are preinstalled in Windows 10, the user must pick a language.
+ - The user must pick a locale and a keyboard layout, and optionally a second keyboard layout.
+- If connected via Ethernet, no network prompt is expected. If no Ethernet connection is available and Wi-fi is built in, the user needs to connect to a wireless network.
+- Windows 10 will check for critical OOBE updates, and if any are available they will be automatically installed (rebooting if required).
+- The device will join Azure Active Directory.
+- After joining Azure Active Directory, the device will enroll in Intune (or other configured MDM services).
+- The [enrollment status page](enrollment-status.md) will be displayed.
+- Depending on the device settings deployed, the device will either:
+ - Remain at the logon screen, where any member of the organization can log on by specifying their Azure AD credentials.
+ - Automatically sign in as a local account, for devices configured as a kiosk or digital signage.
+
+In case the observed results do not match these expectations, consult the [Windows Autopilot Troubleshooting](troubleshooting.md) documentation.
\ No newline at end of file
diff --git a/windows/deployment/windows-autopilot/troubleshooting.md b/windows/deployment/windows-autopilot/troubleshooting.md
new file mode 100644
index 0000000000..6a9b183060
--- /dev/null
+++ b/windows/deployment/windows-autopilot/troubleshooting.md
@@ -0,0 +1,92 @@
+---
+title: Troubleshooting Windows Autopilot
+description: This topic goes over Windows Autopilot and how it helps setup OOBE Windows 10 devices.
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: high
+ms.sitesec: library
+ms.pagetype: deploy
+author: coreyp-at-msft
+ms.author: coreyp
+ms.date: 06/01/2018
+---
+
+# Troubleshooting Windows Autopilot
+
+**Applies to: Windows 10**
+
+Windows Autopilot is designed to simplify all parts of the Windows device lifecycle, but there are always situations where issues may arise, either due to configuration or other issues. To assist with troubleshooting efforts, review the following information.
+
+## Windows Autopilot deployment
+
+Regardless of whether performing user-driven or self-deploying device deployments, the troubleshooting process is the mostly the same. It is useful to understand the flow for a specific device:
+
+- Network connection established. This can be a wireless (Wi-fi) or wired (Ethernet) connection.
+- Windows Autopilot profile downloaded. Whether using a wired connection or manually establishing a wireless connection, the Windows Autopilot profile will be downloaded from the Autopilot deployment service as soon as the network connection is in place.
+- User authentication. When performing a user-driven deployment, the user will enter their Azure Active Directory credentials, which will be validated.
+- Azure Active Directory join. For user-driven deployments, the device will be joined to Azure AD using the specified user credentials. For self-deploying scenarios, the device will be joined without specifying any user credentials.
+- Automatic MDM enrollment. As part of the Azure AD join process, the device will enroll in the MDM service configured in Azure AD (e.g. Microsoft Intune).
+- Settings are applied. If the [enrollment status page](enrollment-status.md) is configured, most settings will be applied while the enrollment status page is displayed. If not configured or available, settings will be applied after the user is signed in.
+
+For troubleshooting, key activities to perform are:
+
+- Configuration. Has Azure Active Directory and Microsoft Intune (or an equivalent MDM service) been configured as specified in [Windows Autopilot configuration requirements](windows-autopilot-requirements-configuration.md)?
+- Network connectivity. Can the device access the services described in [Windows Autopilot networking requirements](windows-autopilot-requirements-network.md)?
+- Autopilot OOBE behavior. Were only the expected out-of-box experience screens displayed? Was the Azure AD credentials page customized with organization-specific details as expected?
+- Azure AD join issues. Was the device able to join Azure Active Directory?
+- MDM enrollment issues. Was the device able to enroll in Microsoft Intune (or an equivalent MDM service)?
+
+### Troubleshooting Autopilot OOBE issues
+
+If the expected Autopilot behavior does not occur during the out-of-box experience (OOBE), it is useful to see whether the device received an Autopilot profile and what settings that profile contained. Depending on the Windows 10 release, there are different mechanisms available to do that.
+
+#### Windows 10 version 1803 and above
+
+To see details related to the Autopilot profile settings and OOBE flow, Windows 10 version 1803 and above adds event log entries. These can be viewed using Event Viewer, navigating to the log at **Application and Services Logs –> Microsoft –> Windows –> Provisioning-Diagnostics-Provider –> AutoPilot**. The following events may be recorded, depending on the scenario and profile configuration.
+
+| Event ID | Type | Description |
+|----------|------|-------------|
+| 100 | Warning | “AutoPilot policy [name] not found.” This is typically a temporary problem, while the device is waiting for an Autopilot profile to be downloaded. |
+| 101 | Info | “AutoPilotGetPolicyDwordByName succeeded: policy name = [setting name]; policy value [value].” This shows Autopilot retrieving and processing numeric OOBE settings. |
+| 103 | Info | “AutoPilotGetPolicyStringByName succeeded: policy name = [name]; value = [value].” This shows Autopilot retrieving and processing OOBE setting strings such as the Azure AD tenant name. |
+| 109 | Info | “AutoPilotGetOobeSettingsOverride succeeded: OOBE setting [setting name]; state = [state].” This shows Autopilot retrieving and processing state-related OOBE settings. |
+| 111 | Info | “AutoPilotRetrieveSettings succeeded.” This means that the settings stored in the Autopilot profile that control the OOBE behavior have been retrieved successfully. |
+| 153 | Info | “AutoPilotManager reported the state changed from [original state] to [new state].” Typically this should say “ProfileState_Unknown” to “ProfileState_Available” to show that a profile was available for the device and downloaded, so the device is ready to be deployed using Autopilot. |
+| 160 | Info | “AutoPilotRetrieveSettings beginning acquisition.” This shows that Autopilot is getting ready to download the needed Autopilot profile settings. |
+| 161 | Info | “AutoPilotManager retrieve settings succeeded.” The Autopilot profile was successfully downloaded. |
+| 163 | Info | “AutoPilotManager determined download is not required and the device is already provisioned. Clean or reset the device to change this.” This message indicates that an Autopilot profile is resident on the device; it typically would only be removed by the **Sysprep /Generalize** process. |
+| 164 | Info | “AutoPilotManager determined Internet is available to attempt policy download.” |
+| 171 | Error | “AutoPilotManager failed to set TPM identity confirmed. HRESULT=[error code].” This indicates an issue performing TPM attestation, needed to complete the self-deploying mode process. |
+| 172 | Error | “AutoPilotManager failed to set AutoPilot profile as available. HRESULT=[error code].” This is typically related to event ID 171. |
+
+In addition to the event log entries, the registry and ETW trace options described below also work with Windows 10 version 1803 and above.
+
+#### Windows 10 version 1709 and above
+
+On Windows 10 version 1709 and above, information about the Autopilot profile settings are stored in the registry on the device after they are received from the Autopilot deployment service. These can be found at **HKLM\SOFTWARE\Microsoft\Provisioning\Diagnostics\AutoPilot**. Available registry entries include:
+
+| Value | Description |
+|-------|-------------|
+| AadTenantId | The GUID of the Azure AD tenant the user signed into. This should match the tenant that the device was registered with; if it does not match the user will receive an error. |
+| CloudAssignedTenantDomain | The Azure AD tenant the device has been registered with, e.g. “contosomn.onmicrosoft.com.” If the device is not registered with Autopilot, this value will be blank. |
+| CloudAssignedTenantId | The GUID of the Azure AD tenant the device has been registered with (the GUID corresponds to the tenant domain from the CloudAssignedTenantDomain registry value). If the device isn’t registered with Autopilot, this value will be blank.|
+| IsAutoPilotDisabled | If set to 1, this indicates that the device is not registered with Autopilot. This could also indicate that the Autopilot profile could not be downloaded due to network connectivity or firewall issues, or network timeouts. |
+| TenantMatched | This will be set to 1 if the tenant ID of the user matches the tenant ID that the device was registered with. If this is 0, the user would be shown an error and forced to start over. |
+| CloudAssignedOobeConfig | This is a bitmap that shows which Autopilot settings were configured. Values include: SkipCortanaOptIn = 1, OobeUserNotLocalAdmin = 2, SkipExpressSettings = 4, SkipOemRegistration = 8, SkipEula = 16 |
+
+#### Windows 10 version 1703 and above
+
+On Windows 10 version 1703 and above, ETW tracing can be used to capture detailed information from Autopilot and related components. The resulting ETW trace files can then be viewed using the Windows Performance Analyzer or similar tools. See [the advanced troubleshooting blog](https://blogs.technet.microsoft.com/mniehaus/2017/12/13/troubleshooting-windows-autopilot-level-300400/) for more information.
+
+### Troubleshooting Azure AD Join issues
+
+The most common issue joining a device to Azure AD is related to Azure AD permissions. Ensure [the correct configuration is in place](windows-autopilot-requirements-configuration.md) to allow users to join devices to Azure AD. Errors can also happen if the user has exceeded the number of devices that they are allowed to join, as configured in Azure AD.
+
+Error code 801C0003 will typically be reported on an error page titled "Something went wrong." This error means that the Azure AD join failed.
+
+### Troubleshooting Intune enrollment issues
+
+See [this knowledge base article](https://support.microsoft.com/en-us/help/4089533/troubleshooting-windows-device-enrollment-problems-in-microsoft-intune) for assistance with Intune enrollment issues. Common issues include incorrect or missing licenses assigned to the user or too many devices enrolled for the user.
+
+Error code 80180018 will typiclaly be reported on an error page titled "Something went wrong." This error means that the MDM enrollment failed.
diff --git a/windows/deployment/windows-autopilot/user-driven-aad.md b/windows/deployment/windows-autopilot/user-driven-aad.md
new file mode 100644
index 0000000000..9d2d62ae45
--- /dev/null
+++ b/windows/deployment/windows-autopilot/user-driven-aad.md
@@ -0,0 +1,19 @@
+---
+title: User-driven mode for AAD
+description: Listing of Autopilot scenarios
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: high
+ms.sitesec: library
+ms.pagetype: deploy
+author: coreyp-at-msft
+ms.author: coreyp
+ms.date: 06/01/2018
+---
+
+# Windows Autopilot user-driven mode for Azure Active Directory
+
+**Applies to: Windows 10**
+
+DO NOT PUBLISH. This eventually will contain the AAD-specific instuctions currently in user-driven.md.
diff --git a/windows/deployment/windows-autopilot/user-driven-hybrid.md b/windows/deployment/windows-autopilot/user-driven-hybrid.md
new file mode 100644
index 0000000000..3f65705d3f
--- /dev/null
+++ b/windows/deployment/windows-autopilot/user-driven-hybrid.md
@@ -0,0 +1,20 @@
+---
+title: Hybrid AAD Join
+description: Listing of Autopilot scenarios
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: high
+ms.sitesec: library
+ms.pagetype: deploy
+author: coreyp-at-msft
+ms.author: coreyp
+ms.date: 06/01/2018
+---
+
+
+# Windows Autopilot user-driven mode for Hybrid Azure Active Directory Join
+
+**Applies to: Windows 10**
+
+DO NOT PUBLISH. This eventually will contain the AD-specific (hybrid) instuctions. This will be in preview at a later point in time.
diff --git a/windows/deployment/windows-autopilot/user-driven.md b/windows/deployment/windows-autopilot/user-driven.md
new file mode 100644
index 0000000000..761a0c5fe2
--- /dev/null
+++ b/windows/deployment/windows-autopilot/user-driven.md
@@ -0,0 +1,62 @@
+---
+title: Windows Autopilot User-Driven Mode
+description: Canonical Autopilot scenario
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: high
+ms.sitesec: library
+ms.pagetype: deploy
+author: coreyp-at-msft
+ms.author: coreyp
+ms.date: 06/01/2018
+---
+
+# Windows Autopilot User-Driven Mode
+
+**Applies to: Windows 10 version 1703 and above**
+
+Windows Autopilot user-driven mode is designed to enable new Windows 10 devices to be transformed from their initial state, directly from the factory, into a ready-to-use state without requiring that IT personnel ever touch the device. The process is designed to be simple so that anyone can complete it, enabling devices to be shipped or distributed to the end user directly with simple instructions:
+
+- Unbox the device, plug it in, and turn it on.
+- Choose a language, locale and keyboard.
+- Connect it to a wireless or wired network with internet access.
+- Specify your e-mail address and password for your organization account.
+
+After completing those simple steps, the remainder of the process is completely automated, with the device being joined to the organization, enrolled in Intune (or another MDM service), and fully configured as defined by the organization. Any additional prompts during the Out-of-Box Experience (OOBE) can be supressed; see [Configuring Autopilot Profiles](profiles.md) for options that are available.
+
+Today, Windows Autopilot user-driven mode supports joining devices to Azure Active Directory. Support for Hybrid Azure Active Directory Join (with devices joined to an on-premises Active Directory domain) will be available in a future Windows 10 release. See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/device-management-introduction) for more information about the differences between these two join options.
+
+## Step by step
+
+In order to perform a user-driven deployment using Windows Autopilot, the following preparation steps need to be completed:
+
+- Ensure that the users who will be performing user-driven mode deployments are able to join devices to Azure Active Directory. See [Configure device settings](https://docs.microsoft.com/en-us/azure/active-directory/device-management-azure-portal#configure-device-settings) in the Azure Active Directory documentation for more information.
+- Create an Autopilot profile for user-driven mode with the desired settings. In Microsoft Intune, this mode is explicitly chosen when creating the profile. With Microsoft Store for Business and Partner Center, user-driven mode is the default and does not need to be selected.
+- If using Intune, create a device group in Azure Active Directory and assign the Autopilot profile to that group.
+
+For each machine that will be deployed using user-driven deployment, these additional steps are needed:
+
+- Ensure that the device has been added to Windows Autopilot. This can be done automatically by an OEM or partner at the time the device is purchased, or it can be done through a manual harvesting process later. See [Adding devices to Windows Autopilot](add-devices.md) for more information.
+- Ensure an Autopilot profile has been assigned to the device:
+ - If using Intune and Azure Active Directory dynamic device groups, this can be done automatically.
+ - If using Intune and Azure Active Directory static device groups, manually add the device to the device group.
+ - If using other methods (e.g. Microsoft Store for Business or Partner Center), manually assign an Autopilot profile to the device.
+
+## Validation
+
+When performing a user-driven deployment using Windows Autopilot, the following end-user experience should be observed:
+
+- If multiple languages are preinstalled in Windows 10, the user must pick a language.
+- The user must pick a locale and a keyboard layout, and optionally a second keyboard layout.
+- If connected via Ethernet, no network prompt is expected. If no Ethernet connection is available and Wi-fi is built in, the user needs to connect to a wireless network.
+- Once connected to a network, the Autopilot profile will be downloaded.
+- Windows 10 will check for critical OOBE updates, and if any are available they will be automatically installed (rebooting if required).
+- The user will be prompted for Azure Active Directory credentials, with a customized user experience showing the Azure AD tenant name, logo, and sign-in text.
+- Once correct credentials have been entered, the device will join Azure Active Directory.
+- After joining Azure Active Directory, the device will enroll in Intune (or other configured MDM services).
+- If configured, the [enrollment status page](enrollment-status.md) will be displayed.
+- Once the device configuration tasks have completed, the user will be signed into Windows 10 using the credentials they previously provided.
+- Once signed in, the enrollment status page will again be displayed for user-targeted configuration tasks.
+
+In case the observed results do not match these expectations, consult the [Windows Autopilot Troubleshooting](troubleshooting.md) documentation.
\ No newline at end of file
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements-configuration.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements-configuration.md
new file mode 100644
index 0000000000..ffc0f40009
--- /dev/null
+++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements-configuration.md
@@ -0,0 +1,34 @@
+---
+title: Windows Autopilot configuration requirements
+description: This topic goes over Windows Autopilot and how it helps setup OOBE Windows 10 devices.
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: high
+ms.sitesec: library
+ms.pagetype: deploy
+author: coreyp-at-msft
+ms.author: coreyp
+ms.date: 06/01/2018
+---
+
+# Windows Autopilot configuration requirements
+
+**Applies to: Windows 10**
+
+Before Windows Autopilot can be used, some configuration tasks are required to support the common Autopilot scenarios.
+
+- Configure Azure Active Directory automatic enrollment. For Microsoft Intune, see [Enable Windows 10 automatic enrollment](https://docs.microsoft.com/en-us/intune/windows-enroll#enable-windows-10-automatic-enrollment) for details. If using a different MDM service, contact the vendor for the specific URLs or configuration needed for those services.
+- Configure Azure Active Directory custom branding. In order to display an organization-specific logon page during the Autopilot process, Azure Active Directory needs to be configured with the images and text that should be displayed. See [Quickstart: Add company branding to your sign-in page in Azure AD](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/customize-branding) for more details. Note that the "square logo" and "sign-in page text" are the key elements for Autopilot, as well as the Azure Active Directory tenant name (configured separately in the Azure AD tenant properties).
+- Enable [Windows Subscription Activation](https://docs.microsoft.com/en-us/windows/deployment/windows-10-enterprise-subscription-activation) if desired, in order to automatically step up from Windows 10 Pro to Windows 10 Enterprise.
+
+Specific scenarios will then have additional requirements. Generally, there are two specific tasks:
+
+- Device registration. Devices need to be added to Windows Autopilot to support most Windows Autopilot scenarios. See [Adding devices to Windows Autopilot](add-devices.md) for more details.
+- Profile configuration. Once devices have been added to Windows Autopilot, a profile of settings needs to be applied to each device. See [Configure Autopilot profiles](profiles.md) for details. Note that Microsoft Intune can automate this profile assignment; see [Create an AutoPilot device group](https://docs.microsoft.com/en-us/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Assign an AutoPilot deployment profile to a device group](https://docs.microsoft.com/en-us/intune/enrollment-autopilot#assign-an-autopilot-deployment-profile-to-a-device-group) for more information.
+
+See [Windows Autopilot Scenarios](windows-autopilot-scenarios.md) for additional details.
+
+For a walkthrough for some of these and related steps, see this video:
+
+
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md
new file mode 100644
index 0000000000..cb4b220902
--- /dev/null
+++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md
@@ -0,0 +1,39 @@
+---
+title: Windows Autopilot licensing requirements
+description: This topic goes over Windows Autopilot and how it helps setup OOBE Windows 10 devices.
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: high
+ms.sitesec: library
+ms.pagetype: deploy
+author: coreyp-at-msft
+ms.author: coreyp
+ms.date: 06/01/2018
+---
+
+# Windows Autopilot licensing requirements
+
+**Applies to: Windows 10**
+
+Windows Autopilot depends on specific capabilities available in Windows 10 and Azure Active Directory; it also requires an MDM service such as Microsoft Intune. These capabilities can be obtained through various editions and subscription programs:
+
+- Windows 10 version 1703 or higher must be used. The Professional, Professional for Education, Business, Enterprise, and Education editions are supported.
+
+- One of the following, to provide needed Azure Active Directory (automatic MDM enrollment and company branding features) and MDM functionality:
+
+ - Microsoft 365 Business subscriptions
+
+ - Microsoft 365 F1 subscriptions
+
+ - Microsoft 365 Enterprise E3 or E5 subscriptions, which include all Windows 10, Office 365, and EM+S features (Azure AD and Intune)
+
+ - Enterprise Mobility + Security E3 or E5 subscriptions, which include all needed Azure AD and Intune features
+
+ - Azure Active Directory Premium P1 or P2 and Intune subscriptions (or an alternative MDM service)
+
+Additionally, the following are also recommended but not required:
+
+- Office 365 ProPlus, which can be deployed easily via Intune (or other MDM services)
+
+- [Windows Subscription Activation](https://docs.microsoft.com/en-us/windows/deployment/windows-10-enterprise-subscription-activation), to automatically step up devices from Windows 10 Pro to Windows 10 Enterprise
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements-network.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements-network.md
new file mode 100644
index 0000000000..6ed585912e
--- /dev/null
+++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements-network.md
@@ -0,0 +1,83 @@
+---
+title: Windows Autopilot networking requirements
+description: This topic goes over Windows Autopilot and how it helps setup OOBE Windows 10 devices.
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: high
+ms.sitesec: library
+ms.pagetype: deploy
+author: coreyp-at-msft
+ms.author: coreyp
+ms.date: 06/01/2018
+---
+
+# Windows Autopilot networking requirements
+
+**Applies to: Windows 10**
+
+Windows Autopilot depends on a variety of internet-based services; access to these services must be provided for Autopilot to function properly. In the simplest case, enabling proper functionality can be achieved by ensuring the following:
+
+- Ensure DNS name resolution for internet DNS names
+
+- Allow access to all hosts via port 80 (HTTP), 443 (HTTPS), and 123 (UDP/NTP)
+
+In environments that have more restrictive internet access, or for those that require authentication before internet access can be obtained, additional configuration may be required to whitelist access to the needed services. For additional details about each of these services and their specific requirements, review the following details:
+
+- **Windows Autopilot Deployment Service (and Windows Activation).** After a network connection is in place, each Windows 10 device will contact the Windows Autopilot Deployment Service using the same services used for Windows Activation. See the following link for details:
+
+ -
+
+- **Azure Active Directory.** User credentials are validated by Azure Active Directory, then the device may also be joined to Azure Active Directory. See the following link for more information:
+
+ -
+
+- **Intune.** Once authenticated, Azure Active Directory will trigger the enrollment of the device into the Intune MDM service. See the following link for details:
+
+ - (Network communication requirements section)
+
+- **Windows Update.** During the OOBE process, as well as after the Windows 10 OS is fully configured, the Windows Update service is leveraged to retrieve needed updates.
+
+ -
+
+ - NOTE: If Windows Update is inaccessible, the AutoPilot process will still continue.
+
+- **Delivery Optimization.** When downloading Windows Updates and Microsoft Store apps and app updates (with additional content types expected in the future), the Delivery Optimization service is contacted to enable peer-to-peer sharing of content, so that all devices don’t need to download it from the internet.
+
+ -
+
+ - NOTE: If Delivery Optimization is inaccessible, the AutoPilot process will still continue.
+
+- **Network Time Protocol (NTP) Sync.** When a Windows device starts up, it will talk to a network time server to ensure that the time on the device is accurate.
+
+ - Ensure that UDP port 123 to time.windows.com is accessible.
+
+- **Domain Name Services (DNS).** To resolve DNS names for all services, the device communicates with a DNS server, typically provided via DHCP. This DNS server must be able to resolve internet names.
+
+- **Diagnostics data.** To enable Windows Analytics and related diagnostics capabilities, see the following documentation:
+
+ -
+
+ - NOTE: If diagnostic data cannot be sent, the Autopilot process will still continue.
+
+- **Network Connection Status Indicator (NCSI).** Windows must be able to tell that the device is able to access the internet.
+
+ - (Network Connection Status Indicator section, [www.msftconnecttest.com](http://www.msftconnecttest.com) must be resolvable via DNS and accessible via HTTP)
+
+- **Windows Notification Services (WNS).** This service is used to enable Windows to receive notifications from apps and services.
+
+ - (Microsoft store section)
+
+ - NOTE: If the WNS services are not available, the Autopilot process will still continue.
+
+- **Microsoft Store, Microsoft Store for Business.** Apps in the Microsoft Store can be pushed to the device, triggered via Intune (MDM). App updates and additional apps may also be needed when the user first logs in.
+
+ - (also includes Azure AD and Windows Notification Services)
+
+ - NOTE: If the Microsoft Store is not accessible, the AutoPilot process will still continue.
+
+- **Office 365.** As part of the Intune device configuration, installation of Office 365 ProPlus may be required.
+
+ - (includes all Office services, DNS names, IP addresses; includes Azure AD and other services that may overlap with those listed above)
+
+- **Certificate revocation lists (CRLs).** Some of these services will also need to check certificate revocation lists (CRLs) for certificates used in the services. A full list of these is documented in the Office documentation at and .
\ No newline at end of file
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md
new file mode 100644
index 0000000000..1ffd9e4582
--- /dev/null
+++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md
@@ -0,0 +1,23 @@
+---
+title: Windows Autopilot requirements
+description: This topic goes over Windows Autopilot and how it helps setup OOBE Windows 10 devices.
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: high
+ms.sitesec: library
+ms.pagetype: deploy
+author: coreyp-at-msft
+ms.author: coreyp
+ms.date: 06/01/2018
+---
+
+# Windows Autopilot requirements
+
+**Applies to: Windows 10**
+
+Windows Autopilot depends on specific capabilities available in Windows 10, Azure Active Directory, and MDM services such as Microsoft Intune. In order to use Windows Autopilot and leverage these capabilities, some requirements must be met:
+
+- [Licensing requirements](windows-autopilot-requirements-licensing.md) must be met.
+- [Networking requirements](windows-autopilot-requirements-network.md) need to be met.
+- [Configuration requirements](windows-autopilot-requirements-configuration.md) need to be completed.
\ No newline at end of file
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md b/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md
new file mode 100644
index 0000000000..408201cc01
--- /dev/null
+++ b/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md
@@ -0,0 +1,64 @@
+---
+title: Reset devices using local Windows Autopilot Reset
+description: Gives an overview of Local Autopilot Reset and how to use it.
+keywords: Autopilot Reset, Windows 10
+ms.prod: w10
+ms.technology: Windows
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype:
+ms.localizationpriority: high
+author: coreyp-at-msft
+ms.author: coreyp
+ms.date: 06/01/2018
+---
+
+# Reset devices with local Windows Autopilot Reset
+
+**Applies to: Windows 10, version 1709 and above
+
+IT admins can perform a local Windows Autopilot Reset to quickly remove personal files, apps, and settings, and reset Windows 10 devices from the lock screen any time and apply original settings and management enrollment (Azure Active Directory and device management) so the devices are ready to use. With a local Autopilot Reset, devices are returned to a fully configured or known IT-approved state.
+
+To enable local Autopilot Reset in Windows 10:
+
+1. [Enable the policy for the feature](#enable-autopilot-reset)
+2. [Trigger a reset for each device](#trigger-autopilot-reset)
+
+## Enable local Windows Autopilot Reset
+
+To enable a local Windows Autopilot Reset, the **DisableAutomaticReDeploymentCredentials** policy must be configured. This policy is documented in the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-credentialproviders), **CredentialProviders/DisableAutomaticReDeploymentCredentials**. By default, local Windows Autopilot is disabled. This ensures that a local Autopilot Reset is not triggered by accident.
+
+You can set the policy using one of these methods:
+
+- MDM provider
+
+ - When using Intune, you can create a new device configuration profile, specifying "Windows 10 or later" for the platform, "Device restrictions" for the profile type, and "General" for the settings category. The **Automatic Redeployment** setting should be set to **Allow**. Deploy this setting to all devices where a local reset should be permitted.
+ - If you're using an MDM provider other than Intune, check your MDM provider documentation on how to set this policy.
+
+- Windows Configuration Designer
+
+ You can [use Windows Configuration Designer](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-create-package) to set the **Runtime settings > Policies > CredentialProviders > DisableAutomaticReDeploymentCredentials** setting to 0 and then create a provisioning package.
+
+- Set up School PCs app
+
+ The latest release of the Set up School PCs app supports enabling local Windows Autopilot Reset.
+
+## Trigger local Windows Autopilot Reset
+
+Performing a local Windows Autopilot Reset is a two-step process: trigger it and then authenticate. Once you've done these two steps, you can let the process execute and once it is done, the device is again ready for use.
+
+**To trigger a local Autopilot Reset**
+
+1. From the Windows device lock screen, enter the keystroke: **CTRL +  + R**.
+
+ 
+
+ This will open up a custom login screen for the local Autopilot Reset. The screen serves two purposes:
+ 1. Confirm/verify that the end user has the right to trigger Local Autopilot Reset
+ 2. Notify the user in case a provisioning package, created using Windows Configuration Designer, will be used as part of the process.
+
+ 
+
+2. Sign in with the admin account credentials. If you created a provisioning package, plug in the USB drive and trigger the local Autopilot Reset.
+
+ Once the local Autopilot Reset is triggered, the reset process starts. Once provisioning is complete, the device is again ready for use.
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md b/windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md
new file mode 100644
index 0000000000..fe614b16a0
--- /dev/null
+++ b/windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md
@@ -0,0 +1,36 @@
+---
+title: Reset devices with remote Autopilot Reset (Preview)
+description: Gives an overview of remote Autopilot Reset and how to use it.
+keywords: Autopilot Reset, Windows 10
+ms.prod: w10
+ms.technology: Windows
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype:
+ms.localizationpriority: high
+author: coreyp-at-msft
+ms.author: coreyp
+ms.date: 06/01/2018
+---
+
+# Reset devices with remote Windows Autopilot Reset (Preview)
+
+**Applies to: Windows 10, build 17672 or later**
+
+When performing a remote Windows Autopilot Reset, an MDM service such an Microsoft Intune can be used to initiate the reset process, avoiding the need for IT staff or other administrators to visit each machine to initiate the process.
+
+To enable a device for a remote Windows Autopilot Reset, the device must be MDM managed, joined to Azure AD, and configured to use the [enrollment status page](enrollment-status.md).
+
+## Triggering a remote Windows Autopilot Reset
+
+To trigger a remote Windows Autopilot Reset via Intune, follow these steps:
+
+- Navigate to **Devices** tab in the Intune console.
+- In the **All devices** view, select the targeted reset devices and then click **More** to view device actions.
+- Select **Autopilot Reset** to kick-off the reset task.
+
+>[!NOTE]
+>The Autopilot Reset option will not be enabled in Microsoft Intune for devices not running Windows 10 build 17672 or higher.
+
+Once the reset is complete, the device is again ready for use.
+
\ No newline at end of file
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-reset.md b/windows/deployment/windows-autopilot/windows-autopilot-reset.md
new file mode 100644
index 0000000000..6093540d82
--- /dev/null
+++ b/windows/deployment/windows-autopilot/windows-autopilot-reset.md
@@ -0,0 +1,53 @@
+---
+title: Windows Autopilot Reset
+description: Gives an overview of Remote Autopilot Reset and how to use it.
+keywords: Autopilot Reset, Windows 10
+ms.prod: w10
+ms.technology: Windows
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype:
+ms.localizationpriority: high
+author: coreyp-at-msft
+ms.author: coreyp
+ms.date: 06/01/2018
+---
+
+# Windows Autopilot Reset
+
+**Applies to: Windows 10**
+
+Windows Autopilot Reset removes personal files, apps, and settings and reapplies a device’s original settings, maintaining its identity connection to Azure AD and its management connection to Intune so that the device is once again ready for use. Windows Autopilot Reset takes the device back to a business-ready state, allowing the next user to sign in and get productive quickly and simply.
+
+The Windows Autopilot Reset process automatically retains information from the existing device:
+
+- Set the region, language, and keyboard to the originally-configured values.
+- Wi-Fi connection details.
+- Provisioning packages previously applied to the device, as well as a provisioning package present on a USB drive when the reset process is initiated.
+- Azure Active Directory device membership and MDM enrollment information.
+
+Windows Autopilot Reset will block the user from accessing the desktop until this information is restored, including re-applying any provisioning packages. For devices enrolled in an MDM service, Windows Autopilot Reset will also block until an MDM sync is completed. This requires configuring the device to use the [enrollment status page](enrollment-status.md).
+
+>[!IMPORTANT]
+>To reestablish Wi-Fi connectivity after reset, make sure the **Connect automatically** box is checked for the device's wireless network connection.
+
+## Scenarios
+
+Windows Autopilot Reset supports two scenarios:
+
+- [Local reset](windows-autopilot-reset-local.md), initiated by IT personnel or other administrators from the organization.
+- [Remote reset](windows-autopilot-reset-remote.md), initiated remotely by IT personnel via an MDM service such as Microsoft Intune.
+
+Additional requirements and configuration details apply with each scenario; see the detailed links above for more information.
+
+## Troubleshooting
+
+Windows Autopilot Reset requires that the [Windows Recovery Environment (WinRE)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference) is correctly configured and enabled on the device. If it is not configured and enabled, an error such as `Error code: ERROR_NOT_SUPPORTED (0x80070032)` will be reported.
+
+To make sure WinRE is enabled, use the [REAgentC.exe tool](https://docs.microsoft.com/windows-hardware/manufacture/desktop/reagentc-command-line-options) to run the following command:
+
+```
+reagentc /enable
+```
+
+If Windows Autopilot Reset fails after enabling WinRE, or if you are unable to enable WinRE, please contact [Microsoft Support](https://support.microsoft.com) for assistance.
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md b/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md
new file mode 100644
index 0000000000..2618056f2d
--- /dev/null
+++ b/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md
@@ -0,0 +1,26 @@
+---
+title: Windows Autopilot scenarios
+description: Listing of Autopilot scenarios
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: high
+ms.sitesec: library
+ms.pagetype: deploy
+author: coreyp-at-msft
+ms.author: coreyp
+ms.date: 06/01/2018
+---
+
+# Windows Autopilot scenarios
+
+**Applies to: Windows 10**
+
+Windows Autopilot includes support for a growing list of scenarios, designed to support common organization needs which can vary based on the type of organization and their progress moving to Windows 10 and [transitioning to modern management](https://docs.microsoft.com/en-us/windows/client-management/manage-windows-10-in-your-organization-modern-management).
+
+For details about these scenarios, see these additional topics:
+
+- [Windows Autopilot user-driven mode](user-driven.md), for devices that will be set up by a member of the organization and configured for that person.
+- [Windows Autopilot self-deploying mode](self-deploying.md), for devices that will be automatically configured for shared use, as a kiosk, or as a digital signage device.
+- [Windows Autopilot Reset](windows-autopilot-reset.md),
+
diff --git a/windows/deployment/windows-autopilot/windows-autopilot.md b/windows/deployment/windows-autopilot/windows-autopilot.md
new file mode 100644
index 0000000000..39eb571f2a
--- /dev/null
+++ b/windows/deployment/windows-autopilot/windows-autopilot.md
@@ -0,0 +1,26 @@
+---
+title: Overview of Windows Autopilot
+description: This topic goes over Windows Autopilot and how it helps setup OOBE Windows 10 devices.
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: high
+ms.sitesec: library
+ms.pagetype: deploy
+author: coreyp-at-msft
+ms.author: coreyp
+ms.date: 06/01/2018
+---
+
+# Overview of Windows Autopilot
+
+**Applies to: Windows 10**
+
+Windows Autopilot is designed to simplify all parts of the lifecycle of Windows devices, for both IT and end users, from initial deployment through the eventual end of life. Leveraging cloud-based services, it can reduce the overall costs for deploying, managing, and retiring devices by reducing the amount of time that IT needs to spend on these processes and the amount of infrastructure that they need to maintain, while ensuring ease of use for all types of end users.
+
+
+
+When initially deploying new Windows devices, Windows Autopilot leverages the OEM-optimized version of Windows 10 that is preinstalled on the device, saving organizations the effort of having to maintain custom images as well as drivers for every model of device being used. Instead of re-imaging the device, that existing Windows 10 installation can be transformed into a “business-ready” state, applying settings and policies, installing apps, and even changing the edition of Windows 10 being used (e.g. from Windows 10 Pro to Windows 10 Enterprise, to support advanced features).
+
+Once deployed, Windows 10 devices can be managed by tools such as Microsoft Intune, Windows Update for Business, System Center Configuration Manager, and other similar tools. Windows Autopilot can help with device re-purposing scenarios, leveraging Windows Autopilot Reset to quickly prepare a device for a new user, as well as in break/fix scenarios to enable a device to quickly be brought back to a business-ready state.
+
diff --git a/windows/privacy/windows-personal-data-services-configuration.md b/windows/privacy/windows-personal-data-services-configuration.md
index 4b824f3b1d..9c969844b3 100644
--- a/windows/privacy/windows-personal-data-services-configuration.md
+++ b/windows/privacy/windows-personal-data-services-configuration.md
@@ -109,7 +109,7 @@ This setting determines whether a device shows notifications about Windows diagn
>| **Registry key** | HKLM\Software\Policies\Microsoft\Windows\DataCollection |
>| **Value** | DisableTelemetryOptInChangeNotification |
>| **Type** | REG_DWORD |
->| **Setting** | "00000001" |
+>| **Setting** | "00000000" |
#### MDM
diff --git a/windows/security/TOC.md b/windows/security/TOC.md
index 1a508b07b8..ad302db477 100644
--- a/windows/security/TOC.md
+++ b/windows/security/TOC.md
@@ -1,5 +1,7 @@
# [Security](index.yml)
## [Identity and access management](identity-protection/index.md)
-## [Threat protection](threat-protection/index.md)
## [Information protection](information-protection/index.md)
-## [Hardware-based protection](hardware-protection/index.md)
\ No newline at end of file
+## [Hardware-based protection](hardware-protection/index.md)
+## [Threat protection](threat-protection/index.md)
+
+
diff --git a/windows/security/hardware-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md b/windows/security/hardware-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
index 95c6095ae0..3b52d2e805 100644
--- a/windows/security/hardware-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
+++ b/windows/security/hardware-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
@@ -28,7 +28,7 @@ With TPM 1.2 and Windows 10, version 1507 or 1511, you can also take the followi
- [Turn on or turn off the TPM](#turn-on-or-turn-off)
-For information about the TPM cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx).
+For information about the TPM cmdlets, see [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/trustedplatformmodule/?view=win10-ps).
## About TPM initialization and ownership
@@ -165,7 +165,7 @@ This capability was fully removed from TPM.msc in later versions of Windows.
## Use the TPM cmdlets
-You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx).
+You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/trustedplatformmodule/?view=win10-ps).
## Related topics
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
index 15a3fdc61d..d4cda1fcb1 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
@@ -217,7 +217,7 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv
5. The **Select User, Computer, Service Account, or Group** dialog box appears. In the **Enter the object name to select** text box, type **KeyCredential Admins**. Click **OK**.
6. In the **Applies to** list box, select **Descendant User objects**.
7. Using the scroll bar, scroll to the bottom of the page and click **Clear all**.
-8. In the **Properties** section, select **Read msDS-KeyCredentialLink** and **Write msDS-KeyCrendentialLink**.
+8. In the **Properties** section, select **Read msDS-KeyCredentialLink** and **Write msDS-KeyCredentialLink**.
9. Click **OK** three times to complete the task.
## Configure the Device Registration Service
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
index 3b76fcd29c..ce00462dc9 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
@@ -38,7 +38,7 @@ Sign-in a domain controller or management workstations with *Domain Admin* equiv
5. The **Select User, Computer, Service Account, or Group** dialog box appears. In the **Enter the object name to select** text box, type **KeyCredential Admins**. Click **OK**.
6. In the **Applies to** list box, select **Descendant User objects**.
7. Using the scroll bar, scroll to the bottom of the page and click **Clear all**.
-8. In the **Properties** section, select **Read msDS-KeyCredentialLink** and **Write msDS-KeyCrendentialLink**.
+8. In the **Properties** section, select **Read msDS-KeyCredentialLink** and **Write msDS-KeyCredentialLink**.
9. Click **OK** three times to complete the task.
diff --git a/windows/security/index.yml b/windows/security/index.yml
index b928c6db2b..05c303413e 100644
--- a/windows/security/index.yml
+++ b/windows/security/index.yml
@@ -14,7 +14,7 @@ metadata:
keywords: protect, company, data, Windows, device, app, management, Microsoft365, e5, e3
- ms.localizationpriority: medium
+ ms.localizationpriority: high
author: brianlic-msft
@@ -22,7 +22,7 @@ metadata:
manager: brianlic
- ms.date: 02/06/2018
+ ms.date: 07/12/2018
ms.topic: article
@@ -78,199 +78,17 @@ sections:
title: Information protection
-- title: Security features built in to Windows 10
-
+- title: Windows Defender Advanced Threat Protection
items:
-
- - type: paragraph
-
- text: 'Windows 10 enables critical security features to protect your device right from the start.'
-
- - type: list
-
- style: cards
-
- className: cardsM
-
- columns: 3
-
- items:
-
- - href: \windows\security\hardware-protection\how-hardware-based-containers-help-protect-windows
-
- html: Protect the boot process and maintain system integrity
-
- image:
-
- src: https://docs.microsoft.com/media/common/i_identity-protection.svg
-
- title: Windows Defender System Guard
-
- - href: \windows\security\threat-protection\windows-defender-antivirus\windows-defender-antivirus-in-windows-10
-
- html: Protect against malware management using next-generation antivirus technologies
-
- image:
-
- src: https://docs.microsoft.com/media/common/i_threat-protection.svg
-
- title: Windows Defender Antivirus
-
- - href: \windows\security\information-protection\bitlocker\bitlocker-overview
-
- html: Prevent data theft from lost or stolen devices
-
- image:
-
- src: https://docs.microsoft.com/media/common/i_information-protection.svg
-
- title: BitLocker
-
-- title: Security features in Microsoft 365 E3
-
- items:
-
- - type: paragraph
-
- text: 'Windows 10 Enterprise provides the foundation for Microsoft 365 E3 and a secure modern workplace.'
-
- - type: list
-
- style: cards
-
- className: cardsM
-
- columns: 3
-
- items:
-
- - href: \windows\security\identity-protection\hello-for-business\hello-overview
-
- html: Give users a more personal and secure way to access their devices
-
- image:
-
- src: https://docs.microsoft.com/media/common/i_identity-protection.svg
-
- title: Windows Hello for Business
-
- - href: \windows\security\threat-protection\windows-defender-application-control\windows-defender-application-control
-
- html: Lock down applications that run on a device
-
- image:
-
- src: https://docs.microsoft.com/media/common/i_threat-protection.svg
-
- title: Windows Defender Application Control
-
- - href: \windows\security\information-protection\windows-information-protection\protect-enterprise-data-using-wip
-
- html: Prevent accidental data leaks from enterprise devices
-
- image:
-
- src: https://docs.microsoft.com/media/common/i_information-protection.svg
-
- title: Windows Information Protection
-
-- title: Security features in Microsoft 365 E5
-
- items:
-
- - type: paragraph
-
- text: 'Get all of the protection from Microsoft 365 E3 security, plus these cloud-based security features to help you defend against even the most advanced threats.'
-
- - type: list
-
- style: cards
-
- className: cardsM
-
- columns: 3
-
- items:
-
- - href: https://docs.microsoft.com/azure/active-directory/active-directory-identityprotection
-
- html: Identity Protection and Privileged Identity Management
-
- image:
-
- src: https://docs.microsoft.com/media/common/i_identity-protection.svg
-
- title: Azure Active Directory P2
-
- - href: \windows\security\threat-protection\Windows-defender-atp\windows-defender-advanced-threat-protection
-
- html: Detect, investigate, and respond to advanced cyberattacks
-
- image:
-
- src: https://docs.microsoft.com/media/common/i_threat-protection.svg
-
- title: Windows Defender Advanced Threat Protection
-
- - href: https://www.microsoft.com/cloud-platform/azure-information-protection
-
- html: Protect documents and email automatically
-
- image:
-
- src: https://docs.microsoft.com/media/common/i_information-protection.svg
-
- title: Azure Information Protection P2
-
-- title: Videos
-
- items:
-
- type: markdown
-
- text: ">[](https://www.youtube.com/watch?v=IvZySDNfNpo)"
-
- - type: markdown
-
- text: ">[](https://www.youtube.com/watch?v=JDGMNFwyUg8)"
-
-- title: Additional security features in Windows 10
-
- items:
-
- - type: paragraph
-
- text: 'These additional security features are also built in to Windows 10 Enterprise.'
-
- - type: list
-
- style: unordered
-
- items:
-
- - html: Windows Defender Firewall
- - html: Windows Defender Exploit Guard
- - html: Windows Defender Credential Guard
- - html: Windows Defender Application Control
- - html: Windows Defender Application Guard
- - html: Windows Defender SmartScreen
- - html: Windows Defender Security Center
-
-- title: Security Resources
-
- items:
-
- - type: list
-
- style: unordered
-
- items:
-
- - html: Windows Defender Security Intelligence
- - html: Microsoft Secure blog
- - html: Security Update blog
- - html: Microsoft Security Response Center (MSRC)
- - html: MSRC Blog
- - html: Ransomware FAQ
-
-
+ text: "
+ Prevent, detect, investigate, and respond to advanced threats. The following capabilities are available across multiple products that make up the Windows Defender ATP platform.
+
+ | Attack surface reduction | Next generation protection | Endpoint detection and response | Auto investigation and remediation | Security posture |
+ [Hardware based isolation](https://docs.microsoft.com/en-us/windows/security/hardware-protection/how-hardware-based-containers-help-protect-windows)
[Application control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)
[Exploit protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard)
[Network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard)
[Device restrictions](https://docs.microsoft.com/en-us/intune/device-restrictions-configure)
[Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard)
[Network firewall](https://docs.microsoft.com/en-us/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security)
[Attack surface reduction controls](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard) |
+ [Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)
[Machine learning](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus)
[Automated sandbox service](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) |
+ [Alerts queue](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection)
[Historical endpoint data](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection#machine-timeline)
[Realtime and historical threat hunting](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection)
[API and SIEM integration](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection)
[Response orchestration](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection)
[Forensic collection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection#collect-investigation-package-from-machines)
[Threat intelligence](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection)
[Advanced detonation and analysis service](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection#deep-analysis) |
+ [Automated investigation and remediation](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection)
[Threat remediation](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#how-threats-are-remediated)
[Manage automated investigations](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#manage-automated-investigations)
[Analyze automated investigation](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#analyze-automated-investigations) |
+ [Asset inventory](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)
[Operating system baseline compliance](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)
[Recommended improvement actions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)
[Secure score](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)
[Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection)
[Reporting and trends](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection) |
+
+
"
\ No newline at end of file
diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
index cd19782c52..e32e8560b9 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
@@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: brianlic-msft
-ms.date: 10/27/2017
+ms.date: 07/18/2018
---
# BitLocker Management Recommendations for Enterprises
@@ -55,7 +55,7 @@ Windows continues to be the focus for new features and improvements for built-in
Companies that image their own computers using Microsoft System Center 2012 Configuration Manager SP1 (SCCM) or later can use an existing task sequence to [pre-provision BitLocker](https://technet.microsoft.com/library/hh846237.aspx#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](https://technet.microsoft.com/library/hh846237.aspx#BKMK_EnableBitLocker). This can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use SCCM to pre-set any desired [BitLocker Group Policy](https://technet.microsoft.com/library/ee706521(v=ws.10).aspx).
-For older client computers with BitLocker that are domain joined on-premises, Microsoft BitLocker Administration and Management[1] (MBAM) remains the best way to manage BitLocker. MBAM continues to be maintained and receives security patches. Using MBAM provides the following functionality:
+For older client computers with BitLocker that are domain joined on-premises, use Microsoft BitLocker Administration and Management[1]. Using MBAM provides the following functionality:
- Encrypts device with BitLocker using MBAM
- Stores BitLocker Recovery keys in MBAM Server
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index 8ece2a49c9..d96b9d9dc8 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -1,876 +1,916 @@
# [Threat protection](index.md)
-## [The Windows Defender Security Center app](windows-defender-security-center/windows-defender-security-center.md)
-### [Customize the Windows Defender Security Center app for your organization](windows-defender-security-center/wdsc-customize-contact-information.md)
-### [Hide Windows Defender Security Center app notifications](windows-defender-security-center/wdsc-hide-notifications.md)
-### [Manage Windows Defender Security Center in Windows 10 in S mode](windows-defender-security-center\wdsc-windows-10-in-s-mode.md)
-### [Virus and threat protection](windows-defender-security-center/wdsc-virus-threat-protection.md)
-### [Account protection](windows-defender-security-center\wdsc-account-protection.md)
-### [Firewall and network protection](windows-defender-security-center\wdsc-firewall-network-protection.md)
-### [App and browser control](windows-defender-security-center\wdsc-app-browser-control.md)
-### [Device security](windows-defender-security-center\wdsc-device-security.md)
-### [Device performance and health](windows-defender-security-center\wdsc-device-performance-health.md)
-### [Family options](windows-defender-security-center\wdsc-family-options.md)
-
## [Windows Defender Advanced Threat Protection](windows-defender-atp/windows-defender-advanced-threat-protection.md)
-###Get started
-#### [Minimum requirements](windows-defender-atp\minimum-requirements-windows-defender-advanced-threat-protection.md)
-#### [Validate licensing and complete setup](windows-defender-atp\licensing-windows-defender-advanced-threat-protection.md)
-#### [Troubleshoot subscription and portal access issues](windows-defender-atp\troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)
-#### [Preview features](windows-defender-atp\preview-windows-defender-advanced-threat-protection.md)
-#### [Data storage and privacy](windows-defender-atp\data-storage-privacy-windows-defender-advanced-threat-protection.md)
-#### [Assign user access to the portal](windows-defender-atp\assign-portal-access-windows-defender-advanced-threat-protection.md)
-### [Onboard machines](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md)
-#### [Onboard previous versions of Windows](windows-defender-atp\onboard-downlevel-windows-defender-advanced-threat-protection.md)
-#### [Onboard Windows 10 machines](windows-defender-atp\configure-endpoints-windows-defender-advanced-threat-protection.md)
-##### [Onboard machines using Group Policy](windows-defender-atp\configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
-##### [Onboard machines using System Center Configuration Manager](windows-defender-atp\configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
-##### [Onboard machines using Mobile Device Management tools](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
-###### [Onboard machines using Microsoft Intune](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#onboard-windows-10-machines-using-microsoft-intune)
-##### [Onboard machines using a local script](windows-defender-atp\configure-endpoints-script-windows-defender-advanced-threat-protection.md)
-##### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](windows-defender-atp\configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
-#### [Onboard servers](windows-defender-atp\configure-server-endpoints-windows-defender-advanced-threat-protection.md)
-#### [Onboard non-Windows machines](windows-defender-atp\configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
-#### [Run a detection test on a newly onboarded machine](windows-defender-atp\run-detection-test-windows-defender-advanced-threat-protection.md)
-#### [Run simulated attacks on machines](windows-defender-atp\attack-simulations-windows-defender-advanced-threat-protection.md)
-#### [Configure proxy and Internet connectivity settings](windows-defender-atp\configure-proxy-internet-windows-defender-advanced-threat-protection.md)
-#### [Troubleshoot onboarding issues](windows-defender-atp\troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
-### [Understand the Windows Defender ATP portal](windows-defender-atp\use-windows-defender-advanced-threat-protection.md)
-#### [Portal overview](windows-defender-atp\portal-overview-windows-defender-advanced-threat-protection.md)
-#### [View the Security operations dashboard](windows-defender-atp\security-operations-dashboard-windows-defender-advanced-threat-protection.md)
-#### [View the Secure Score dashboard and improve your secure score](windows-defender-atp\secure-score-dashboard-windows-defender-advanced-threat-protection.md)
-#### [View the Threat analytics dashboard and take recommended mitigation actions](windows-defender-atp\threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)
+### [Windows Defender Security Center](windows-defender-atp/windows-defender-security-center-atp.md)
+####Get started
+##### [Minimum requirements](windows-defender-atp\minimum-requirements-windows-defender-advanced-threat-protection.md)
+##### [Validate licensing and complete setup](windows-defender-atp\licensing-windows-defender-advanced-threat-protection.md)
+##### [Troubleshoot subscription and portal access issues](windows-defender-atp\troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)
+##### [Preview features](windows-defender-atp\preview-windows-defender-advanced-threat-protection.md)
+##### [Data storage and privacy](windows-defender-atp\data-storage-privacy-windows-defender-advanced-threat-protection.md)
+##### [Assign user access to the portal](windows-defender-atp\assign-portal-access-windows-defender-advanced-threat-protection.md)
+#### [Onboard machines](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md)
+##### [Onboard Windows 10 machines](windows-defender-atp\configure-endpoints-windows-defender-advanced-threat-protection.md)
+###### [Onboard machines using Group Policy](windows-defender-atp\configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
+###### [Onboard machines using System Center Configuration Manager](windows-defender-atp\configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
+###### [Onboard machines using Mobile Device Management tools](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
+####### [Onboard machines using Microsoft Intune](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#onboard-machines-using-microsoft-intune)
+###### [Onboard machines using a local script](windows-defender-atp\configure-endpoints-script-windows-defender-advanced-threat-protection.md)
+###### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](windows-defender-atp\configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
+##### [Onboard servers](windows-defender-atp\configure-server-endpoints-windows-defender-advanced-threat-protection.md)
+##### [Onboard non-Windows machines](windows-defender-atp\configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
+##### [Run a detection test on a newly onboarded machine](windows-defender-atp\run-detection-test-windows-defender-advanced-threat-protection.md)
+##### [Run simulated attacks on machines](windows-defender-atp\attack-simulations-windows-defender-advanced-threat-protection.md)
+##### [Configure proxy and Internet connectivity settings](windows-defender-atp\configure-proxy-internet-windows-defender-advanced-threat-protection.md)
+##### [Troubleshoot onboarding issues](windows-defender-atp\troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
+#### [Understand the portal ](windows-defender-atp\use-windows-defender-advanced-threat-protection.md)
+##### [Portal overview](windows-defender-atp\portal-overview-windows-defender-advanced-threat-protection.md)
+##### [View the Security operations dashboard](windows-defender-atp\security-operations-dashboard-windows-defender-advanced-threat-protection.md)
+##### [View the Secure Score dashboard and improve your secure score](windows-defender-atp\secure-score-dashboard-windows-defender-advanced-threat-protection.md)
+##### [View the Threat analytics dashboard and take recommended mitigation actions](windows-defender-atp\threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)
-###Investigate and remediate threats
-####Alerts queue
-##### [View and organize the Alerts queue](windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md)
-##### [Manage alerts](windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md)
-##### [Investigate alerts](windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md)
-##### [Investigate files](windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md)
-##### [Investigate machines](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md)
-##### [Investigate an IP address](windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md)
-##### [Investigate a domain](windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md)
-##### [Investigate a user account](windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md)
+####Investigate and remediate threats
+#####Alerts queue
+###### [View and organize the Alerts queue](windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md)
+###### [Manage alerts](windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md)
+###### [Investigate alerts](windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md)
+###### [Investigate files](windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md)
+###### [Investigate machines](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md)
+###### [Investigate an IP address](windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md)
+###### [Investigate a domain](windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md)
+###### [Investigate a user account](windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md)
-####Machines list
-##### [View and organize the Machines list](windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md)
-##### [Manage machine group and tags](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags)
-##### [Alerts related to this machine](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#alerts-related-to-this-machine)
-##### [Machine timeline](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline)
-###### [Search for specific events](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-events)
-###### [Filter events from a specific date](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date)
-###### [Export machine timeline events](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events)
-###### [Navigate between pages](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages)
+#####Machines list
+###### [View and organize the Machines list](windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md)
+###### [Manage machine group and tags](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags)
+###### [Alerts related to this machine](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#alerts-related-to-this-machine)
+###### [Machine timeline](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline)
+####### [Search for specific events](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-events)
+####### [Filter events from a specific date](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date)
+####### [Export machine timeline events](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events)
+####### [Navigate between pages](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages)
-#### [Take response actions](windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md)
-##### [Take response actions on a machine](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md)
-###### [Collect investigation package](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package-from-machines)
-###### [Run antivirus scan](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#run-windows-defender-antivirus-scan-on-machines)
-###### [Restrict app execution](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#restrict-app-execution)
-###### [Remove app restriction](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#remove-app-restriction)
-###### [Isolate machines from the network](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network)
-###### [Release machine from isolation](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#release-machine-from-isolation)
-###### [Check activity details in Action center](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
-##### [Take response actions on a file](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md)
-###### [Stop and quarantine files in your network](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network)
-###### [Remove file from quarantine](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine)
-###### [Block files in your network](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#block-files-in-your-network)
-###### [Remove file from blocked list](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-blocked-list)
-###### [Check activity details in Action center](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
-###### [Deep analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis)
-####### [Submit files for analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis)
-####### [View deep analysis reports](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports)
-####### [Troubleshoot deep analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis)
+##### [Take response actions](windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md)
+###### [Take response actions on a machine](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md)
+####### [Collect investigation package](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package-from-machines)
+####### [Run antivirus scan](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#run-windows-defender-antivirus-scan-on-machines)
+####### [Restrict app execution](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#restrict-app-execution)
+####### [Remove app restriction](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#remove-app-restriction)
+####### [Isolate machines from the network](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network)
+####### [Release machine from isolation](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#release-machine-from-isolation)
+####### [Check activity details in Action center](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
-#### [Use Automated investigation to investigate and remediate threats](windows-defender-atp\automated-investigations-windows-defender-advanced-threat-protection.md)
-#### [Query data using Advanced hunting](windows-defender-atp\advanced-hunting-windows-defender-advanced-threat-protection.md)
-##### [Advanced hunting reference](windows-defender-atp\advanced-hunting-reference-windows-defender-advanced-threat-protection.md)
-##### [Advanced hunting query language best practices](windows-defender-atp\advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md)
+###### [Take response actions on a file](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md)
+####### [Stop and quarantine files in your network](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network)
+####### [Remove file from quarantine](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine)
+####### [Block files in your network](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#block-files-in-your-network)
+####### [Remove file from blocked list](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-blocked-list)
+####### [Check activity details in Action center](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
+####### [Deep analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis)
+######## [Submit files for analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis)
+######## [View deep analysis reports](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports)
+######## [Troubleshoot deep analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis)
+
+###### [Use Automated investigation to investigate and remediate threats](windows-defender-atp\automated-investigations-windows-defender-advanced-threat-protection.md)
+###### [Query data using Advanced hunting](windows-defender-atp\advanced-hunting-windows-defender-advanced-threat-protection.md)
+####### [Advanced hunting reference](windows-defender-atp\advanced-hunting-reference-windows-defender-advanced-threat-protection.md)
+####### [Advanced hunting query language best practices](windows-defender-atp\advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md)
-### [Protect users, data, and devices with conditional access](windows-defender-atp\conditional-access-windows-defender-advanced-threat-protection.md)
+#### [Protect users, data, and devices with conditional access](windows-defender-atp\conditional-access-windows-defender-advanced-threat-protection.md)
-###API and SIEM support
-#### [Pull alerts to your SIEM tools](windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md)
-##### [Enable SIEM integration](windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md)
-##### [Configure Splunk to pull alerts](windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md)
-##### [Configure HP ArcSight to pull alerts](windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md)
-##### [Windows Defender ATP alert API fields](windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md)
-##### [Pull alerts using REST API](windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
-##### [Troubleshoot SIEM tool integration issues](windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md)
+####API and SIEM support
+##### [Pull alerts to your SIEM tools](windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md)
+###### [Enable SIEM integration](windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md)
+###### [Configure Splunk to pull alerts](windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md)
+###### [Configure HP ArcSight to pull alerts](windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md)
+###### [Windows Defender ATP alert API fields](windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md)
+###### [Pull alerts using REST API](windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
+###### [Troubleshoot SIEM tool integration issues](windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md)
-#### [Use the threat intelligence API to create custom alerts](windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md)
-##### [Understand threat intelligence concepts](windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
-##### [Enable the custom threat intelligence application](windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md)
-##### [Create custom threat intelligence alerts](windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md)
-##### [PowerShell code examples](windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md)
-##### [Python code examples](windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md)
-##### [Experiment with custom threat intelligence alerts](windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md)
-##### [Troubleshoot custom threat intelligence issues](windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
-#### [Use the Windows Defender ATP exposed APIs](windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md)
-##### [Supported Windows Defender ATP APIs](windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md)
-######Actor
-####### [Get actor information](windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md)
-####### [Get actor related alerts](windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md)
-######Alerts
-####### [Get alerts](windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md)
-####### [Get alert information by ID](windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md)
-####### [Get alert related actor information](windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md)
-####### [Get alert related domain information](windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md)
-####### [Get alert related file information](windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
-####### [Get alert related IP information](windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
-####### [Get alert related machine information](windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
-######Domain
-####### [Get domain related alerts](windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
-####### [Get domain related machines](windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md)
-####### [Get domain statistics](windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md)
-####### [Is domain seen in organization](windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
+##### [Use the threat intelligence API to create custom alerts](windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md)
+###### [Understand threat intelligence concepts](windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
+###### [Enable the custom threat intelligence application](windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md)
+###### [Create custom threat intelligence alerts](windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md)
+###### [PowerShell code examples](windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md)
+###### [Python code examples](windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md)
+###### [Experiment with custom threat intelligence alerts](windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md)
+###### [Troubleshoot custom threat intelligence issues](windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
+##### [Use the Windows Defender ATP exposed APIs](windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md)
+###### [Supported Windows Defender ATP APIs](windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md)
+#######Actor
+######## [Get actor information](windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md)
+######## [Get actor related alerts](windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md)
+#######Alerts
+######## [Get alerts](windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md)
+######## [Get alert information by ID](windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md)
+######## [Get alert related actor information](windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md)
+######## [Get alert related domain information](windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md)
+######## [Get alert related file information](windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
+######## [Get alert related IP information](windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
+######## [Get alert related machine information](windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
+########Domain
+######### [Get domain related alerts](windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
+######### [Get domain related machines](windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md)
+######### [Get domain statistics](windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md)
+######### [Is domain seen in organization](windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
-######File
-####### [Block file API](windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md)
-####### [Get file information](windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md)
-####### [Get file related alerts](windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md)
-####### [Get file related machines](windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md)
-####### [Get file statistics](windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md)
-####### [Get FileActions collection API](windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md)
-####### [Unblock file API](windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md)
+#######File
+######## [Block file API](windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md)
+######## [Get file information](windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md)
+######## [Get file related alerts](windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md)
+######## [Get file related machines](windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md)
+######## [Get file statistics](windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md)
+######## [Get FileActions collection API](windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md)
+######## [Unblock file API](windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md)
-######IP
-####### [Get IP related alerts](windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
-####### [Get IP related machines](windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md)
-####### [Get IP statistics](windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md)
-####### [Is IP seen in organization](windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md)
-######Machines
-####### [Collect investigation package API](windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md)
-####### [Find machine information by IP](windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
-####### [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md)
-####### [Get FileMachineAction object API](windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
-####### [Get FileMachineActions collection API](windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
-####### [Get machine by ID](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md)
-####### [Get machine log on users](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
-####### [Get machine related alerts](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
-####### [Get MachineAction object API](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md)
-####### [Get MachineActions collection API](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md)
-####### [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md)
-####### [Get package SAS URI API](windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md)
-####### [Isolate machine API](windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md)
-####### [Release machine from isolation API](windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md)
-####### [Remove app restriction API](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
-####### [Request sample API](windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md)
-####### [Restrict app execution API](windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md)
-####### [Run antivirus scan API](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md)
-####### [Stop and quarantine file API](windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md)
+#######IP
+######## [Get IP related alerts](windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
+######## [Get IP related machines](windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md)
+######## [Get IP statistics](windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md)
+######## [Is IP seen in organization](windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md)
+#######Machines
+######## [Collect investigation package API](windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md)
+######## [Find machine information by IP](windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
+######## [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md)
+######## [Get FileMachineAction object API](windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
+######## [Get FileMachineActions collection API](windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
+######## [Get machine by ID](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md)
+######## [Get machine log on users](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
+######## [Get machine related alerts](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
+######## [Get MachineAction object API](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md)
+######## [Get MachineActions collection API](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md)
+######## [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md)
+######## [Get package SAS URI API](windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md)
+######## [Isolate machine API](windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md)
+######## [Release machine from isolation API](windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md)
+######## [Remove app restriction API](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
+######## [Request sample API](windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md)
+######## [Restrict app execution API](windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md)
+######## [Run antivirus scan API](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md)
+######## [Stop and quarantine file API](windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md)
-######User
-####### [Get alert related user information](windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
-####### [Get user information](windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md)
-####### [Get user related alerts](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md)
-####### [Get user related machines](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md)
+#######User
+######## [Get alert related user information](windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
+######## [Get user information](windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md)
+######## [Get user related alerts](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md)
+######## [Get user related machines](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md)
-###Reporting
-#### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md)
+####Reporting
+##### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md)
-###Check service health and sensor state
-#### [Check sensor state](windows-defender-atp\check-sensor-status-windows-defender-advanced-threat-protection.md)
+####Check service health and sensor state
+##### [Check sensor state](windows-defender-atp\check-sensor-status-windows-defender-advanced-threat-protection.md)
##### [Fix unhealthy sensors](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)
##### [Inactive machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines)
##### [Misconfigured machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines)
-#### [Check service health](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md)
-### [Configure Windows Defender ATP Settings](windows-defender-atp\preferences-setup-windows-defender-advanced-threat-protection.md)
-
-####General
-##### [Update data retention settings](windows-defender-atp\data-retention-settings-windows-defender-advanced-threat-protection.md)
-##### [Configure alert notifications](windows-defender-atp\configure-email-notifications-windows-defender-advanced-threat-protection.md)
-##### [Enable and create Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md)
-##### [Enable Secure score security controls](windows-defender-atp\enable-secure-score-windows-defender-advanced-threat-protection.md)
-##### [Configure advanced features](windows-defender-atp\advanced-features-windows-defender-advanced-threat-protection.md)
+##### [Check service health](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md)
-####Permissions
-##### [Manage portal access using RBAC](windows-defender-atp\rbac-windows-defender-advanced-threat-protection.md)
-##### [Create and manage machine groups](windows-defender-atp\machine-groups-windows-defender-advanced-threat-protection.md)
-
-####APIs
-##### [Enable Threat intel](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md)
-##### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md)
-
-####Rules
-##### [Manage suppression rules](windows-defender-atp\manage-suppression-rules-windows-defender-advanced-threat-protection.md)
-##### [Manage automation allowed/blocked](windows-defender-atp\manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
-##### [Manage automation file uploads](windows-defender-atp\manage-automation-file-uploads-windows-defender-advanced-threat-protection.md)
-##### [Manage automation folder exclusions](windows-defender-atp\manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md)
-
-####Machine management
-##### [Onboarding machines](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md)
-##### [Offboarding machines](windows-defender-atp\offboard-machines-windows-defender-advanced-threat-protection.md)
-
-### [Configure Windows Defender ATP time zone settings](windows-defender-atp\time-settings-windows-defender-advanced-threat-protection.md)
-
-### [Access the Windows Defender ATP Community Center](windows-defender-atp\community-windows-defender-advanced-threat-protection.md)
-### [Troubleshoot Windows Defender ATP](windows-defender-atp\troubleshoot-windows-defender-advanced-threat-protection.md)
-#### [Review events and errors on machines with Event Viewer](windows-defender-atp\event-error-codes-windows-defender-advanced-threat-protection.md)
-### [Windows Defender Antivirus compatibility with Windows Defender ATP](windows-defender-atp\defender-compatibility-windows-defender-advanced-threat-protection.md)
-
-## [Windows Defender Antivirus in Windows 10](windows-defender-antivirus\windows-defender-antivirus-in-windows-10.md)
-### [Windows Defender AV on Windows Server 2016](windows-defender-antivirus\windows-defender-antivirus-on-windows-server-2016.md)
-
-### [Windows Defender Antivirus compatibility](windows-defender-antivirus\windows-defender-antivirus-compatibility.md)
-#### [Use limited periodic scanning in Windows Defender AV](windows-defender-antivirus\limited-periodic-scanning-windows-defender-antivirus.md)
+####[Configure Windows Defender Security Center settings](windows-defender-atp\preferences-setup-windows-defender-advanced-threat-protection.md)
+#####General
+###### [Update data retention settings](windows-defender-atp\data-retention-settings-windows-defender-advanced-threat-protection.md)
+###### [Configure alert notifications](windows-defender-atp\configure-email-notifications-windows-defender-advanced-threat-protection.md)
+###### [Enable and create Power BI reports using Windows Defender Security center data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md)
+###### [Enable Secure score security controls](windows-defender-atp\enable-secure-score-windows-defender-advanced-threat-protection.md)
+###### [Configure advanced features](windows-defender-atp\advanced-features-windows-defender-advanced-threat-protection.md)
-### [Evaluate Windows Defender Antivirus protection](windows-defender-antivirus\evaluate-windows-defender-antivirus.md)
+#####Permissions
+###### [Manage portal access using RBAC](windows-defender-atp\rbac-windows-defender-advanced-threat-protection.md)
+###### [Create and manage machine groups](windows-defender-atp\machine-groups-windows-defender-advanced-threat-protection.md)
+
+#####APIs
+###### [Enable Threat intel](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md)
+###### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md)
+
+#####Rules
+###### [Manage suppression rules](windows-defender-atp\manage-suppression-rules-windows-defender-advanced-threat-protection.md)
+###### [Manage automation allowed/blocked](windows-defender-atp\manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
+###### [Manage automation file uploads](windows-defender-atp\manage-automation-file-uploads-windows-defender-advanced-threat-protection.md)
+###### [Manage automation folder exclusions](windows-defender-atp\manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md)
+
+#####Machine management
+###### [Onboarding machines](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md)
+###### [Offboarding machines](windows-defender-atp\offboard-machines-windows-defender-advanced-threat-protection.md)
+
+#### [Configure Windows Defender Security Center time zone settings](windows-defender-atp\time-settings-windows-defender-advanced-threat-protection.md)
+
+#### [Access the Windows Defender Security Center Community Center](windows-defender-atp\community-windows-defender-advanced-threat-protection.md)
+#### [Troubleshoot Windows Defender ATP service issues](windows-defender-atp\troubleshoot-windows-defender-advanced-threat-protection.md)
+##### [Review events and errors on machines with Event Viewer](windows-defender-atp\event-error-codes-windows-defender-advanced-threat-protection.md)
+#### [Windows Defender Antivirus compatibility with Windows Defender ATP](windows-defender-atp\defender-compatibility-windows-defender-advanced-threat-protection.md)
+
+### [Windows Defender Antivirus](windows-defender-antivirus\windows-defender-antivirus-in-windows-10.md)
+#### [Windows Defender AV in the Windows Defender Security app](windows-defender-antivirus\windows-defender-security-center-antivirus.md)
+#### [Windows Defender AV on Windows Server 2016](windows-defender-antivirus\windows-defender-antivirus-on-windows-server-2016.md)
+
+#### [Windows Defender Antivirus compatibility](windows-defender-antivirus\windows-defender-antivirus-compatibility.md)
+##### [Use limited periodic scanning in Windows Defender AV](windows-defender-antivirus\limited-periodic-scanning-windows-defender-antivirus.md)
-### [Deploy, manage updates, and report on Windows Defender Antivirus](windows-defender-antivirus\deploy-manage-report-windows-defender-antivirus.md)
-#### [Deploy and enable Windows Defender Antivirus](windows-defender-antivirus\deploy-windows-defender-antivirus.md)
-##### [Deployment guide for VDI environments](windows-defender-antivirus\deployment-vdi-windows-defender-antivirus.md)
-#### [Report on Windows Defender Antivirus protection](windows-defender-antivirus\report-monitor-windows-defender-antivirus.md)
-##### [Troubleshoot Windows Defender Antivirus reporting in Update Compliance](windows-defender-antivirus\troubleshoot-reporting.md)
-#### [Manage updates and apply baselines](windows-defender-antivirus\manage-updates-baselines-windows-defender-antivirus.md)
-##### [Manage protection and definition updates](windows-defender-antivirus\manage-protection-updates-windows-defender-antivirus.md)
-##### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus\manage-protection-update-schedule-windows-defender-antivirus.md)
-##### [Manage updates for endpoints that are out of date](windows-defender-antivirus\manage-outdated-endpoints-windows-defender-antivirus.md)
-##### [Manage event-based forced updates](windows-defender-antivirus\manage-event-based-updates-windows-defender-antivirus.md)
-##### [Manage updates for mobile devices and VMs](windows-defender-antivirus\manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
+#### [Evaluate Windows Defender Antivirus protection](windows-defender-antivirus\evaluate-windows-defender-antivirus.md)
-### [Configure Windows Defender Antivirus features](windows-defender-antivirus\configure-windows-defender-antivirus-features.md)
-#### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus\utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
-##### [Enable cloud-delivered protection](windows-defender-antivirus\enable-cloud-protection-windows-defender-antivirus.md)
-##### [Specify the cloud-delivered protection level](windows-defender-antivirus\specify-cloud-protection-level-windows-defender-antivirus.md)
-##### [Configure and validate network connections](windows-defender-antivirus\configure-network-connections-windows-defender-antivirus.md)
-##### [Enable the Block at First Sight feature](windows-defender-antivirus\configure-block-at-first-sight-windows-defender-antivirus.md)
-##### [Configure the cloud block timeout period](windows-defender-antivirus\configure-cloud-block-timeout-period-windows-defender-antivirus.md)
-#### [Configure behavioral, heuristic, and real-time protection](windows-defender-antivirus\configure-protection-features-windows-defender-antivirus.md)
-##### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus\detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
-##### [Enable and configure always-on protection and monitoring](windows-defender-antivirus\configure-real-time-protection-windows-defender-antivirus.md)
-#### [Configure end-user interaction with Windows Defender AV](windows-defender-antivirus\configure-end-user-interaction-windows-defender-antivirus.md)
-##### [Configure the notifications that appear on endpoints](windows-defender-antivirus\configure-notifications-windows-defender-antivirus.md)
-##### [Prevent users from seeing or interacting with the user interface](windows-defender-antivirus\prevent-end-user-interaction-windows-defender-antivirus.md)
-##### [Prevent or allow users to locally modify policy settings](windows-defender-antivirus\configure-local-policy-overrides-windows-defender-antivirus.md)
+#### [Deploy, manage updates, and report on Windows Defender Antivirus](windows-defender-antivirus\deploy-manage-report-windows-defender-antivirus.md)
+##### [Deploy and enable Windows Defender Antivirus](windows-defender-antivirus\deploy-windows-defender-antivirus.md)
+###### [Deployment guide for VDI environments](windows-defender-antivirus\deployment-vdi-windows-defender-antivirus.md)
+##### [Report on Windows Defender Antivirus protection](windows-defender-antivirus\report-monitor-windows-defender-antivirus.md)
+###### [Troubleshoot Windows Defender Antivirus reporting in Update Compliance](windows-defender-antivirus\troubleshoot-reporting.md)
+##### [Manage updates and apply baselines](windows-defender-antivirus\manage-updates-baselines-windows-defender-antivirus.md)
+###### [Manage protection and definition updates](windows-defender-antivirus\manage-protection-updates-windows-defender-antivirus.md)
+###### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus\manage-protection-update-schedule-windows-defender-antivirus.md)
+###### [Manage updates for endpoints that are out of date](windows-defender-antivirus\manage-outdated-endpoints-windows-defender-antivirus.md)
+###### [Manage event-based forced updates](windows-defender-antivirus\manage-event-based-updates-windows-defender-antivirus.md)
+###### [Manage updates for mobile devices and VMs](windows-defender-antivirus\manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
-### [Customize, initiate, and review the results of scans and remediation](windows-defender-antivirus\customize-run-review-remediate-scans-windows-defender-antivirus.md)
-#### [Configure and validate exclusions in Windows Defender AV scans](windows-defender-antivirus\configure-exclusions-windows-defender-antivirus.md)
-##### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus\configure-extension-file-exclusions-windows-defender-antivirus.md)
-##### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus\configure-process-opened-file-exclusions-windows-defender-antivirus.md)
-##### [Configure exclusions in Windows Defender AV on Windows Server 2016](windows-defender-antivirus\configure-server-exclusions-windows-defender-antivirus.md)
-#### [Configure scanning options in Windows Defender AV](windows-defender-antivirus\configure-advanced-scan-types-windows-defender-antivirus.md)
-#### [Configure remediation for scans](windows-defender-antivirus\configure-remediation-windows-defender-antivirus.md)
-#### [Configure scheduled scans](windows-defender-antivirus\scheduled-catch-up-scans-windows-defender-antivirus.md)
-#### [Configure and run scans](windows-defender-antivirus\run-scan-windows-defender-antivirus.md)
-#### [Review scan results](windows-defender-antivirus\review-scan-results-windows-defender-antivirus.md)
-#### [Run and review the results of a Windows Defender Offline scan](windows-defender-antivirus\windows-defender-offline.md)
+#### [Configure Windows Defender Antivirus features](windows-defender-antivirus\configure-windows-defender-antivirus-features.md)
+##### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus\utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
+###### [Enable cloud-delivered protection](windows-defender-antivirus\enable-cloud-protection-windows-defender-antivirus.md)
+###### [Specify the cloud-delivered protection level](windows-defender-antivirus\specify-cloud-protection-level-windows-defender-antivirus.md)
+###### [Configure and validate network connections](windows-defender-antivirus\configure-network-connections-windows-defender-antivirus.md)
+###### [Enable the Block at First Sight feature](windows-defender-antivirus\configure-block-at-first-sight-windows-defender-antivirus.md)
+###### [Configure the cloud block timeout period](windows-defender-antivirus\configure-cloud-block-timeout-period-windows-defender-antivirus.md)
+##### [Configure behavioral, heuristic, and real-time protection](windows-defender-antivirus\configure-protection-features-windows-defender-antivirus.md)
+###### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus\detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
+###### [Enable and configure always-on protection and monitoring](windows-defender-antivirus\configure-real-time-protection-windows-defender-antivirus.md)
+##### [Configure end-user interaction with Windows Defender AV](windows-defender-antivirus\configure-end-user-interaction-windows-defender-antivirus.md)
+###### [Configure the notifications that appear on endpoints](windows-defender-antivirus\configure-notifications-windows-defender-antivirus.md)
+###### [Prevent users from seeing or interacting with the user interface](windows-defender-antivirus\prevent-end-user-interaction-windows-defender-antivirus.md)
+###### [Prevent or allow users to locally modify policy settings](windows-defender-antivirus\configure-local-policy-overrides-windows-defender-antivirus.md)
+
+
+#### [Customize, initiate, and review the results of scans and remediation](windows-defender-antivirus\customize-run-review-remediate-scans-windows-defender-antivirus.md)
+##### [Configure and validate exclusions in Windows Defender AV scans](windows-defender-antivirus\configure-exclusions-windows-defender-antivirus.md)
+###### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus\configure-extension-file-exclusions-windows-defender-antivirus.md)
+###### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus\configure-process-opened-file-exclusions-windows-defender-antivirus.md)
+###### [Configure exclusions in Windows Defender AV on Windows Server 2016](windows-defender-antivirus\configure-server-exclusions-windows-defender-antivirus.md)
+##### [Configure scanning options in Windows Defender AV](windows-defender-antivirus\configure-advanced-scan-types-windows-defender-antivirus.md)
+##### [Configure remediation for scans](windows-defender-antivirus\configure-remediation-windows-defender-antivirus.md)
+##### [Configure scheduled scans](windows-defender-antivirus\scheduled-catch-up-scans-windows-defender-antivirus.md)
+##### [Configure and run scans](windows-defender-antivirus\run-scan-windows-defender-antivirus.md)
+##### [Review scan results](windows-defender-antivirus\review-scan-results-windows-defender-antivirus.md)
+##### [Run and review the results of a Windows Defender Offline scan](windows-defender-antivirus\windows-defender-offline.md)
#### [Restore quarantined files in Windows Defender AV](windows-defender-antivirus\restore-quarantined-files-windows-defender-antivirus.md)
-### [Review event logs and error codes to troubleshoot issues](windows-defender-antivirus\troubleshoot-windows-defender-antivirus.md)
+##### [Review event logs and error codes to troubleshoot issues](windows-defender-antivirus\troubleshoot-windows-defender-antivirus.md)
-### [Manage Windows Defender AV in your business](windows-defender-antivirus\configuration-management-reference-windows-defender-antivirus.md)
-#### [Use Group Policy settings to configure and manage Windows Defender AV](windows-defender-antivirus\use-group-policy-windows-defender-antivirus.md)
-#### [Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV](windows-defender-antivirus\use-intune-config-manager-windows-defender-antivirus.md)
-#### [Use PowerShell cmdlets to configure and manage Windows Defender AV](windows-defender-antivirus\use-powershell-cmdlets-windows-defender-antivirus.md)
-#### [Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](windows-defender-antivirus\use-wmi-windows-defender-antivirus.md)
-#### [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender AV](windows-defender-antivirus\command-line-arguments-windows-defender-antivirus.md)
+##### [Manage Windows Defender AV in your business](windows-defender-antivirus\configuration-management-reference-windows-defender-antivirus.md)
+###### [Use Group Policy settings to configure and manage Windows Defender AV](windows-defender-antivirus\use-group-policy-windows-defender-antivirus.md)
+###### [Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV](windows-defender-antivirus\use-intune-config-manager-windows-defender-antivirus.md)
+###### [Use PowerShell cmdlets to configure and manage Windows Defender AV](windows-defender-antivirus\use-powershell-cmdlets-windows-defender-antivirus.md)
+###### [Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](windows-defender-antivirus\use-wmi-windows-defender-antivirus.md)
+###### [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender AV](windows-defender-antivirus\command-line-arguments-windows-defender-antivirus.md)
-## [Windows Defender AV in the Windows Defender Security Center app](windows-defender-antivirus\windows-defender-security-center-antivirus.md)
-## [Windows Defender Exploit Guard](windows-defender-exploit-guard\windows-defender-exploit-guard.md)
-### [Evaluate Windows Defender Exploit Guard](windows-defender-exploit-guard\evaluate-windows-defender-exploit-guard.md)
-#### [Use auditing mode to evaluate Windows Defender Exploit Guard](windows-defender-exploit-guard\audit-windows-defender-exploit-guard.md)
-#### [View Exploit Guard events](windows-defender-exploit-guard\event-views-exploit-guard.md)
-### [Exploit protection](windows-defender-exploit-guard\exploit-protection-exploit-guard.md)
-#### [Comparison with Enhanced Mitigation Experience Toolkit](windows-defender-exploit-guard\emet-exploit-protection-exploit-guard.md)
-#### [Evaluate Exploit protection](windows-defender-exploit-guard\evaluate-exploit-protection.md)
-#### [Enable Exploit protection](windows-defender-exploit-guard\enable-exploit-protection.md)
-#### [Customize Exploit protection](windows-defender-exploit-guard\customize-exploit-protection.md)
-##### [Import, export, and deploy Exploit protection configurations](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
-### [Attack surface reduction](windows-defender-exploit-guard\attack-surface-reduction-exploit-guard.md)
+
+
+
+
+
+
+
+
+
+
+
+
+
+### [Windows Defender Exploit Guard](windows-defender-exploit-guard\windows-defender-exploit-guard.md)
+#### [Evaluate Windows Defender Exploit Guard](windows-defender-exploit-guard\evaluate-windows-defender-exploit-guard.md)
+##### [Use auditing mode to evaluate Windows Defender Exploit Guard](windows-defender-exploit-guard\audit-windows-defender-exploit-guard.md)
+##### [View Exploit Guard events](windows-defender-exploit-guard\event-views-exploit-guard.md)
+#### [Exploit protection](windows-defender-exploit-guard\exploit-protection-exploit-guard.md)
+##### [Comparison with Enhanced Mitigation Experience Toolkit](windows-defender-exploit-guard\emet-exploit-protection-exploit-guard.md)
+##### [Evaluate Exploit protection](windows-defender-exploit-guard\evaluate-exploit-protection.md)
+##### [Enable Exploit protection](windows-defender-exploit-guard\enable-exploit-protection.md)
+##### [Customize Exploit protection](windows-defender-exploit-guard\customize-exploit-protection.md)
+###### [Import, export, and deploy Exploit protection configurations](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
+##### [Memory integrity](windows-defender-exploit-guard\memory-integrity.md)
+###### [Requirements for virtualization-based protection of code integrity](windows-defender-exploit-guard\requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
+###### [Enable virtualization-based protection of code integrity](windows-defender-exploit-guard\enable-virtualization-based-protection-of-code-integrity.md)
+#### [Attack surface reduction](windows-defender-exploit-guard\attack-surface-reduction-exploit-guard.md)
#### [Evaluate Attack surface reduction](windows-defender-exploit-guard\evaluate-attack-surface-reduction.md)
#### [Enable Attack surface reduction](windows-defender-exploit-guard\enable-attack-surface-reduction.md)
#### [Customize Attack surface reduction](windows-defender-exploit-guard\customize-attack-surface-reduction.md)
#### [Troubleshoot Attack surface reduction rules](windows-defender-exploit-guard\troubleshoot-asr.md)
-### [Network Protection](windows-defender-exploit-guard\network-protection-exploit-guard.md)
+#### [Network Protection](windows-defender-exploit-guard\network-protection-exploit-guard.md)
#### [Evaluate Network Protection](windows-defender-exploit-guard\evaluate-network-protection.md)
#### [Enable Network Protection](windows-defender-exploit-guard\enable-network-protection.md)
#### [Troubleshoot Network protection](windows-defender-exploit-guard\troubleshoot-np.md)
-### [Controlled folder access](windows-defender-exploit-guard\controlled-folders-exploit-guard.md)
+#### [Controlled folder access](windows-defender-exploit-guard\controlled-folders-exploit-guard.md)
#### [Evaluate Controlled folder access](windows-defender-exploit-guard\evaluate-controlled-folder-access.md)
#### [Enable Controlled folder access](windows-defender-exploit-guard\enable-controlled-folders-exploit-guard.md)
#### [Customize Controlled folder access](windows-defender-exploit-guard\customize-controlled-folders-exploit-guard.md)
-### [Memory integrity](windows-defender-exploit-guard\memory-integrity.md)
-#### [Requirements for virtualization-based protection of code integrity](windows-defender-exploit-guard\requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
-#### [Enable virtualization-based protection of code integrity](windows-defender-exploit-guard\enable-virtualization-based-protection-of-code-integrity.md)
-## [Windows Defender Application Control](windows-defender-application-control/windows-defender-application-control.md)
-
-## [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md)
-
-## [Windows Defender Device Guard: virtualization-based security and WDAC](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
-
-## [Windows Defender SmartScreen](windows-defender-smartscreen/windows-defender-smartscreen-overview.md)
-### [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md)
-### [Set up and use Windows Defender SmartScreen on individual devices](windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md)
-
-##[Windows Defender Application Guard](windows-defender-application-guard/wd-app-guard-overview.md)
-###[System requirements for Windows Defender Application Guard](windows-defender-application-guard/reqs-wd-app-guard.md)
-###[Prepare and install Windows Defender Application Guard](windows-defender-application-guard/install-wd-app-guard.md)
-###[Configure the Group Policy settings for Windows Defender Application Guard](windows-defender-application-guard/configure-wd-app-guard.md)
-###[Testing scenarios using Windows Defender Application Guard in your business or organization](windows-defender-application-guard/test-scenarios-wd-app-guard.md)
-###[Frequently Asked Questions - Windows Defender Application Guard](windows-defender-application-guard/faq-wd-app-guard.md)
-
-## [Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md)
-
-## [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md)
-
-## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-intrusion-detection.md)
-
-## [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md)
-
-## [Security auditing](auditing/security-auditing-overview.md)
-### [Basic security audit policies](auditing/basic-security-audit-policies.md)
-#### [Create a basic audit policy for an event category](auditing/create-a-basic-audit-policy-settings-for-an-event-category.md)
-#### [Apply a basic audit policy on a file or folder](auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md)
-#### [View the security event log](auditing/view-the-security-event-log.md)
-#### [Basic security audit policy settings](auditing/basic-security-audit-policy-settings.md)
-##### [Audit account logon events](auditing/basic-audit-account-logon-events.md)
-##### [Audit account management](auditing/basic-audit-account-management.md)
-##### [Audit directory service access](auditing/basic-audit-directory-service-access.md)
-##### [Audit logon events](auditing/basic-audit-logon-events.md)
-##### [Audit object access](auditing/basic-audit-object-access.md)
-##### [Audit policy change](auditing/basic-audit-policy-change.md)
-##### [Audit privilege use](auditing/basic-audit-privilege-use.md)
-##### [Audit process tracking](auditing/basic-audit-process-tracking.md)
-##### [Audit system events](auditing/basic-audit-system-events.md)
-### [Advanced security audit policies](auditing/advanced-security-auditing.md)
-#### [Planning and deploying advanced security audit policies](auditing/planning-and-deploying-advanced-security-audit-policies.md)
-#### [Advanced security auditing FAQ](auditing/advanced-security-auditing-faq.md)
-##### [Which editions of Windows support advanced audit policy configuration](auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md)
-#### [Using advanced security auditing options to monitor dynamic access control objects](auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)
-##### [Monitor the central access policies that apply on a file server](auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md)
-##### [Monitor the use of removable storage devices](auditing/monitor-the-use-of-removable-storage-devices.md)
-##### [Monitor resource attribute definitions](auditing/monitor-resource-attribute-definitions.md)
-##### [Monitor central access policy and rule definitions](auditing/monitor-central-access-policy-and-rule-definitions.md)
-##### [Monitor user and device claims during sign-in](auditing/monitor-user-and-device-claims-during-sign-in.md)
-##### [Monitor the resource attributes on files and folders](auditing/monitor-the-resource-attributes-on-files-and-folders.md)
-##### [Monitor the central access policies associated with files and folders](auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md)
-##### [Monitor claim types](auditing/monitor-claim-types.md)
-#### [Advanced security audit policy settings](auditing/advanced-security-audit-policy-settings.md)
-##### [Audit Credential Validation](auditing/audit-credential-validation.md)
-###### [Event 4774 S, F: An account was mapped for logon.](auditing/event-4774.md)
-###### [Event 4775 F: An account could not be mapped for logon.](auditing/event-4775.md)
-###### [Event 4776 S, F: The computer attempted to validate the credentials for an account.](auditing/event-4776.md)
-###### [Event 4777 F: The domain controller failed to validate the credentials for an account.](auditing/event-4777.md)
-##### [Audit Kerberos Authentication Service](auditing/audit-kerberos-authentication-service.md)
-###### [Event 4768 S, F: A Kerberos authentication ticket, TGT, was requested.](auditing/event-4768.md)
-###### [Event 4771 F: Kerberos pre-authentication failed.](auditing/event-4771.md)
-###### [Event 4772 F: A Kerberos authentication ticket request failed.](auditing/event-4772.md)
-##### [Audit Kerberos Service Ticket Operations](auditing/audit-kerberos-service-ticket-operations.md)
-###### [Event 4769 S, F: A Kerberos service ticket was requested.](auditing/event-4769.md)
-###### [Event 4770 S: A Kerberos service ticket was renewed.](auditing/event-4770.md)
-###### [Event 4773 F: A Kerberos service ticket request failed.](auditing/event-4773.md)
-##### [Audit Other Account Logon Events](auditing/audit-other-account-logon-events.md)
-##### [Audit Application Group Management](auditing/audit-application-group-management.md)
-##### [Audit Computer Account Management](auditing/audit-computer-account-management.md)
-###### [Event 4741 S: A computer account was created.](auditing/event-4741.md)
-###### [Event 4742 S: A computer account was changed.](auditing/event-4742.md)
-###### [Event 4743 S: A computer account was deleted.](auditing/event-4743.md)
-##### [Audit Distribution Group Management](auditing/audit-distribution-group-management.md)
-###### [Event 4749 S: A security-disabled global group was created.](auditing/event-4749.md)
-###### [Event 4750 S: A security-disabled global group was changed.](auditing/event-4750.md)
-###### [Event 4751 S: A member was added to a security-disabled global group.](auditing/event-4751.md)
-###### [Event 4752 S: A member was removed from a security-disabled global group.](auditing/event-4752.md)
-###### [Event 4753 S: A security-disabled global group was deleted.](auditing/event-4753.md)
-##### [Audit Other Account Management Events](auditing/audit-other-account-management-events.md)
-###### [Event 4782 S: The password hash an account was accessed.](auditing/event-4782.md)
-###### [Event 4793 S: The Password Policy Checking API was called.](auditing/event-4793.md)
-##### [Audit Security Group Management](auditing/audit-security-group-management.md)
-###### [Event 4731 S: A security-enabled local group was created.](auditing/event-4731.md)
-###### [Event 4732 S: A member was added to a security-enabled local group.](auditing/event-4732.md)
-###### [Event 4733 S: A member was removed from a security-enabled local group.](auditing/event-4733.md)
-###### [Event 4734 S: A security-enabled local group was deleted.](auditing/event-4734.md)
-###### [Event 4735 S: A security-enabled local group was changed.](auditing/event-4735.md)
-###### [Event 4764 S: A group’s type was changed.](auditing/event-4764.md)
-###### [Event 4799 S: A security-enabled local group membership was enumerated.](auditing/event-4799.md)
-##### [Audit User Account Management](auditing/audit-user-account-management.md)
-###### [Event 4720 S: A user account was created.](auditing/event-4720.md)
-###### [Event 4722 S: A user account was enabled.](auditing/event-4722.md)
-###### [Event 4723 S, F: An attempt was made to change an account's password.](auditing/event-4723.md)
-###### [Event 4724 S, F: An attempt was made to reset an account's password.](auditing/event-4724.md)
-###### [Event 4725 S: A user account was disabled.](auditing/event-4725.md)
-###### [Event 4726 S: A user account was deleted.](auditing/event-4726.md)
-###### [Event 4738 S: A user account was changed.](auditing/event-4738.md)
-###### [Event 4740 S: A user account was locked out.](auditing/event-4740.md)
-###### [Event 4765 S: SID History was added to an account.](auditing/event-4765.md)
-###### [Event 4766 F: An attempt to add SID History to an account failed.](auditing/event-4766.md)
-###### [Event 4767 S: A user account was unlocked.](auditing/event-4767.md)
-###### [Event 4780 S: The ACL was set on accounts which are members of administrators groups.](auditing/event-4780.md)
-###### [Event 4781 S: The name of an account was changed.](auditing/event-4781.md)
-###### [Event 4794 S, F: An attempt was made to set the Directory Services Restore Mode administrator password.](auditing/event-4794.md)
-###### [Event 4798 S: A user's local group membership was enumerated.](auditing/event-4798.md)
-###### [Event 5376 S: Credential Manager credentials were backed up.](auditing/event-5376.md)
-###### [Event 5377 S: Credential Manager credentials were restored from a backup.](auditing/event-5377.md)
-##### [Audit DPAPI Activity](auditing/audit-dpapi-activity.md)
-###### [Event 4692 S, F: Backup of data protection master key was attempted.](auditing/event-4692.md)
-###### [Event 4693 S, F: Recovery of data protection master key was attempted.](auditing/event-4693.md)
-###### [Event 4694 S, F: Protection of auditable protected data was attempted.](auditing/event-4694.md)
-###### [Event 4695 S, F: Unprotection of auditable protected data was attempted.](auditing/event-4695.md)
-##### [Audit PNP Activity](auditing/audit-pnp-activity.md)
-###### [Event 6416 S: A new external device was recognized by the System.](auditing/event-6416.md)
-###### [Event 6419 S: A request was made to disable a device.](auditing/event-6419.md)
-###### [Event 6420 S: A device was disabled.](auditing/event-6420.md)
-###### [Event 6421 S: A request was made to enable a device.](auditing/event-6421.md)
-###### [Event 6422 S: A device was enabled.](auditing/event-6422.md)
-###### [Event 6423 S: The installation of this device is forbidden by system policy.](auditing/event-6423.md)
-###### [Event 6424 S: The installation of this device was allowed, after having previously been forbidden by policy.](auditing/event-6424.md)
-##### [Audit Process Creation](auditing/audit-process-creation.md)
-###### [Event 4688 S: A new process has been created.](auditing/event-4688.md)
-###### [Event 4696 S: A primary token was assigned to process.](auditing/event-4696.md)
-##### [Audit Process Termination](auditing/audit-process-termination.md)
-###### [Event 4689 S: A process has exited.](auditing/event-4689.md)
-##### [Audit RPC Events](auditing/audit-rpc-events.md)
-###### [Event 5712 S: A Remote Procedure Call, RPC, was attempted.](auditing/event-5712.md)
-##### [Audit Detailed Directory Service Replication](auditing/audit-detailed-directory-service-replication.md)
-###### [Event 4928 S, F: An Active Directory replica source naming context was established.](auditing/event-4928.md)
-###### [Event 4929 S, F: An Active Directory replica source naming context was removed.](auditing/event-4929.md)
-###### [Event 4930 S, F: An Active Directory replica source naming context was modified.](auditing/event-4930.md)
-###### [Event 4931 S, F: An Active Directory replica destination naming context was modified.](auditing/event-4931.md)
-###### [Event 4934 S: Attributes of an Active Directory object were replicated.](auditing/event-4934.md)
-###### [Event 4935 F: Replication failure begins.](auditing/event-4935.md)
-###### [Event 4936 S: Replication failure ends.](auditing/event-4936.md)
-###### [Event 4937 S: A lingering object was removed from a replica.](auditing/event-4937.md)
-##### [Audit Directory Service Access](auditing/audit-directory-service-access.md)
-###### [Event 4662 S, F: An operation was performed on an object.](auditing/event-4662.md)
-###### [Event 4661 S, F: A handle to an object was requested.](auditing/event-4661.md)
-##### [Audit Directory Service Changes](auditing/audit-directory-service-changes.md)
-###### [Event 5136 S: A directory service object was modified.](auditing/event-5136.md)
-###### [Event 5137 S: A directory service object was created.](auditing/event-5137.md)
-###### [Event 5138 S: A directory service object was undeleted.](auditing/event-5138.md)
-###### [Event 5139 S: A directory service object was moved.](auditing/event-5139.md)
-###### [Event 5141 S: A directory service object was deleted.](auditing/event-5141.md)
-##### [Audit Directory Service Replication](auditing/audit-directory-service-replication.md)
-###### [Event 4932 S: Synchronization of a replica of an Active Directory naming context has begun.](auditing/event-4932.md)
-###### [Event 4933 S, F: Synchronization of a replica of an Active Directory naming context has ended.](auditing/event-4933.md)
-##### [Audit Account Lockout](auditing/audit-account-lockout.md)
-###### [Event 4625 F: An account failed to log on.](auditing/event-4625.md)
-##### [Audit User/Device Claims](auditing/audit-user-device-claims.md)
-###### [Event 4626 S: User/Device claims information.](auditing/event-4626.md)
-##### [Audit Group Membership](auditing/audit-group-membership.md)
-###### [Event 4627 S: Group membership information.](auditing/event-4627.md)
-##### [Audit IPsec Extended Mode](auditing/audit-ipsec-extended-mode.md)
-##### [Audit IPsec Main Mode](auditing/audit-ipsec-main-mode.md)
-##### [Audit IPsec Quick Mode](auditing/audit-ipsec-quick-mode.md)
-##### [Audit Logoff](auditing/audit-logoff.md)
-###### [Event 4634 S: An account was logged off.](auditing/event-4634.md)
-###### [Event 4647 S: User initiated logoff.](auditing/event-4647.md)
-##### [Audit Logon](auditing/audit-logon.md)
-###### [Event 4624 S: An account was successfully logged on.](auditing/event-4624.md)
-###### [Event 4625 F: An account failed to log on.](auditing/event-4625.md)
-###### [Event 4648 S: A logon was attempted using explicit credentials.](auditing/event-4648.md)
-###### [Event 4675 S: SIDs were filtered.](auditing/event-4675.md)
-##### [Audit Network Policy Server](auditing/audit-network-policy-server.md)
-##### [Audit Other Logon/Logoff Events](auditing/audit-other-logonlogoff-events.md)
-###### [Event 4649 S: A replay attack was detected.](auditing/event-4649.md)
-###### [Event 4778 S: A session was reconnected to a Window Station.](auditing/event-4778.md)
-###### [Event 4779 S: A session was disconnected from a Window Station.](auditing/event-4779.md)
-###### [Event 4800 S: The workstation was locked.](auditing/event-4800.md)
-###### [Event 4801 S: The workstation was unlocked.](auditing/event-4801.md)
-###### [Event 4802 S: The screen saver was invoked.](auditing/event-4802.md)
-###### [Event 4803 S: The screen saver was dismissed.](auditing/event-4803.md)
-###### [Event 5378 F: The requested credentials delegation was disallowed by policy.](auditing/event-5378.md)
-###### [Event 5632 S, F: A request was made to authenticate to a wireless network.](auditing/event-5632.md)
-###### [Event 5633 S, F: A request was made to authenticate to a wired network.](auditing/event-5633.md)
-##### [Audit Special Logon](auditing/audit-special-logon.md)
-###### [Event 4964 S: Special groups have been assigned to a new logon.](auditing/event-4964.md)
-###### [Event 4672 S: Special privileges assigned to new logon.](auditing/event-4672.md)
-##### [Audit Application Generated](auditing/audit-application-generated.md)
-##### [Audit Certification Services](auditing/audit-certification-services.md)
-##### [Audit Detailed File Share](auditing/audit-detailed-file-share.md)
-###### [Event 5145 S, F: A network share object was checked to see whether client can be granted desired access.](auditing/event-5145.md)
-##### [Audit File Share](auditing/audit-file-share.md)
-###### [Event 5140 S, F: A network share object was accessed.](auditing/event-5140.md)
-###### [Event 5142 S: A network share object was added.](auditing/event-5142.md)
-###### [Event 5143 S: A network share object was modified.](auditing/event-5143.md)
-###### [Event 5144 S: A network share object was deleted.](auditing/event-5144.md)
-###### [Event 5168 F: SPN check for SMB/SMB2 failed.](auditing/event-5168.md)
-##### [Audit File System](auditing/audit-file-system.md)
-###### [Event 4656 S, F: A handle to an object was requested.](auditing/event-4656.md)
-###### [Event 4658 S: The handle to an object was closed.](auditing/event-4658.md)
-###### [Event 4660 S: An object was deleted.](auditing/event-4660.md)
-###### [Event 4663 S: An attempt was made to access an object.](auditing/event-4663.md)
-###### [Event 4664 S: An attempt was made to create a hard link.](auditing/event-4664.md)
-###### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md)
-###### [Event 5051: A file was virtualized.](auditing/event-5051.md)
-###### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md)
-##### [Audit Filtering Platform Connection](auditing/audit-filtering-platform-connection.md)
-###### [Event 5031 F: The Windows Firewall Service blocked an application from accepting incoming connections on the network.](auditing/event-5031.md)
-###### [Event 5150: The Windows Filtering Platform blocked a packet.](auditing/event-5150.md)
-###### [Event 5151: A more restrictive Windows Filtering Platform filter has blocked a packet.](auditing/event-5151.md)
-###### [Event 5154 S: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.](auditing/event-5154.md)
-###### [Event 5155 F: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.](auditing/event-5155.md)
-###### [Event 5156 S: The Windows Filtering Platform has permitted a connection.](auditing/event-5156.md)
-###### [Event 5157 F: The Windows Filtering Platform has blocked a connection.](auditing/event-5157.md)
-###### [Event 5158 S: The Windows Filtering Platform has permitted a bind to a local port.](auditing/event-5158.md)
-###### [Event 5159 F: The Windows Filtering Platform has blocked a bind to a local port.](auditing/event-5159.md)
-##### [Audit Filtering Platform Packet Drop](auditing/audit-filtering-platform-packet-drop.md)
-###### [Event 5152 F: The Windows Filtering Platform blocked a packet.](auditing/event-5152.md)
-###### [Event 5153 S: A more restrictive Windows Filtering Platform filter has blocked a packet.](auditing/event-5153.md)
-##### [Audit Handle Manipulation](auditing/audit-handle-manipulation.md)
-###### [Event 4690 S: An attempt was made to duplicate a handle to an object.](auditing/event-4690.md)
-##### [Audit Kernel Object](auditing/audit-kernel-object.md)
-###### [Event 4656 S, F: A handle to an object was requested.](auditing/event-4656.md)
-###### [Event 4658 S: The handle to an object was closed.](auditing/event-4658.md)
-###### [Event 4660 S: An object was deleted.](auditing/event-4660.md)
-###### [Event 4663 S: An attempt was made to access an object.](auditing/event-4663.md)
-##### [Audit Other Object Access Events](auditing/audit-other-object-access-events.md)
-###### [Event 4671: An application attempted to access a blocked ordinal through the TBS.](auditing/event-4671.md)
-###### [Event 4691 S: Indirect access to an object was requested.](auditing/event-4691.md)
-###### [Event 5148 F: The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.](auditing/event-5148.md)
-###### [Event 5149 F: The DoS attack has subsided and normal processing is being resumed.](auditing/event-5149.md)
-###### [Event 4698 S: A scheduled task was created.](auditing/event-4698.md)
-###### [Event 4699 S: A scheduled task was deleted.](auditing/event-4699.md)
-###### [Event 4700 S: A scheduled task was enabled.](auditing/event-4700.md)
-###### [Event 4701 S: A scheduled task was disabled.](auditing/event-4701.md)
-###### [Event 4702 S: A scheduled task was updated.](auditing/event-4702.md)
-###### [Event 5888 S: An object in the COM+ Catalog was modified.](auditing/event-5888.md)
-###### [Event 5889 S: An object was deleted from the COM+ Catalog.](auditing/event-5889.md)
-###### [Event 5890 S: An object was added to the COM+ Catalog.](auditing/event-5890.md)
-##### [Audit Registry](auditing/audit-registry.md)
-###### [Event 4663 S: An attempt was made to access an object.](auditing/event-4663.md)
-###### [Event 4656 S, F: A handle to an object was requested.](auditing/event-4656.md)
-###### [Event 4658 S: The handle to an object was closed.](auditing/event-4658.md)
-###### [Event 4660 S: An object was deleted.](auditing/event-4660.md)
-###### [Event 4657 S: A registry value was modified.](auditing/event-4657.md)
-###### [Event 5039: A registry key was virtualized.](auditing/event-5039.md)
-###### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md)
-##### [Audit Removable Storage](auditing/audit-removable-storage.md)
-##### [Audit SAM](auditing/audit-sam.md)
-###### [Event 4661 S, F: A handle to an object was requested.](auditing/event-4661.md)
-##### [Audit Central Access Policy Staging](auditing/audit-central-access-policy-staging.md)
-###### [Event 4818 S: Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.](auditing/event-4818.md)
-##### [Audit Audit Policy Change](auditing/audit-audit-policy-change.md)
-###### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md)
-###### [Event 4715 S: The audit policy, SACL, on an object was changed.](auditing/event-4715.md)
-###### [Event 4719 S: System audit policy was changed.](auditing/event-4719.md)
-###### [Event 4817 S: Auditing settings on object were changed.](auditing/event-4817.md)
-###### [Event 4902 S: The Per-user audit policy table was created.](auditing/event-4902.md)
-###### [Event 4906 S: The CrashOnAuditFail value has changed.](auditing/event-4906.md)
-###### [Event 4907 S: Auditing settings on object were changed.](auditing/event-4907.md)
-###### [Event 4908 S: Special Groups Logon table modified.](auditing/event-4908.md)
-###### [Event 4912 S: Per User Audit Policy was changed.](auditing/event-4912.md)
-###### [Event 4904 S: An attempt was made to register a security event source.](auditing/event-4904.md)
-###### [Event 4905 S: An attempt was made to unregister a security event source.](auditing/event-4905.md)
-##### [Audit Authentication Policy Change](auditing/audit-authentication-policy-change.md)
-###### [Event 4706 S: A new trust was created to a domain.](auditing/event-4706.md)
-###### [Event 4707 S: A trust to a domain was removed.](auditing/event-4707.md)
-###### [Event 4716 S: Trusted domain information was modified.](auditing/event-4716.md)
-###### [Event 4713 S: Kerberos policy was changed.](auditing/event-4713.md)
-###### [Event 4717 S: System security access was granted to an account.](auditing/event-4717.md)
-###### [Event 4718 S: System security access was removed from an account.](auditing/event-4718.md)
-###### [Event 4739 S: Domain Policy was changed.](auditing/event-4739.md)
-###### [Event 4864 S: A namespace collision was detected.](auditing/event-4864.md)
-###### [Event 4865 S: A trusted forest information entry was added.](auditing/event-4865.md)
-###### [Event 4866 S: A trusted forest information entry was removed.](auditing/event-4866.md)
-###### [Event 4867 S: A trusted forest information entry was modified.](auditing/event-4867.md)
-##### [Audit Authorization Policy Change](auditing/audit-authorization-policy-change.md)
-###### [Event 4703 S: A user right was adjusted.](auditing/event-4703.md)
-###### [Event 4704 S: A user right was assigned.](auditing/event-4704.md)
-###### [Event 4705 S: A user right was removed.](auditing/event-4705.md)
-###### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md)
-###### [Event 4911 S: Resource attributes of the object were changed.](auditing/event-4911.md)
-###### [Event 4913 S: Central Access Policy on the object was changed.](auditing/event-4913.md)
-##### [Audit Filtering Platform Policy Change](auditing/audit-filtering-platform-policy-change.md)
-##### [Audit MPSSVC Rule-Level Policy Change](auditing/audit-mpssvc-rule-level-policy-change.md)
-###### [Event 4944 S: The following policy was active when the Windows Firewall started.](auditing/event-4944.md)
-###### [Event 4945 S: A rule was listed when the Windows Firewall started.](auditing/event-4945.md)
-###### [Event 4946 S: A change has been made to Windows Firewall exception list. A rule was added.](auditing/event-4946.md)
-###### [Event 4947 S: A change has been made to Windows Firewall exception list. A rule was modified.](auditing/event-4947.md)
-###### [Event 4948 S: A change has been made to Windows Firewall exception list. A rule was deleted.](auditing/event-4948.md)
-###### [Event 4949 S: Windows Firewall settings were restored to the default values.](auditing/event-4949.md)
-###### [Event 4950 S: A Windows Firewall setting has changed.](auditing/event-4950.md)
-###### [Event 4951 F: A rule has been ignored because its major version number was not recognized by Windows Firewall.](auditing/event-4951.md)
-###### [Event 4952 F: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.](auditing/event-4952.md)
-###### [Event 4953 F: Windows Firewall ignored a rule because it could not be parsed.](auditing/event-4953.md)
-###### [Event 4954 S: Windows Firewall Group Policy settings have changed. The new settings have been applied.](auditing/event-4954.md)
-###### [Event 4956 S: Windows Firewall has changed the active profile.](auditing/event-4956.md)
-###### [Event 4957 F: Windows Firewall did not apply the following rule.](auditing/event-4957.md)
-###### [Event 4958 F: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer.](auditing/event-4958.md)
-##### [Audit Other Policy Change Events](auditing/audit-other-policy-change-events.md)
-###### [Event 4714 S: Encrypted data recovery policy was changed.](auditing/event-4714.md)
-###### [Event 4819 S: Central Access Policies on the machine have been changed.](auditing/event-4819.md)
-###### [Event 4826 S: Boot Configuration Data loaded.](auditing/event-4826.md)
-###### [Event 4909: The local policy settings for the TBS were changed.](auditing/event-4909.md)
-###### [Event 4910: The group policy settings for the TBS were changed.](auditing/event-4910.md)
-###### [Event 5063 S, F: A cryptographic provider operation was attempted.](auditing/event-5063.md)
-###### [Event 5064 S, F: A cryptographic context operation was attempted.](auditing/event-5064.md)
-###### [Event 5065 S, F: A cryptographic context modification was attempted.](auditing/event-5065.md)
-###### [Event 5066 S, F: A cryptographic function operation was attempted.](auditing/event-5066.md)
-###### [Event 5067 S, F: A cryptographic function modification was attempted.](auditing/event-5067.md)
-###### [Event 5068 S, F: A cryptographic function provider operation was attempted.](auditing/event-5068.md)
-###### [Event 5069 S, F: A cryptographic function property operation was attempted.](auditing/event-5069.md)
-###### [Event 5070 S, F: A cryptographic function property modification was attempted.](auditing/event-5070.md)
-###### [Event 5447 S: A Windows Filtering Platform filter has been changed.](auditing/event-5447.md)
-###### [Event 6144 S: Security policy in the group policy objects has been applied successfully.](auditing/event-6144.md)
-###### [Event 6145 F: One or more errors occurred while processing security policy in the group policy objects.](auditing/event-6145.md)
-##### [Audit Sensitive Privilege Use](auditing/audit-sensitive-privilege-use.md)
-###### [Event 4673 S, F: A privileged service was called.](auditing/event-4673.md)
-###### [Event 4674 S, F: An operation was attempted on a privileged object.](auditing/event-4674.md)
-###### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md)
-##### [Audit Non Sensitive Privilege Use](auditing/audit-non-sensitive-privilege-use.md)
-###### [Event 4673 S, F: A privileged service was called.](auditing/event-4673.md)
-###### [Event 4674 S, F: An operation was attempted on a privileged object.](auditing/event-4674.md)
-###### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md)
-##### [Audit Other Privilege Use Events](auditing/audit-other-privilege-use-events.md)
-###### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md)
-##### [Audit IPsec Driver](auditing/audit-ipsec-driver.md)
-##### [Audit Other System Events](auditing/audit-other-system-events.md)
-###### [Event 5024 S: The Windows Firewall Service has started successfully.](auditing/event-5024.md)
-###### [Event 5025 S: The Windows Firewall Service has been stopped.](auditing/event-5025.md)
-###### [Event 5027 F: The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.](auditing/event-5027.md)
-###### [Event 5028 F: The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.](auditing/event-5028.md)
-###### [Event 5029 F: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.](auditing/event-5029.md)
-###### [Event 5030 F: The Windows Firewall Service failed to start.](auditing/event-5030.md)
-###### [Event 5032 F: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.](auditing/event-5032.md)
-###### [Event 5033 S: The Windows Firewall Driver has started successfully.](auditing/event-5033.md)
-###### [Event 5034 S: The Windows Firewall Driver was stopped.](auditing/event-5034.md)
-###### [Event 5035 F: The Windows Firewall Driver failed to start.](auditing/event-5035.md)
-###### [Event 5037 F: The Windows Firewall Driver detected critical runtime error. Terminating.](auditing/event-5037.md)
-###### [Event 5058 S, F: Key file operation.](auditing/event-5058.md)
-###### [Event 5059 S, F: Key migration operation.](auditing/event-5059.md)
-###### [Event 6400: BranchCache: Received an incorrectly formatted response while discovering availability of content.](auditing/event-6400.md)
-###### [Event 6401: BranchCache: Received invalid data from a peer. Data discarded.](auditing/event-6401.md)
-###### [Event 6402: BranchCache: The message to the hosted cache offering it data is incorrectly formatted.](auditing/event-6402.md)
-###### [Event 6403: BranchCache: The hosted cache sent an incorrectly formatted response to the client.](auditing/event-6403.md)
-###### [Event 6404: BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.](auditing/event-6404.md)
-###### [Event 6405: BranchCache: %2 instances of event id %1 occurred.](auditing/event-6405.md)
-###### [Event 6406: %1 registered to Windows Firewall to control filtering for the following: %2.](auditing/event-6406.md)
-###### [Event 6407: 1%.](auditing/event-6407.md)
-###### [Event 6408: Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.](auditing/event-6408.md)
-###### [Event 6409: BranchCache: A service connection point object could not be parsed.](auditing/event-6409.md)
-##### [Audit Security State Change](auditing/audit-security-state-change.md)
-###### [Event 4608 S: Windows is starting up.](auditing/event-4608.md)
-###### [Event 4616 S: The system time was changed.](auditing/event-4616.md)
-###### [Event 4621 S: Administrator recovered system from CrashOnAuditFail.](auditing/event-4621.md)
-##### [Audit Security System Extension](auditing/audit-security-system-extension.md)
-###### [Event 4610 S: An authentication package has been loaded by the Local Security Authority.](auditing/event-4610.md)
-###### [Event 4611 S: A trusted logon process has been registered with the Local Security Authority.](auditing/event-4611.md)
-###### [Event 4614 S: A notification package has been loaded by the Security Account Manager.](auditing/event-4614.md)
-###### [Event 4622 S: A security package has been loaded by the Local Security Authority.](auditing/event-4622.md)
-###### [Event 4697 S: A service was installed in the system.](auditing/event-4697.md)
-##### [Audit System Integrity](auditing/audit-system-integrity.md)
-###### [Event 4612 S: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.](auditing/event-4612.md)
-###### [Event 4615 S: Invalid use of LPC port.](auditing/event-4615.md)
-###### [Event 4618 S: A monitored security event pattern has occurred.](auditing/event-4618.md)
-###### [Event 4816 S: RPC detected an integrity violation while decrypting an incoming message.](auditing/event-4816.md)
-###### [Event 5038 F: Code integrity determined that the image hash of a file is not valid.](auditing/event-5038.md)
-###### [Event 5056 S: A cryptographic self-test was performed.](auditing/event-5056.md)
-###### [Event 5062 S: A kernel-mode cryptographic self-test was performed.](auditing/event-5062.md)
-###### [Event 5057 F: A cryptographic primitive operation failed.](auditing/event-5057.md)
-###### [Event 5060 F: Verification operation failed.](auditing/event-5060.md)
-###### [Event 5061 S, F: Cryptographic operation.](auditing/event-5061.md)
-###### [Event 6281 F: Code Integrity determined that the page hashes of an image file are not valid.](auditing/event-6281.md)
-###### [Event 6410 F: Code integrity determined that a file does not meet the security requirements to load into a process.](auditing/event-6410.md)
-##### [Other Events](auditing/other-events.md)
-###### [Event 1100 S: The event logging service has shut down.](auditing/event-1100.md)
-###### [Event 1102 S: The audit log was cleared.](auditing/event-1102.md)
-###### [Event 1104 S: The security log is now full.](auditing/event-1104.md)
-###### [Event 1105 S: Event log automatic backup.](auditing/event-1105.md)
-###### [Event 1108 S: The event logging service encountered an error while processing an incoming event published from %1.](auditing/event-1108.md)
-##### [Appendix A: Security monitoring recommendations for many audit events](auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md)
-##### [Registry (Global Object Access Auditing) ](auditing/registry-global-object-access-auditing.md)
-##### [File System (Global Object Access Auditing) ](auditing/file-system-global-object-access-auditing.md)
-
-## [Security policy settings](security-policy-settings/security-policy-settings.md)
-### [Administer security policy settings](security-policy-settings/administer-security-policy-settings.md)
-#### [Network List Manager policies](security-policy-settings/network-list-manager-policies.md)
-### [Configure security policy settings](security-policy-settings/how-to-configure-security-policy-settings.md)
-### [Security policy settings reference](security-policy-settings/security-policy-settings-reference.md)
-#### [Account Policies](security-policy-settings/account-policies.md)
-##### [Password Policy](security-policy-settings/password-policy.md)
-###### [Enforce password history](security-policy-settings/enforce-password-history.md)
-###### [Maximum password age](security-policy-settings/maximum-password-age.md)
-###### [Minimum password age](security-policy-settings/minimum-password-age.md)
-###### [Minimum password length](security-policy-settings/minimum-password-length.md)
-###### [Password must meet complexity requirements](security-policy-settings/password-must-meet-complexity-requirements.md)
-###### [Store passwords using reversible encryption](security-policy-settings/store-passwords-using-reversible-encryption.md)
-##### [Account Lockout Policy](security-policy-settings/account-lockout-policy.md)
-###### [Account lockout duration](security-policy-settings/account-lockout-duration.md)
-###### [Account lockout threshold](security-policy-settings/account-lockout-threshold.md)
-###### [Reset account lockout counter after](security-policy-settings/reset-account-lockout-counter-after.md)
-##### [Kerberos Policy](security-policy-settings/kerberos-policy.md)
-###### [Enforce user logon restrictions](security-policy-settings/enforce-user-logon-restrictions.md)
-###### [Maximum lifetime for service ticket](security-policy-settings/maximum-lifetime-for-service-ticket.md)
-###### [Maximum lifetime for user ticket](security-policy-settings/maximum-lifetime-for-user-ticket.md)
-###### [Maximum lifetime for user ticket renewal](security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md)
-###### [Maximum tolerance for computer clock synchronization](security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md)
-#### [Audit Policy](security-policy-settings/audit-policy.md)
-#### [Security Options](security-policy-settings/security-options.md)
-##### [Accounts: Administrator account status](security-policy-settings/accounts-administrator-account-status.md)
-##### [Accounts: Block Microsoft accounts](security-policy-settings/accounts-block-microsoft-accounts.md)
-##### [Accounts: Guest account status](security-policy-settings/accounts-guest-account-status.md)
-##### [Accounts: Limit local account use of blank passwords to console logon only](security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md)
-##### [Accounts: Rename administrator account](security-policy-settings/accounts-rename-administrator-account.md)
-##### [Accounts: Rename guest account](security-policy-settings/accounts-rename-guest-account.md)
-##### [Audit: Audit the access of global system objects](security-policy-settings/audit-audit-the-access-of-global-system-objects.md)
-##### [Audit: Audit the use of Backup and Restore privilege](security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md)
-##### [Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings](security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md)
-##### [Audit: Shut down system immediately if unable to log security audits](security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md)
-##### [DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax](security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md)
-##### [DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax](security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md)
-##### [Devices: Allow undock without having to log on](security-policy-settings/devices-allow-undock-without-having-to-log-on.md)
-##### [Devices: Allowed to format and eject removable media](security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md)
-##### [Devices: Prevent users from installing printer drivers](security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md)
-##### [Devices: Restrict CD-ROM access to locally logged-on user only](security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md)
-##### [Devices: Restrict floppy access to locally logged-on user only](security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md)
-##### [Domain controller: Allow server operators to schedule tasks](security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md)
-##### [Domain controller: LDAP server signing requirements](security-policy-settings/domain-controller-ldap-server-signing-requirements.md)
-##### [Domain controller: Refuse machine account password changes](security-policy-settings/domain-controller-refuse-machine-account-password-changes.md)
-##### [Domain member: Digitally encrypt or sign secure channel data (always)](security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md)
-##### [Domain member: Digitally encrypt secure channel data (when possible)](security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md)
-##### [Domain member: Digitally sign secure channel data (when possible)](security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md)
-##### [Domain member: Disable machine account password changes](security-policy-settings/domain-member-disable-machine-account-password-changes.md)
-##### [Domain member: Maximum machine account password age](security-policy-settings/domain-member-maximum-machine-account-password-age.md)
-##### [Domain member: Require strong (Windows 2000 or later) session key](security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md)
-##### [Interactive logon: Display user information when the session is locked](security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md)
-##### [Interactive logon: Don't display last signed-in](security-policy-settings/interactive-logon-do-not-display-last-user-name.md)
-##### [Interactive logon: Don't display username at sign-in](security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md)
-##### [Interactive logon: Do not require CTRL+ALT+DEL](security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md)
-##### [Interactive logon: Machine account lockout threshold](security-policy-settings/interactive-logon-machine-account-lockout-threshold.md)
-##### [Interactive logon: Machine inactivity limit](security-policy-settings/interactive-logon-machine-inactivity-limit.md)
-##### [Interactive logon: Message text for users attempting to log on](security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md)
-##### [Interactive logon: Message title for users attempting to log on](security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md)
-##### [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md)
-##### [Interactive logon: Prompt user to change password before expiration](security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md)
-##### [Interactive logon: Require Domain Controller authentication to unlock workstation](security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md)
-##### [Interactive logon: Require smart card](security-policy-settings/interactive-logon-require-smart-card.md)
-##### [Interactive logon: Smart card removal behavior](security-policy-settings/interactive-logon-smart-card-removal-behavior.md)
-##### [Microsoft network client: Digitally sign communications (always)](security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md)
-##### [SMBv1 Microsoft network client: Digitally sign communications (always)](security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md)
-##### [SMBv1 Microsoft network client: Digitally sign communications (if server agrees)](security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md)
-##### [Microsoft network client: Send unencrypted password to third-party SMB servers](security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md)
-##### [Microsoft network server: Amount of idle time required before suspending session](security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md)
-##### [Microsoft network server: Attempt S4U2Self to obtain claim information](security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md)
-##### [Microsoft network server: Digitally sign communications (always)](security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md)
-##### [SMBv1 Microsoft network server: Digitally sign communications (always)](security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md)
-##### [SMBv1 Microsoft network server: Digitally sign communications (if client agrees)](security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md)
-##### [Microsoft network server: Disconnect clients when logon hours expire](security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md)
-##### [Microsoft network server: Server SPN target name validation level](security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md)
-##### [Network access: Allow anonymous SID/Name translation](security-policy-settings/network-access-allow-anonymous-sidname-translation.md)
-##### [Network access: Do not allow anonymous enumeration of SAM accounts](security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md)
-##### [Network access: Do not allow anonymous enumeration of SAM accounts and shares](security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md)
-##### [Network access: Do not allow storage of passwords and credentials for network authentication](security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md)
-##### [Network access: Let Everyone permissions apply to anonymous users](security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md)
-##### [Network access: Named Pipes that can be accessed anonymously](security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md)
-##### [Network access: Remotely accessible registry paths](security-policy-settings/network-access-remotely-accessible-registry-paths.md)
-##### [Network access: Remotely accessible registry paths and subpaths](security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md)
-##### [Network access: Restrict anonymous access to Named Pipes and Shares](security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md)
-##### [Network access: Restrict clients allowed to make remote calls to SAM](security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md)
-##### [Network access: Shares that can be accessed anonymously](security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md)
-##### [Network access: Sharing and security model for local accounts](security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md)
-##### [Network security: Allow Local System to use computer identity for NTLM](security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md)
-##### [Network security: Allow LocalSystem NULL session fallback](security-policy-settings/network-security-allow-localsystem-null-session-fallback.md)
-##### [Network security: Allow PKU2U authentication requests to this computer to use online identities](security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md)
-##### [Network security: Configure encryption types allowed for Kerberos Win7 only](security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md)
-##### [Network security: Do not store LAN Manager hash value on next password change](security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md)
-##### [Network security: Force logoff when logon hours expire](security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md)
-##### [Network security: LAN Manager authentication level](security-policy-settings/network-security-lan-manager-authentication-level.md)
-##### [Network security: LDAP client signing requirements](security-policy-settings/network-security-ldap-client-signing-requirements.md)
-##### [Network security: Minimum session security for NTLM SSP based (including secure RPC) clients](security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md)
-##### [Network security: Minimum session security for NTLM SSP based (including secure RPC) servers](security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md)
-##### [Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication](security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md)
-##### [Network security: Restrict NTLM: Add server exceptions in this domain](security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md)
-##### [Network security: Restrict NTLM: Audit incoming NTLM traffic](security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md)
-##### [Network security: Restrict NTLM: Audit NTLM authentication in this domain](security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md)
-##### [Network security: Restrict NTLM: Incoming NTLM traffic](security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md)
-##### [Network security: Restrict NTLM: NTLM authentication in this domain](security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md)
-##### [Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers](security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md)
-##### [Recovery console: Allow automatic administrative logon](security-policy-settings/recovery-console-allow-automatic-administrative-logon.md)
-##### [Recovery console: Allow floppy copy and access to all drives and folders](security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md)
-##### [Shutdown: Allow system to be shut down without having to log on](security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md)
-##### [Shutdown: Clear virtual memory pagefile](security-policy-settings/shutdown-clear-virtual-memory-pagefile.md)
-##### [System cryptography: Force strong key protection for user keys stored on the computer](security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md)
-##### [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md)
-##### [System objects: Require case insensitivity for non-Windows subsystems](security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md)
-##### [System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)](security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md)
-##### [System settings: Optional subsystems](security-policy-settings/system-settings-optional-subsystems.md)
-##### [System settings: Use certificate rules on Windows executables for Software Restriction Policies](security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md)
-##### [User Account Control: Admin Approval Mode for the Built-in Administrator account](security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md)
-##### [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md)
-##### [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md)
-##### [User Account Control: Behavior of the elevation prompt for standard users](security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md)
-##### [User Account Control: Detect application installations and prompt for elevation](security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md)
-##### [User Account Control: Only elevate executables that are signed and validated](security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md)
-##### [User Account Control: Only elevate UIAccess applications that are installed in secure locations](security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md)
-##### [User Account Control: Run all administrators in Admin Approval Mode](security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md)
-##### [User Account Control: Switch to the secure desktop when prompting for elevation](security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md)
-##### [User Account Control: Virtualize file and registry write failures to per-user locations](security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md)
-#### [Advanced security audit policy settings](security-policy-settings/secpol-advanced-security-audit-policy-settings.md)
-#### [User Rights Assignment](security-policy-settings/user-rights-assignment.md)
-##### [Access Credential Manager as a trusted caller](security-policy-settings/access-credential-manager-as-a-trusted-caller.md)
-##### [Access this computer from the network](security-policy-settings/access-this-computer-from-the-network.md)
-##### [Act as part of the operating system](security-policy-settings/act-as-part-of-the-operating-system.md)
-##### [Add workstations to domain](security-policy-settings/add-workstations-to-domain.md)
-##### [Adjust memory quotas for a process](security-policy-settings/adjust-memory-quotas-for-a-process.md)
-##### [Allow log on locally](security-policy-settings/allow-log-on-locally.md)
-##### [Allow log on through Remote Desktop Services](security-policy-settings/allow-log-on-through-remote-desktop-services.md)
-##### [Back up files and directories](security-policy-settings/back-up-files-and-directories.md)
-##### [Bypass traverse checking](security-policy-settings/bypass-traverse-checking.md)
-##### [Change the system time](security-policy-settings/change-the-system-time.md)
-##### [Change the time zone](security-policy-settings/change-the-time-zone.md)
-##### [Create a pagefile](security-policy-settings/create-a-pagefile.md)
-##### [Create a token object](security-policy-settings/create-a-token-object.md)
-##### [Create global objects](security-policy-settings/create-global-objects.md)
-##### [Create permanent shared objects](security-policy-settings/create-permanent-shared-objects.md)
-##### [Create symbolic links](security-policy-settings/create-symbolic-links.md)
-##### [Debug programs](security-policy-settings/debug-programs.md)
-##### [Deny access to this computer from the network](security-policy-settings/deny-access-to-this-computer-from-the-network.md)
-##### [Deny log on as a batch job](security-policy-settings/deny-log-on-as-a-batch-job.md)
-##### [Deny log on as a service](security-policy-settings/deny-log-on-as-a-service.md)
-##### [Deny log on locally](security-policy-settings/deny-log-on-locally.md)
-##### [Deny log on through Remote Desktop Services](security-policy-settings/deny-log-on-through-remote-desktop-services.md)
-##### [Enable computer and user accounts to be trusted for delegation](security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md)
-##### [Force shutdown from a remote system](security-policy-settings/force-shutdown-from-a-remote-system.md)
-##### [Generate security audits](security-policy-settings/generate-security-audits.md)
-##### [Impersonate a client after authentication](security-policy-settings/impersonate-a-client-after-authentication.md)
-##### [Increase a process working set](security-policy-settings/increase-a-process-working-set.md)
-##### [Increase scheduling priority](security-policy-settings/increase-scheduling-priority.md)
-##### [Load and unload device drivers](security-policy-settings/load-and-unload-device-drivers.md)
-##### [Lock pages in memory](security-policy-settings/lock-pages-in-memory.md)
-##### [Log on as a batch job](security-policy-settings/log-on-as-a-batch-job.md)
-##### [Log on as a service](security-policy-settings/log-on-as-a-service.md)
-##### [Manage auditing and security log](security-policy-settings/manage-auditing-and-security-log.md)
-##### [Modify an object label](security-policy-settings/modify-an-object-label.md)
-##### [Modify firmware environment values](security-policy-settings/modify-firmware-environment-values.md)
-##### [Perform volume maintenance tasks](security-policy-settings/perform-volume-maintenance-tasks.md)
-##### [Profile single process](security-policy-settings/profile-single-process.md)
-##### [Profile system performance](security-policy-settings/profile-system-performance.md)
-##### [Remove computer from docking station](security-policy-settings/remove-computer-from-docking-station.md)
-##### [Replace a process level token](security-policy-settings/replace-a-process-level-token.md)
-##### [Restore files and directories](security-policy-settings/restore-files-and-directories.md)
-##### [Shut down the system](security-policy-settings/shut-down-the-system.md)
-##### [Synchronize directory service data](security-policy-settings/synchronize-directory-service-data.md)
-##### [Take ownership of files or other objects](security-policy-settings/take-ownership-of-files-or-other-objects.md)
-## [Windows security baselines](windows-security-baselines.md)
+### [Windows Defender Application Control](windows-defender-application-control/windows-defender-application-control.md)
+
+
+
+
+
+
+### [Windows Defender Application Guard](windows-defender-application-guard/wd-app-guard-overview.md)
+#### [System requirements for Windows Defender Application Guard](windows-defender-application-guard/reqs-wd-app-guard.md)
+#### [Prepare and install Windows Defender Application Guard](windows-defender-application-guard/install-wd-app-guard.md)
+#### [Configure the Group Policy settings for Windows Defender Application Guard](windows-defender-application-guard/configure-wd-app-guard.md)
+#### [Testing scenarios using Windows Defender Application Guard in your business or organization](windows-defender-application-guard/test-scenarios-wd-app-guard.md)
+#### [Frequently Asked Questions - Windows Defender Application Guard](windows-defender-application-guard/faq-wd-app-guard.md)
+
+
+## Other security features
+### [The Windows Security app](windows-defender-security-center/windows-defender-security-center.md)
+#### [Customize the Windows Security app for your organization](windows-defender-security-center/wdsc-customize-contact-information.md)
+#### [Hide Windows Security app notifications](windows-defender-security-center/wdsc-hide-notifications.md)
+#### [Manage Windows Security app in Windows 10 in S mode](windows-defender-security-center\wdsc-windows-10-in-s-mode.md)
+#### [Virus and threat protection](windows-defender-security-center/wdsc-virus-threat-protection.md)
+#### [Account protection](windows-defender-security-center\wdsc-account-protection.md)
+#### [Firewall and network protection](windows-defender-security-center\wdsc-firewall-network-protection.md)
+#### [App and browser control](windows-defender-security-center\wdsc-app-browser-control.md)
+#### [Device security](windows-defender-security-center\wdsc-device-security.md)
+#### [Device performance and health](windows-defender-security-center\wdsc-device-performance-health.md)
+#### [Family options](windows-defender-security-center\wdsc-family-options.md)
+
+
+### [Windows Defender SmartScreen](windows-defender-smartscreen/windows-defender-smartscreen-overview.md)
+#### [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md)
+#### [Set up and use Windows Defender SmartScreen on individual devices](windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md)
+
+
+### [Windows Defender Device Guard: virtualization-based security and WDAC](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
+
+
+### [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md)
+
+### [Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md)
+
+### [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md)
+
+### [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-intrusion-detection.md)
+
+### [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md)
+
+### [Security auditing](auditing/security-auditing-overview.md)
+
+#### [Basic security audit policies](auditing/basic-security-audit-policies.md)
+##### [Create a basic audit policy for an event category](auditing/create-a-basic-audit-policy-settings-for-an-event-category.md)
+##### [Apply a basic audit policy on a file or folder](auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md)
+##### [View the security event log](auditing/view-the-security-event-log.md)
+
+##### [Basic security audit policy settings](auditing/basic-security-audit-policy-settings.md)
+###### [Audit account logon events](auditing/basic-audit-account-logon-events.md)
+###### [Audit account management](auditing/basic-audit-account-management.md)
+###### [Audit directory service access](auditing/basic-audit-directory-service-access.md)
+###### [Audit logon events](auditing/basic-audit-logon-events.md)
+###### [Audit object access](auditing/basic-audit-object-access.md)
+###### [Audit policy change](auditing/basic-audit-policy-change.md)
+###### [Audit privilege use](auditing/basic-audit-privilege-use.md)
+###### [Audit process tracking](auditing/basic-audit-process-tracking.md)
+###### [Audit system events](auditing/basic-audit-system-events.md)
+
+##### [Advanced security audit policies](auditing/advanced-security-auditing.md)
+###### [Planning and deploying advanced security audit policies](auditing/planning-and-deploying-advanced-security-audit-policies.md)
+###### [Advanced security auditing FAQ](auditing/advanced-security-auditing-faq.md)
+####### [Which editions of Windows support advanced audit policy configuration](auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md)
+
+###### [Using advanced security auditing options to monitor dynamic access control objects](auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)
+####### [Monitor the central access policies that apply on a file server](auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md)
+####### [Monitor the use of removable storage devices](auditing/monitor-the-use-of-removable-storage-devices.md)
+####### [Monitor resource attribute definitions](auditing/monitor-resource-attribute-definitions.md)
+####### [Monitor central access policy and rule definitions](auditing/monitor-central-access-policy-and-rule-definitions.md)
+####### [Monitor user and device claims during sign-in](auditing/monitor-user-and-device-claims-during-sign-in.md)
+####### [Monitor the resource attributes on files and folders](auditing/monitor-the-resource-attributes-on-files-and-folders.md)
+####### [Monitor the central access policies associated with files and folders](auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md)
+####### [Monitor claim types](auditing/monitor-claim-types.md)
+
+###### [Advanced security audit policy settings](auditing/advanced-security-audit-policy-settings.md)
+####### [Audit Credential Validation](auditing/audit-credential-validation.md)
+####### [Event 4774 S, F: An account was mapped for logon.](auditing/event-4774.md)
+####### [Event 4775 F: An account could not be mapped for logon.](auditing/event-4775.md)
+####### [Event 4776 S, F: The computer attempted to validate the credentials for an account.](auditing/event-4776.md)
+####### [Event 4777 F: The domain controller failed to validate the credentials for an account.](auditing/event-4777.md)
+###### [Audit Kerberos Authentication Service](auditing/audit-kerberos-authentication-service.md)
+####### [Event 4768 S, F: A Kerberos authentication ticket, TGT, was requested.](auditing/event-4768.md)
+####### [Event 4771 F: Kerberos pre-authentication failed.](auditing/event-4771.md)
+####### [Event 4772 F: A Kerberos authentication ticket request failed.](auditing/event-4772.md)
+###### [Audit Kerberos Service Ticket Operations](auditing/audit-kerberos-service-ticket-operations.md)
+####### [Event 4769 S, F: A Kerberos service ticket was requested.](auditing/event-4769.md)
+####### [Event 4770 S: A Kerberos service ticket was renewed.](auditing/event-4770.md)
+####### [Event 4773 F: A Kerberos service ticket request failed.](auditing/event-4773.md)
+###### [Audit Other Account Logon Events](auditing/audit-other-account-logon-events.md)
+###### [Audit Application Group Management](auditing/audit-application-group-management.md)
+###### [Audit Computer Account Management](auditing/audit-computer-account-management.md)
+####### [Event 4741 S: A computer account was created.](auditing/event-4741.md)
+####### [Event 4742 S: A computer account was changed.](auditing/event-4742.md)
+####### [Event 4743 S: A computer account was deleted.](auditing/event-4743.md)
+###### [Audit Distribution Group Management](auditing/audit-distribution-group-management.md)
+####### [Event 4749 S: A security-disabled global group was created.](auditing/event-4749.md)
+####### [Event 4750 S: A security-disabled global group was changed.](auditing/event-4750.md)
+####### [Event 4751 S: A member was added to a security-disabled global group.](auditing/event-4751.md)
+####### [Event 4752 S: A member was removed from a security-disabled global group.](auditing/event-4752.md)
+####### [Event 4753 S: A security-disabled global group was deleted.](auditing/event-4753.md)
+###### [Audit Other Account Management Events](auditing/audit-other-account-management-events.md)
+####### [Event 4782 S: The password hash an account was accessed.](auditing/event-4782.md)
+####### [Event 4793 S: The Password Policy Checking API was called.](auditing/event-4793.md)
+###### [Audit Security Group Management](auditing/audit-security-group-management.md)
+####### [Event 4731 S: A security-enabled local group was created.](auditing/event-4731.md)
+####### [Event 4732 S: A member was added to a security-enabled local group.](auditing/event-4732.md)
+####### [Event 4733 S: A member was removed from a security-enabled local group.](auditing/event-4733.md)
+####### [Event 4734 S: A security-enabled local group was deleted.](auditing/event-4734.md)
+####### [Event 4735 S: A security-enabled local group was changed.](auditing/event-4735.md)
+####### [Event 4764 S: A group’s type was changed.](auditing/event-4764.md)
+####### [Event 4799 S: A security-enabled local group membership was enumerated.](auditing/event-4799.md)
+###### [Audit User Account Management](auditing/audit-user-account-management.md)
+####### [Event 4720 S: A user account was created.](auditing/event-4720.md)
+####### [Event 4722 S: A user account was enabled.](auditing/event-4722.md)
+####### [Event 4723 S, F: An attempt was made to change an account's password.](auditing/event-4723.md)
+####### [Event 4724 S, F: An attempt was made to reset an account's password.](auditing/event-4724.md)
+####### [Event 4725 S: A user account was disabled.](auditing/event-4725.md)
+####### [Event 4726 S: A user account was deleted.](auditing/event-4726.md)
+####### [Event 4738 S: A user account was changed.](auditing/event-4738.md)
+####### [Event 4740 S: A user account was locked out.](auditing/event-4740.md)
+####### [Event 4765 S: SID History was added to an account.](auditing/event-4765.md)
+####### [Event 4766 F: An attempt to add SID History to an account failed.](auditing/event-4766.md)
+####### [Event 4767 S: A user account was unlocked.](auditing/event-4767.md)
+####### [Event 4780 S: The ACL was set on accounts which are members of administrators groups.](auditing/event-4780.md)
+####### [Event 4781 S: The name of an account was changed.](auditing/event-4781.md)
+####### [Event 4794 S, F: An attempt was made to set the Directory Services Restore Mode administrator password.](auditing/event-4794.md)
+####### [Event 4798 S: A user's local group membership was enumerated.](auditing/event-4798.md)
+####### [Event 5376 S: Credential Manager credentials were backed up.](auditing/event-5376.md)
+####### [Event 5377 S: Credential Manager credentials were restored from a backup.](auditing/event-5377.md)
+###### [Audit DPAPI Activity](auditing/audit-dpapi-activity.md)
+####### [Event 4692 S, F: Backup of data protection master key was attempted.](auditing/event-4692.md)
+####### [Event 4693 S, F: Recovery of data protection master key was attempted.](auditing/event-4693.md)
+####### [Event 4694 S, F: Protection of auditable protected data was attempted.](auditing/event-4694.md)
+####### [Event 4695 S, F: Unprotection of auditable protected data was attempted.](auditing/event-4695.md)
+###### [Audit PNP Activity](auditing/audit-pnp-activity.md)
+####### [Event 6416 S: A new external device was recognized by the System.](auditing/event-6416.md)
+####### [Event 6419 S: A request was made to disable a device.](auditing/event-6419.md)
+####### [Event 6420 S: A device was disabled.](auditing/event-6420.md)
+####### [Event 6421 S: A request was made to enable a device.](auditing/event-6421.md)
+####### [Event 6422 S: A device was enabled.](auditing/event-6422.md)
+####### [Event 6423 S: The installation of this device is forbidden by system policy.](auditing/event-6423.md)
+####### [Event 6424 S: The installation of this device was allowed, after having previously been forbidden by policy.](auditing/event-6424.md)
+###### [Audit Process Creation](auditing/audit-process-creation.md)
+####### [Event 4688 S: A new process has been created.](auditing/event-4688.md)
+####### [Event 4696 S: A primary token was assigned to process.](auditing/event-4696.md)
+###### [Audit Process Termination](auditing/audit-process-termination.md)
+####### [Event 4689 S: A process has exited.](auditing/event-4689.md)
+###### [Audit RPC Events](auditing/audit-rpc-events.md)
+####### [Event 5712 S: A Remote Procedure Call, RPC, was attempted.](auditing/event-5712.md)
+###### [Audit Detailed Directory Service Replication](auditing/audit-detailed-directory-service-replication.md)
+####### [Event 4928 S, F: An Active Directory replica source naming context was established.](auditing/event-4928.md)
+####### [Event 4929 S, F: An Active Directory replica source naming context was removed.](auditing/event-4929.md)
+####### [Event 4930 S, F: An Active Directory replica source naming context was modified.](auditing/event-4930.md)
+####### [Event 4931 S, F: An Active Directory replica destination naming context was modified.](auditing/event-4931.md)
+####### [Event 4934 S: Attributes of an Active Directory object were replicated.](auditing/event-4934.md)
+####### [Event 4935 F: Replication failure begins.](auditing/event-4935.md)
+####### [Event 4936 S: Replication failure ends.](auditing/event-4936.md)
+####### [Event 4937 S: A lingering object was removed from a replica.](auditing/event-4937.md)
+###### [Audit Directory Service Access](auditing/audit-directory-service-access.md)
+####### [Event 4662 S, F: An operation was performed on an object.](auditing/event-4662.md)
+####### [Event 4661 S, F: A handle to an object was requested.](auditing/event-4661.md)
+###### [Audit Directory Service Changes](auditing/audit-directory-service-changes.md)
+####### [Event 5136 S: A directory service object was modified.](auditing/event-5136.md)
+####### [Event 5137 S: A directory service object was created.](auditing/event-5137.md)
+####### [Event 5138 S: A directory service object was undeleted.](auditing/event-5138.md)
+####### [Event 5139 S: A directory service object was moved.](auditing/event-5139.md)
+####### [Event 5141 S: A directory service object was deleted.](auditing/event-5141.md)
+###### [Audit Directory Service Replication](auditing/audit-directory-service-replication.md)
+####### [Event 4932 S: Synchronization of a replica of an Active Directory naming context has begun.](auditing/event-4932.md)
+####### [Event 4933 S, F: Synchronization of a replica of an Active Directory naming context has ended.](auditing/event-4933.md)
+###### [Audit Account Lockout](auditing/audit-account-lockout.md)
+####### [Event 4625 F: An account failed to log on.](auditing/event-4625.md)
+###### [Audit User/Device Claims](auditing/audit-user-device-claims.md)
+####### [Event 4626 S: User/Device claims information.](auditing/event-4626.md)
+###### [Audit Group Membership](auditing/audit-group-membership.md)
+####### [Event 4627 S: Group membership information.](auditing/event-4627.md)
+###### [Audit IPsec Extended Mode](auditing/audit-ipsec-extended-mode.md)
+###### [Audit IPsec Main Mode](auditing/audit-ipsec-main-mode.md)
+###### [Audit IPsec Quick Mode](auditing/audit-ipsec-quick-mode.md)
+###### [Audit Logoff](auditing/audit-logoff.md)
+####### [Event 4634 S: An account was logged off.](auditing/event-4634.md)
+####### [Event 4647 S: User initiated logoff.](auditing/event-4647.md)
+###### [Audit Logon](auditing/audit-logon.md)
+####### [Event 4624 S: An account was successfully logged on.](auditing/event-4624.md)
+####### [Event 4625 F: An account failed to log on.](auditing/event-4625.md)
+####### [Event 4648 S: A logon was attempted using explicit credentials.](auditing/event-4648.md)
+####### [Event 4675 S: SIDs were filtered.](auditing/event-4675.md)
+###### [Audit Network Policy Server](auditing/audit-network-policy-server.md)
+###### [Audit Other Logon/Logoff Events](auditing/audit-other-logonlogoff-events.md)
+####### [Event 4649 S: A replay attack was detected.](auditing/event-4649.md)
+####### [Event 4778 S: A session was reconnected to a Window Station.](auditing/event-4778.md)
+####### [Event 4779 S: A session was disconnected from a Window Station.](auditing/event-4779.md)
+####### [Event 4800 S: The workstation was locked.](auditing/event-4800.md)
+####### [Event 4801 S: The workstation was unlocked.](auditing/event-4801.md)
+####### [Event 4802 S: The screen saver was invoked.](auditing/event-4802.md)
+####### [Event 4803 S: The screen saver was dismissed.](auditing/event-4803.md)
+####### [Event 5378 F: The requested credentials delegation was disallowed by policy.](auditing/event-5378.md)
+####### [Event 5632 S, F: A request was made to authenticate to a wireless network.](auditing/event-5632.md)
+####### [Event 5633 S, F: A request was made to authenticate to a wired network.](auditing/event-5633.md)
+###### [Audit Special Logon](auditing/audit-special-logon.md)
+####### [Event 4964 S: Special groups have been assigned to a new logon.](auditing/event-4964.md)
+####### [Event 4672 S: Special privileges assigned to new logon.](auditing/event-4672.md)
+###### [Audit Application Generated](auditing/audit-application-generated.md)
+###### [Audit Certification Services](auditing/audit-certification-services.md)
+###### [Audit Detailed File Share](auditing/audit-detailed-file-share.md)
+####### [Event 5145 S, F: A network share object was checked to see whether client can be granted desired access.](auditing/event-5145.md)
+###### [Audit File Share](auditing/audit-file-share.md)
+####### [Event 5140 S, F: A network share object was accessed.](auditing/event-5140.md)
+####### [Event 5142 S: A network share object was added.](auditing/event-5142.md)
+####### [Event 5143 S: A network share object was modified.](auditing/event-5143.md)
+####### [Event 5144 S: A network share object was deleted.](auditing/event-5144.md)
+####### [Event 5168 F: SPN check for SMB/SMB2 failed.](auditing/event-5168.md)
+###### [Audit File System](auditing/audit-file-system.md)
+####### [Event 4656 S, F: A handle to an object was requested.](auditing/event-4656.md)
+####### [Event 4658 S: The handle to an object was closed.](auditing/event-4658.md)
+####### [Event 4660 S: An object was deleted.](auditing/event-4660.md)
+####### [Event 4663 S: An attempt was made to access an object.](auditing/event-4663.md)
+####### [Event 4664 S: An attempt was made to create a hard link.](auditing/event-4664.md)
+####### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md)
+####### [Event 5051: A file was virtualized.](auditing/event-5051.md)
+####### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md)
+###### [Audit Filtering Platform Connection](auditing/audit-filtering-platform-connection.md)
+####### [Event 5031 F: The Windows Firewall Service blocked an application from accepting incoming connections on the network.](auditing/event-5031.md)
+####### [Event 5150: The Windows Filtering Platform blocked a packet.](auditing/event-5150.md)
+####### [Event 5151: A more restrictive Windows Filtering Platform filter has blocked a packet.](auditing/event-5151.md)
+####### [Event 5154 S: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.](auditing/event-5154.md)
+####### [Event 5155 F: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.](auditing/event-5155.md)
+####### [Event 5156 S: The Windows Filtering Platform has permitted a connection.](auditing/event-5156.md)
+####### [Event 5157 F: The Windows Filtering Platform has blocked a connection.](auditing/event-5157.md)
+####### [Event 5158 S: The Windows Filtering Platform has permitted a bind to a local port.](auditing/event-5158.md)
+####### [Event 5159 F: The Windows Filtering Platform has blocked a bind to a local port.](auditing/event-5159.md)
+###### [Audit Filtering Platform Packet Drop](auditing/audit-filtering-platform-packet-drop.md)
+####### [Event 5152 F: The Windows Filtering Platform blocked a packet.](auditing/event-5152.md)
+####### [Event 5153 S: A more restrictive Windows Filtering Platform filter has blocked a packet.](auditing/event-5153.md)
+###### [Audit Handle Manipulation](auditing/audit-handle-manipulation.md)
+####### [Event 4690 S: An attempt was made to duplicate a handle to an object.](auditing/event-4690.md)
+###### [Audit Kernel Object](auditing/audit-kernel-object.md)
+####### [Event 4656 S, F: A handle to an object was requested.](auditing/event-4656.md)
+####### [Event 4658 S: The handle to an object was closed.](auditing/event-4658.md)
+####### [Event 4660 S: An object was deleted.](auditing/event-4660.md)
+####### [Event 4663 S: An attempt was made to access an object.](auditing/event-4663.md)
+###### [Audit Other Object Access Events](auditing/audit-other-object-access-events.md)
+####### [Event 4671: An application attempted to access a blocked ordinal through the TBS.](auditing/event-4671.md)
+####### [Event 4691 S: Indirect access to an object was requested.](auditing/event-4691.md)
+####### [Event 5148 F: The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.](auditing/event-5148.md)
+####### [Event 5149 F: The DoS attack has subsided and normal processing is being resumed.](auditing/event-5149.md)
+####### [Event 4698 S: A scheduled task was created.](auditing/event-4698.md)
+####### [Event 4699 S: A scheduled task was deleted.](auditing/event-4699.md)
+####### [Event 4700 S: A scheduled task was enabled.](auditing/event-4700.md)
+####### [Event 4701 S: A scheduled task was disabled.](auditing/event-4701.md)
+####### [Event 4702 S: A scheduled task was updated.](auditing/event-4702.md)
+####### [Event 5888 S: An object in the COM+ Catalog was modified.](auditing/event-5888.md)
+####### [Event 5889 S: An object was deleted from the COM+ Catalog.](auditing/event-5889.md)
+####### [Event 5890 S: An object was added to the COM+ Catalog.](auditing/event-5890.md)
+###### [Audit Registry](auditing/audit-registry.md)
+####### [Event 4663 S: An attempt was made to access an object.](auditing/event-4663.md)
+####### [Event 4656 S, F: A handle to an object was requested.](auditing/event-4656.md)
+####### [Event 4658 S: The handle to an object was closed.](auditing/event-4658.md)
+####### [Event 4660 S: An object was deleted.](auditing/event-4660.md)
+####### [Event 4657 S: A registry value was modified.](auditing/event-4657.md)
+####### [Event 5039: A registry key was virtualized.](auditing/event-5039.md)
+####### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md)
+###### [Audit Removable Storage](auditing/audit-removable-storage.md)
+###### [Audit SAM](auditing/audit-sam.md)
+####### [Event 4661 S, F: A handle to an object was requested.](auditing/event-4661.md)
+###### [Audit Central Access Policy Staging](auditing/audit-central-access-policy-staging.md)
+####### [Event 4818 S: Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.](auditing/event-4818.md)
+###### [Audit Audit Policy Change](auditing/audit-audit-policy-change.md)
+####### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md)
+####### [Event 4715 S: The audit policy, SACL, on an object was changed.](auditing/event-4715.md)
+####### [Event 4719 S: System audit policy was changed.](auditing/event-4719.md)
+####### [Event 4817 S: Auditing settings on object were changed.](auditing/event-4817.md)
+####### [Event 4902 S: The Per-user audit policy table was created.](auditing/event-4902.md)
+####### [Event 4906 S: The CrashOnAuditFail value has changed.](auditing/event-4906.md)
+####### [Event 4907 S: Auditing settings on object were changed.](auditing/event-4907.md)
+####### [Event 4908 S: Special Groups Logon table modified.](auditing/event-4908.md)
+####### [Event 4912 S: Per User Audit Policy was changed.](auditing/event-4912.md)
+####### [Event 4904 S: An attempt was made to register a security event source.](auditing/event-4904.md)
+####### [Event 4905 S: An attempt was made to unregister a security event source.](auditing/event-4905.md)
+###### [Audit Authentication Policy Change](auditing/audit-authentication-policy-change.md)
+####### [Event 4706 S: A new trust was created to a domain.](auditing/event-4706.md)
+####### [Event 4707 S: A trust to a domain was removed.](auditing/event-4707.md)
+####### [Event 4716 S: Trusted domain information was modified.](auditing/event-4716.md)
+####### [Event 4713 S: Kerberos policy was changed.](auditing/event-4713.md)
+####### [Event 4717 S: System security access was granted to an account.](auditing/event-4717.md)
+####### [Event 4718 S: System security access was removed from an account.](auditing/event-4718.md)
+####### [Event 4739 S: Domain Policy was changed.](auditing/event-4739.md)
+####### [Event 4864 S: A namespace collision was detected.](auditing/event-4864.md)
+####### [Event 4865 S: A trusted forest information entry was added.](auditing/event-4865.md)
+####### [Event 4866 S: A trusted forest information entry was removed.](auditing/event-4866.md)
+####### [Event 4867 S: A trusted forest information entry was modified.](auditing/event-4867.md)
+###### [Audit Authorization Policy Change](auditing/audit-authorization-policy-change.md)
+####### [Event 4703 S: A user right was adjusted.](auditing/event-4703.md)
+####### [Event 4704 S: A user right was assigned.](auditing/event-4704.md)
+####### [Event 4705 S: A user right was removed.](auditing/event-4705.md)
+####### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md)
+####### [Event 4911 S: Resource attributes of the object were changed.](auditing/event-4911.md)
+####### [Event 4913 S: Central Access Policy on the object was changed.](auditing/event-4913.md)
+###### [Audit Filtering Platform Policy Change](auditing/audit-filtering-platform-policy-change.md)
+###### [Audit MPSSVC Rule-Level Policy Change](auditing/audit-mpssvc-rule-level-policy-change.md)
+####### [Event 4944 S: The following policy was active when the Windows Firewall started.](auditing/event-4944.md)
+####### [Event 4945 S: A rule was listed when the Windows Firewall started.](auditing/event-4945.md)
+####### [Event 4946 S: A change has been made to Windows Firewall exception list. A rule was added.](auditing/event-4946.md)
+####### [Event 4947 S: A change has been made to Windows Firewall exception list. A rule was modified.](auditing/event-4947.md)
+####### [Event 4948 S: A change has been made to Windows Firewall exception list. A rule was deleted.](auditing/event-4948.md)
+####### [Event 4949 S: Windows Firewall settings were restored to the default values.](auditing/event-4949.md)
+####### [Event 4950 S: A Windows Firewall setting has changed.](auditing/event-4950.md)
+####### [Event 4951 F: A rule has been ignored because its major version number was not recognized by Windows Firewall.](auditing/event-4951.md)
+####### [Event 4952 F: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.](auditing/event-4952.md)
+####### [Event 4953 F: Windows Firewall ignored a rule because it could not be parsed.](auditing/event-4953.md)
+####### [Event 4954 S: Windows Firewall Group Policy settings have changed. The new settings have been applied.](auditing/event-4954.md)
+####### [Event 4956 S: Windows Firewall has changed the active profile.](auditing/event-4956.md)
+####### [Event 4957 F: Windows Firewall did not apply the following rule.](auditing/event-4957.md)
+####### [Event 4958 F: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer.](auditing/event-4958.md)
+###### [Audit Other Policy Change Events](auditing/audit-other-policy-change-events.md)
+####### [Event 4714 S: Encrypted data recovery policy was changed.](auditing/event-4714.md)
+####### [Event 4819 S: Central Access Policies on the machine have been changed.](auditing/event-4819.md)
+####### [Event 4826 S: Boot Configuration Data loaded.](auditing/event-4826.md)
+####### [Event 4909: The local policy settings for the TBS were changed.](auditing/event-4909.md)
+####### [Event 4910: The group policy settings for the TBS were changed.](auditing/event-4910.md)
+####### [Event 5063 S, F: A cryptographic provider operation was attempted.](auditing/event-5063.md)
+####### [Event 5064 S, F: A cryptographic context operation was attempted.](auditing/event-5064.md)
+####### [Event 5065 S, F: A cryptographic context modification was attempted.](auditing/event-5065.md)
+####### [Event 5066 S, F: A cryptographic function operation was attempted.](auditing/event-5066.md)
+####### [Event 5067 S, F: A cryptographic function modification was attempted.](auditing/event-5067.md)
+####### [Event 5068 S, F: A cryptographic function provider operation was attempted.](auditing/event-5068.md)
+####### [Event 5069 S, F: A cryptographic function property operation was attempted.](auditing/event-5069.md)
+####### [Event 5070 S, F: A cryptographic function property modification was attempted.](auditing/event-5070.md)
+####### [Event 5447 S: A Windows Filtering Platform filter has been changed.](auditing/event-5447.md)
+####### [Event 6144 S: Security policy in the group policy objects has been applied successfully.](auditing/event-6144.md)
+####### [Event 6145 F: One or more errors occurred while processing security policy in the group policy objects.](auditing/event-6145.md)
+###### [Audit Sensitive Privilege Use](auditing/audit-sensitive-privilege-use.md)
+####### [Event 4673 S, F: A privileged service was called.](auditing/event-4673.md)
+####### [Event 4674 S, F: An operation was attempted on a privileged object.](auditing/event-4674.md)
+####### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md)
+###### [Audit Non Sensitive Privilege Use](auditing/audit-non-sensitive-privilege-use.md)
+####### [Event 4673 S, F: A privileged service was called.](auditing/event-4673.md)
+####### [Event 4674 S, F: An operation was attempted on a privileged object.](auditing/event-4674.md)
+####### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md)
+###### [Audit Other Privilege Use Events](auditing/audit-other-privilege-use-events.md)
+####### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md)
+###### [Audit IPsec Driver](auditing/audit-ipsec-driver.md)
+###### [Audit Other System Events](auditing/audit-other-system-events.md)
+####### [Event 5024 S: The Windows Firewall Service has started successfully.](auditing/event-5024.md)
+####### [Event 5025 S: The Windows Firewall Service has been stopped.](auditing/event-5025.md)
+####### [Event 5027 F: The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.](auditing/event-5027.md)
+####### [Event 5028 F: The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.](auditing/event-5028.md)
+####### [Event 5029 F: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.](auditing/event-5029.md)
+####### [Event 5030 F: The Windows Firewall Service failed to start.](auditing/event-5030.md)
+####### [Event 5032 F: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.](auditing/event-5032.md)
+####### [Event 5033 S: The Windows Firewall Driver has started successfully.](auditing/event-5033.md)
+####### [Event 5034 S: The Windows Firewall Driver was stopped.](auditing/event-5034.md)
+####### [Event 5035 F: The Windows Firewall Driver failed to start.](auditing/event-5035.md)
+####### [Event 5037 F: The Windows Firewall Driver detected critical runtime error. Terminating.](auditing/event-5037.md)
+####### [Event 5058 S, F: Key file operation.](auditing/event-5058.md)
+####### [Event 5059 S, F: Key migration operation.](auditing/event-5059.md)
+####### [Event 6400: BranchCache: Received an incorrectly formatted response while discovering availability of content.](auditing/event-6400.md)
+####### [Event 6401: BranchCache: Received invalid data from a peer. Data discarded.](auditing/event-6401.md)
+####### [Event 6402: BranchCache: The message to the hosted cache offering it data is incorrectly formatted.](auditing/event-6402.md)
+####### [Event 6403: BranchCache: The hosted cache sent an incorrectly formatted response to the client.](auditing/event-6403.md)
+####### [Event 6404: BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.](auditing/event-6404.md)
+####### [Event 6405: BranchCache: %2 instances of event id %1 occurred.](auditing/event-6405.md)
+####### [Event 6406: %1 registered to Windows Firewall to control filtering for the following: %2.](auditing/event-6406.md)
+####### [Event 6407: 1%.](auditing/event-6407.md)
+####### [Event 6408: Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.](auditing/event-6408.md)
+####### [Event 6409: BranchCache: A service connection point object could not be parsed.](auditing/event-6409.md)
+###### [Audit Security State Change](auditing/audit-security-state-change.md)
+####### [Event 4608 S: Windows is starting up.](auditing/event-4608.md)
+####### [Event 4616 S: The system time was changed.](auditing/event-4616.md)
+####### [Event 4621 S: Administrator recovered system from CrashOnAuditFail.](auditing/event-4621.md)
+###### [Audit Security System Extension](auditing/audit-security-system-extension.md)
+####### [Event 4610 S: An authentication package has been loaded by the Local Security Authority.](auditing/event-4610.md)
+####### [Event 4611 S: A trusted logon process has been registered with the Local Security Authority.](auditing/event-4611.md)
+####### [Event 4614 S: A notification package has been loaded by the Security Account Manager.](auditing/event-4614.md)
+####### [Event 4622 S: A security package has been loaded by the Local Security Authority.](auditing/event-4622.md)
+####### [Event 4697 S: A service was installed in the system.](auditing/event-4697.md)
+###### [Audit System Integrity](auditing/audit-system-integrity.md)
+####### [Event 4612 S: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.](auditing/event-4612.md)
+####### [Event 4615 S: Invalid use of LPC port.](auditing/event-4615.md)
+####### [Event 4618 S: A monitored security event pattern has occurred.](auditing/event-4618.md)
+####### [Event 4816 S: RPC detected an integrity violation while decrypting an incoming message.](auditing/event-4816.md)
+####### [Event 5038 F: Code integrity determined that the image hash of a file is not valid.](auditing/event-5038.md)
+####### [Event 5056 S: A cryptographic self-test was performed.](auditing/event-5056.md)
+####### [Event 5062 S: A kernel-mode cryptographic self-test was performed.](auditing/event-5062.md)
+####### [Event 5057 F: A cryptographic primitive operation failed.](auditing/event-5057.md)
+####### [Event 5060 F: Verification operation failed.](auditing/event-5060.md)
+####### [Event 5061 S, F: Cryptographic operation.](auditing/event-5061.md)
+####### [Event 6281 F: Code Integrity determined that the page hashes of an image file are not valid.](auditing/event-6281.md)
+####### [Event 6410 F: Code integrity determined that a file does not meet the security requirements to load into a process.](auditing/event-6410.md)
+###### [Other Events](auditing/other-events.md)
+####### [Event 1100 S: The event logging service has shut down.](auditing/event-1100.md)
+####### [Event 1102 S: The audit log was cleared.](auditing/event-1102.md)
+####### [Event 1104 S: The security log is now full.](auditing/event-1104.md)
+####### [Event 1105 S: Event log automatic backup.](auditing/event-1105.md)
+####### [Event 1108 S: The event logging service encountered an error while processing an incoming event published from %1.](auditing/event-1108.md)
+###### [Appendix A: Security monitoring recommendations for many audit events](auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md)
+###### [Registry (Global Object Access Auditing) ](auditing/registry-global-object-access-auditing.md)
+###### [File System (Global Object Access Auditing) ](auditing/file-system-global-object-access-auditing.md)
+
+
+
+
+
+#### [Security policy settings](security-policy-settings/security-policy-settings.md)
+#### [Administer security policy settings](security-policy-settings/administer-security-policy-settings.md)
+##### [Network List Manager policies](security-policy-settings/network-list-manager-policies.md)
+#### [Configure security policy settings](security-policy-settings/how-to-configure-security-policy-settings.md)
+#### [Security policy settings reference](security-policy-settings/security-policy-settings-reference.md)
+##### [Account Policies](security-policy-settings/account-policies.md)
+###### [Password Policy](security-policy-settings/password-policy.md)
+####### [Enforce password history](security-policy-settings/enforce-password-history.md)
+####### [Maximum password age](security-policy-settings/maximum-password-age.md)
+####### [Minimum password age](security-policy-settings/minimum-password-age.md)
+####### [Minimum password length](security-policy-settings/minimum-password-length.md)
+####### [Password must meet complexity requirements](security-policy-settings/password-must-meet-complexity-requirements.md)
+####### [Store passwords using reversible encryption](security-policy-settings/store-passwords-using-reversible-encryption.md)
+###### [Account Lockout Policy](security-policy-settings/account-lockout-policy.md)
+####### [Account lockout duration](security-policy-settings/account-lockout-duration.md)
+####### [Account lockout threshold](security-policy-settings/account-lockout-threshold.md)
+####### [Reset account lockout counter after](security-policy-settings/reset-account-lockout-counter-after.md)
+###### [Kerberos Policy](security-policy-settings/kerberos-policy.md)
+####### [Enforce user logon restrictions](security-policy-settings/enforce-user-logon-restrictions.md)
+####### [Maximum lifetime for service ticket](security-policy-settings/maximum-lifetime-for-service-ticket.md)
+####### [Maximum lifetime for user ticket](security-policy-settings/maximum-lifetime-for-user-ticket.md)
+####### [Maximum lifetime for user ticket renewal](security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md)
+####### [Maximum tolerance for computer clock synchronization](security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md)
+##### [Audit Policy](security-policy-settings/audit-policy.md)
+##### [Security Options](security-policy-settings/security-options.md)
+###### [Accounts: Administrator account status](security-policy-settings/accounts-administrator-account-status.md)
+###### [Accounts: Block Microsoft accounts](security-policy-settings/accounts-block-microsoft-accounts.md)
+###### [Accounts: Guest account status](security-policy-settings/accounts-guest-account-status.md)
+###### [Accounts: Limit local account use of blank passwords to console logon only](security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md)
+###### [Accounts: Rename administrator account](security-policy-settings/accounts-rename-administrator-account.md)
+###### [Accounts: Rename guest account](security-policy-settings/accounts-rename-guest-account.md)
+###### [Audit: Audit the access of global system objects](security-policy-settings/audit-audit-the-access-of-global-system-objects.md)
+###### [Audit: Audit the use of Backup and Restore privilege](security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md)
+###### [Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings](security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md)
+###### [Audit: Shut down system immediately if unable to log security audits](security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md)
+###### [DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax](security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md)
+###### [DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax](security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md)
+###### [Devices: Allow undock without having to log on](security-policy-settings/devices-allow-undock-without-having-to-log-on.md)
+###### [Devices: Allowed to format and eject removable media](security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md)
+###### [Devices: Prevent users from installing printer drivers](security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md)
+###### [Devices: Restrict CD-ROM access to locally logged-on user only](security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md)
+###### [Devices: Restrict floppy access to locally logged-on user only](security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md)
+###### [Domain controller: Allow server operators to schedule tasks](security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md)
+###### [Domain controller: LDAP server signing requirements](security-policy-settings/domain-controller-ldap-server-signing-requirements.md)
+###### [Domain controller: Refuse machine account password changes](security-policy-settings/domain-controller-refuse-machine-account-password-changes.md)
+###### [Domain member: Digitally encrypt or sign secure channel data (always)](security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md)
+###### [Domain member: Digitally encrypt secure channel data (when possible)](security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md)
+###### [Domain member: Digitally sign secure channel data (when possible)](security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md)
+###### [Domain member: Disable machine account password changes](security-policy-settings/domain-member-disable-machine-account-password-changes.md)
+###### [Domain member: Maximum machine account password age](security-policy-settings/domain-member-maximum-machine-account-password-age.md)
+###### [Domain member: Require strong (Windows 2000 or later) session key](security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md)
+###### [Interactive logon: Display user information when the session is locked](security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md)
+###### [Interactive logon: Don't display last signed-in](security-policy-settings/interactive-logon-do-not-display-last-user-name.md)
+###### [Interactive logon: Don't display username at sign-in](security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md)
+###### [Interactive logon: Do not require CTRL+ALT+DEL](security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md)
+###### [Interactive logon: Machine account lockout threshold](security-policy-settings/interactive-logon-machine-account-lockout-threshold.md)
+###### [Interactive logon: Machine inactivity limit](security-policy-settings/interactive-logon-machine-inactivity-limit.md)
+###### [Interactive logon: Message text for users attempting to log on](security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md)
+###### [Interactive logon: Message title for users attempting to log on](security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md)
+###### [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md)
+###### [Interactive logon: Prompt user to change password before expiration](security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md)
+###### [Interactive logon: Require Domain Controller authentication to unlock workstation](security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md)
+###### [Interactive logon: Require smart card](security-policy-settings/interactive-logon-require-smart-card.md)
+###### [Interactive logon: Smart card removal behavior](security-policy-settings/interactive-logon-smart-card-removal-behavior.md)
+###### [Microsoft network client: Digitally sign communications (always)](security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md)
+###### [SMBv1 Microsoft network client: Digitally sign communications (always)](security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md)
+###### [SMBv1 Microsoft network client: Digitally sign communications (if server agrees)](security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md)
+###### [Microsoft network client: Send unencrypted password to third-party SMB servers](security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md)
+###### [Microsoft network server: Amount of idle time required before suspending session](security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md)
+###### [Microsoft network server: Attempt S4U2Self to obtain claim information](security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md)
+###### [Microsoft network server: Digitally sign communications (always)](security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md)
+###### [SMBv1 Microsoft network server: Digitally sign communications (always)](security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md)
+###### [SMBv1 Microsoft network server: Digitally sign communications (if client agrees)](security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md)
+###### [Microsoft network server: Disconnect clients when logon hours expire](security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md)
+###### [Microsoft network server: Server SPN target name validation level](security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md)
+###### [Network access: Allow anonymous SID/Name translation](security-policy-settings/network-access-allow-anonymous-sidname-translation.md)
+###### [Network access: Do not allow anonymous enumeration of SAM accounts](security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md)
+###### [Network access: Do not allow anonymous enumeration of SAM accounts and shares](security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md)
+###### [Network access: Do not allow storage of passwords and credentials for network authentication](security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md)
+###### [Network access: Let Everyone permissions apply to anonymous users](security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md)
+###### [Network access: Named Pipes that can be accessed anonymously](security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md)
+###### [Network access: Remotely accessible registry paths](security-policy-settings/network-access-remotely-accessible-registry-paths.md)
+###### [Network access: Remotely accessible registry paths and subpaths](security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md)
+###### [Network access: Restrict anonymous access to Named Pipes and Shares](security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md)
+###### [Network access: Restrict clients allowed to make remote calls to SAM](security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md)
+###### [Network access: Shares that can be accessed anonymously](security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md)
+###### [Network access: Sharing and security model for local accounts](security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md)
+###### [Network security: Allow Local System to use computer identity for NTLM](security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md)
+###### [Network security: Allow LocalSystem NULL session fallback](security-policy-settings/network-security-allow-localsystem-null-session-fallback.md)
+###### [Network security: Allow PKU2U authentication requests to this computer to use online identities](security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md)
+###### [Network security: Configure encryption types allowed for Kerberos Win7 only](security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md)
+###### [Network security: Do not store LAN Manager hash value on next password change](security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md)
+###### [Network security: Force logoff when logon hours expire](security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md)
+###### [Network security: LAN Manager authentication level](security-policy-settings/network-security-lan-manager-authentication-level.md)
+###### [Network security: LDAP client signing requirements](security-policy-settings/network-security-ldap-client-signing-requirements.md)
+###### [Network security: Minimum session security for NTLM SSP based (including secure RPC) clients](security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md)
+###### [Network security: Minimum session security for NTLM SSP based (including secure RPC) servers](security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md)
+###### [Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication](security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md)
+###### [Network security: Restrict NTLM: Add server exceptions in this domain](security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md)
+###### [Network security: Restrict NTLM: Audit incoming NTLM traffic](security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md)
+###### [Network security: Restrict NTLM: Audit NTLM authentication in this domain](security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md)
+###### [Network security: Restrict NTLM: Incoming NTLM traffic](security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md)
+###### [Network security: Restrict NTLM: NTLM authentication in this domain](security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md)
+###### [Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers](security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md)
+###### [Recovery console: Allow automatic administrative logon](security-policy-settings/recovery-console-allow-automatic-administrative-logon.md)
+###### [Recovery console: Allow floppy copy and access to all drives and folders](security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md)
+###### [Shutdown: Allow system to be shut down without having to log on](security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md)
+###### [Shutdown: Clear virtual memory pagefile](security-policy-settings/shutdown-clear-virtual-memory-pagefile.md)
+###### [System cryptography: Force strong key protection for user keys stored on the computer](security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md)
+###### [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md)
+###### [System objects: Require case insensitivity for non-Windows subsystems](security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md)
+###### [System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)](security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md)
+###### [System settings: Optional subsystems](security-policy-settings/system-settings-optional-subsystems.md)
+###### [System settings: Use certificate rules on Windows executables for Software Restriction Policies](security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md)
+###### [User Account Control: Admin Approval Mode for the Built-in Administrator account](security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md)
+###### [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md)
+###### [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md)
+###### [User Account Control: Behavior of the elevation prompt for standard users](security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md)
+###### [User Account Control: Detect application installations and prompt for elevation](security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md)
+###### [User Account Control: Only elevate executables that are signed and validated](security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md)
+###### [User Account Control: Only elevate UIAccess applications that are installed in secure locations](security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md)
+###### [User Account Control: Run all administrators in Admin Approval Mode](security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md)
+###### [User Account Control: Switch to the secure desktop when prompting for elevation](security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md)
+###### [User Account Control: Virtualize file and registry write failures to per-user locations](security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md)
+##### [Advanced security audit policy settings](security-policy-settings/secpol-advanced-security-audit-policy-settings.md)
+##### [User Rights Assignment](security-policy-settings/user-rights-assignment.md)
+###### [Access Credential Manager as a trusted caller](security-policy-settings/access-credential-manager-as-a-trusted-caller.md)
+###### [Access this computer from the network](security-policy-settings/access-this-computer-from-the-network.md)
+###### [Act as part of the operating system](security-policy-settings/act-as-part-of-the-operating-system.md)
+###### [Add workstations to domain](security-policy-settings/add-workstations-to-domain.md)
+###### [Adjust memory quotas for a process](security-policy-settings/adjust-memory-quotas-for-a-process.md)
+###### [Allow log on locally](security-policy-settings/allow-log-on-locally.md)
+###### [Allow log on through Remote Desktop Services](security-policy-settings/allow-log-on-through-remote-desktop-services.md)
+###### [Back up files and directories](security-policy-settings/back-up-files-and-directories.md)
+###### [Bypass traverse checking](security-policy-settings/bypass-traverse-checking.md)
+###### [Change the system time](security-policy-settings/change-the-system-time.md)
+###### [Change the time zone](security-policy-settings/change-the-time-zone.md)
+###### [Create a pagefile](security-policy-settings/create-a-pagefile.md)
+###### [Create a token object](security-policy-settings/create-a-token-object.md)
+###### [Create global objects](security-policy-settings/create-global-objects.md)
+###### [Create permanent shared objects](security-policy-settings/create-permanent-shared-objects.md)
+###### [Create symbolic links](security-policy-settings/create-symbolic-links.md)
+###### [Debug programs](security-policy-settings/debug-programs.md)
+###### [Deny access to this computer from the network](security-policy-settings/deny-access-to-this-computer-from-the-network.md)
+###### [Deny log on as a batch job](security-policy-settings/deny-log-on-as-a-batch-job.md)
+###### [Deny log on as a service](security-policy-settings/deny-log-on-as-a-service.md)
+###### [Deny log on locally](security-policy-settings/deny-log-on-locally.md)
+###### [Deny log on through Remote Desktop Services](security-policy-settings/deny-log-on-through-remote-desktop-services.md)
+###### [Enable computer and user accounts to be trusted for delegation](security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md)
+###### [Force shutdown from a remote system](security-policy-settings/force-shutdown-from-a-remote-system.md)
+###### [Generate security audits](security-policy-settings/generate-security-audits.md)
+###### [Impersonate a client after authentication](security-policy-settings/impersonate-a-client-after-authentication.md)
+###### [Increase a process working set](security-policy-settings/increase-a-process-working-set.md)
+###### [Increase scheduling priority](security-policy-settings/increase-scheduling-priority.md)
+###### [Load and unload device drivers](security-policy-settings/load-and-unload-device-drivers.md)
+###### [Lock pages in memory](security-policy-settings/lock-pages-in-memory.md)
+###### [Log on as a batch job](security-policy-settings/log-on-as-a-batch-job.md)
+###### [Log on as a service](security-policy-settings/log-on-as-a-service.md)
+###### [Manage auditing and security log](security-policy-settings/manage-auditing-and-security-log.md)
+###### [Modify an object label](security-policy-settings/modify-an-object-label.md)
+###### [Modify firmware environment values](security-policy-settings/modify-firmware-environment-values.md)
+###### [Perform volume maintenance tasks](security-policy-settings/perform-volume-maintenance-tasks.md)
+###### [Profile single process](security-policy-settings/profile-single-process.md)
+###### [Profile system performance](security-policy-settings/profile-system-performance.md)
+###### [Remove computer from docking station](security-policy-settings/remove-computer-from-docking-station.md)
+###### [Replace a process level token](security-policy-settings/replace-a-process-level-token.md)
+###### [Restore files and directories](security-policy-settings/restore-files-and-directories.md)
+###### [Shut down the system](security-policy-settings/shut-down-the-system.md)
+###### [Synchronize directory service data](security-policy-settings/synchronize-directory-service-data.md)
+###### [Take ownership of files or other objects](security-policy-settings/take-ownership-of-files-or-other-objects.md)
+
+
+
+
+
+
+### [Windows security baselines](windows-security-baselines.md)
### [Security Compliance Toolkit](security-compliance-toolkit-10.md)
### [Get support](get-support-for-security-baselines.md)
-## [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md)
+### [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md)
## [Change history for Threat protection](change-history-for-threat-protection.md)
diff --git a/windows/security/threat-protection/auditing/audit-account-lockout.md b/windows/security/threat-protection/auditing/audit-account-lockout.md
index 3683fa438c..831cb9ee9c 100644
--- a/windows/security/threat-protection/auditing/audit-account-lockout.md
+++ b/windows/security/threat-protection/auditing/audit-account-lockout.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
-ms.date: 04/19/2017
+ms.date: 07/16/2018
---
# Audit Account Lockout
@@ -19,7 +19,7 @@ ms.date: 04/19/2017
Audit Account Lockout enables you to audit security events that are generated by a failed attempt to log on to an account that is locked out.
-If you configure this policy setting, an audit event is generated when an account cannot log on to a computer because the account is locked out. Success audits record successful attempts and failure audits record unsuccessful attempts.
+If you configure this policy setting, an audit event is generated when an account cannot log on to a computer because the account is locked out.
Account lockout events are essential for understanding user activity and detecting potential attacks.
diff --git a/windows/security/threat-protection/auditing/audit-logoff.md b/windows/security/threat-protection/auditing/audit-logoff.md
index e9a0c01254..9c9b76a014 100644
--- a/windows/security/threat-protection/auditing/audit-logoff.md
+++ b/windows/security/threat-protection/auditing/audit-logoff.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
-ms.date: 04/19/2017
+ms.date: 07/16/2018
---
# Audit Logoff
@@ -25,15 +25,15 @@ There is no failure event in this subcategory because failed logoffs (such as wh
Logon events are essential to understanding user activity and detecting potential attacks. Logoff events are not 100 percent reliable. For example, the computer can be turned off without a proper logoff and shutdown; in this case, a logoff event is not generated.
-**Event volume**: Low.
+**Event volume**: High.
This subcategory allows you to audit events generated by the closing of a logon session. These events occur on the computer that was accessed. For an interactive logoff the security audit event is generated on the computer that the user account logged on to.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events which, typically has little security relevance. It is more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.
Enable Success audit if you want to track, for example, for how long session was active (in correlation with [Audit Logon](audit-logon.md) events) and when user actually logged off.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Member Server | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events which, typically has little security relevance. It is more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.
Enable Success audit if you want to track, for example, for how long session was active (in correlation with [Audit Logon](audit-logon.md) events) and when user actually logged off.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Workstation | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events which, typically has little security relevance. It is more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.
Enable Success audit if you want to track, for example, for how long session was active (in correlation with [Audit Logon](audit-logon.md) events) and when user actually logged off.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
+| Domain Controller | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events, which typically have little security relevance. It is more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.
Enable Success audit if you want to track, for example, for how long session was active (in correlation with [Audit Logon](audit-logon.md) events) and when user actually logged off.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
+| Member Server | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events, which typically have little security relevance. It is more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.
Enable Success audit if you want to track, for example, for how long session was active (in correlation with [Audit Logon](audit-logon.md) events) and when user actually logged off.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
+| Workstation | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events, which typically have little security relevance. It is more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.
Enable Success audit if you want to track, for example, for how long session was active (in correlation with [Audit Logon](audit-logon.md) events) and when user actually logged off.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:**
diff --git a/windows/security/threat-protection/images/wdatp-pillars2.png b/windows/security/threat-protection/images/wdatp-pillars2.png
new file mode 100644
index 0000000000..60725244e5
Binary files /dev/null and b/windows/security/threat-protection/images/wdatp-pillars2.png differ
diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md
index f2c623bd85..b589ac9a69 100644
--- a/windows/security/threat-protection/index.md
+++ b/windows/security/threat-protection/index.md
@@ -10,19 +10,27 @@ ms.date: 02/05/2018
---
# Threat Protection
+Windows Defender Advanced Threat Protection (ATP) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Windows Defender ATP protects endpoints from cyber threats; detects advanced attacks and data breaches, automates security incidents and improves security posture.
+
+
+
+The following capabilities are available across multiple products that make up the Windows Defender ATP platform.
+
+**Attack surface reduction**
+The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations.
+
+**Next generation protection**
+To further reinforce the security perimeter of your network, Windows Defender ATP uses next generation protection designed to catch all types of emerging threats.
+
+**Endpoint protection and response**
+Endpoint protection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars.
+
+**Auto investigation and remediation**
+In conjunction with being able to quickly respond to advanced attacks, Windows Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
+
+**Security posture**
+Windows Defender ATP provides a security posture capability to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security state of your network.
+
+
-Learn more about how to help protect against threats in Windows 10 and Windows 10 Mobile.
-| Section | Description |
-|-|-|
-|[Windows Defender Security Center](windows-defender-security-center/windows-defender-security-center.md)|Learn about the easy-to-use app that brings together common Windows security features.|
-|[Windows Defender Advanced Threat Protection](windows-defender-atp/windows-defender-advanced-threat-protection.md)|Provides info about Windows Defender Advanced Threat Protection (Windows Defender ATP), an out-of-the-box Windows enterprise security service that enables enterprise cybersecurity teams to detect and respond to advanced threats on their networks.|
-|[Windows Defender Antivirus in Windows 10](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)|Provides info about Windows Defender Antivirus, a built-in antimalware solution that helps provide security and antimalware management for desktops, portable computers, and servers. Includes a list of system requirements and new features.|
-|[Windows Defender Application Guard](windows-defender-application-guard/wd-app-guard-overview.md)|Provides info about Windows Defender Application Guard, the hardware-based virtualization solution that helps to isolate a device and operating system from an untrusted browser session.|
-|[Windows Defender Application Control](windows-defender-application-control/windows-defender-application-control.md)|Explains how Windows Defender Application Control restricts the applications that users are allowed to run and the code that runs in the System Core (kernel).|
-|[Enable HVCI](windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md)|Explains how to enable HVCI to protect Windows kernel-mode processes against the injection and execution of malicious or unverified code.|
-|[Windows Defender SmartScreen](windows-defender-smartscreen/windows-defender-smartscreen-overview.md) |Learn more about Windows Defender SmartScreen.|
-|[Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md) |Learn more about mitigating threats in Windows 10.|
-|[Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md) |Use Group Policy to override individual **Process Mitigation Options** settings and help to enforce specific app-related security policies.|
-|[Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-intrusion-detection.md) |Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected. |
-|[Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) |Provides info about how to help protect your company from attacks which may originate from untrusted or attacker controlled font files. |
diff --git a/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md b/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md
index c50b81aaaf..871e2e7d7f 100644
--- a/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md
+++ b/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
-ms.date: 04/19/2017
+ms.date: 07/13/2017
---
# Increase scheduling priority
@@ -33,7 +33,7 @@ Constant: SeIncreaseBasePriorityPrivilege
### Best practices
-- Allow the default value, Administrators, as the only account responsible for controlling process scheduling priorities.
+- Allow the default value, Administrators and Window Manager/Window Manager Group, as the only accounts responsible for controlling process scheduling priorities.
### Location
@@ -48,11 +48,11 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy| Not defined|
-| Default Domain Controller Policy| Administrators|
-| Stand-Alone Server Default Settings | Administrators|
-| Domain Controller Effective Default Settings | Administrators|
-| Member Server Effective Default Settings | Administrators|
-| Client Computer Effective Default Settings | Administrators|
+| Default Domain Controller Policy| Not defined|
+| Stand-Alone Server Default Settings | Administrators and Window Manager/Window Manager Group|
+| Domain Controller Effective Default Settings | Administrators and Window Manager/Window Manager Group|
+| Member Server Effective Default Settings | Administrators and Window Manager/Window Manager Group|
+| Client Computer Effective Default Settings | Administrators and Window Manager/Window Manager Group|
## Policy management
@@ -83,11 +83,11 @@ A user who is assigned this user right could increase the scheduling priority of
### Countermeasure
-Verify that only Administrators have the **Increase scheduling priority** user right assigned to them.
+Verify that only Administrators and and Window Manager/Window Manager Group have the **Increase scheduling priority** user right assigned to them.
### Potential impact
-None. Restricting the **Increase scheduling priority** user right to members of the Administrators group is the default configuration.
+None. Restricting the **Increase scheduling priority** user right to members of the Administrators group and and Window Manager/Window Manager Group is the default configuration.
## Related topics
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
index b019f68b3c..2754f9f13f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
@@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
author: jsuther1974
-ms.date: 07/10/2018
+ms.date: 07/16/2018
---
# Microsoft recommended block rules
@@ -762,6 +762,12 @@ Microsoft recommends that you block the following Microsoft-signed applications
-->
+
+
+
+
+
@@ -1391,7 +1397,8 @@ Microsoft recommends that you block the following Microsoft-signed applications
-
+
+
diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md
index a8defba7ee..fa8be23611 100644
--- a/windows/security/threat-protection/windows-defender-atp/TOC.md
+++ b/windows/security/threat-protection/windows-defender-atp/TOC.md
@@ -1,4 +1,4 @@
-# [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md)
+# [Windows Defender Security Center](windows-defender-security-center-atp.md)
##Get started
### [Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md)
### [Validate licensing and complete setup](licensing-windows-defender-advanced-threat-protection.md)
@@ -21,7 +21,7 @@
### [Run simulated attacks on machines](attack-simulations-windows-defender-advanced-threat-protection.md)
### [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
### [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
-## [Understand the Windows Defender ATP portal](use-windows-defender-advanced-threat-protection.md)
+## [Understand the portal](use-windows-defender-advanced-threat-protection.md)
### [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md)
### [View the Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md)
### [View the Secure Score dashboard and improve your secure score](secure-score-dashboard-windows-defender-advanced-threat-protection.md)
@@ -77,6 +77,7 @@
#### [Advanced hunting reference](advanced-hunting-reference-windows-defender-advanced-threat-protection.md)
#### [Advanced hunting query language best practices](advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md)
+## [Protect data with conditional access](conditional-access-windows-defender-advanced-threat-protection.md)
##API and SIEM support
### [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md)
#### [Enable SIEM integration](enable-siem-integration-windows-defender-advanced-threat-protection.md)
@@ -165,7 +166,7 @@
### [Inactive machines](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines)
### [Misconfigured machines](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines)
### [Check service health](service-status-windows-defender-advanced-threat-protection.md)
-## [Configure Windows Defender ATP Settings](preferences-setup-windows-defender-advanced-threat-protection.md)
+## [Configure Windows Defender Security Center settings](preferences-setup-windows-defender-advanced-threat-protection.md)
###General
#### [Update data retention settings](data-retention-settings-windows-defender-advanced-threat-protection.md)
@@ -173,7 +174,7 @@
#### [Enable and create Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
#### [Enable Secure score security controls](enable-secure-score-windows-defender-advanced-threat-protection.md)
#### [Configure advanced features](advanced-features-windows-defender-advanced-threat-protection.md)
-#### [Protect data with conditional access](conditional-access-windows-defender-advanced-threat-protection.md)
+
###Permissions
#### [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md)
@@ -193,9 +194,9 @@
#### [Onboarding machines](onboard-configure-windows-defender-advanced-threat-protection.md)
#### [Offboarding machines](offboard-machines-windows-defender-advanced-threat-protection.md)
-## [Configure Windows Defender ATP time zone settings](time-settings-windows-defender-advanced-threat-protection.md)
+## [Configure Windows Defender Security Center zone settings](time-settings-windows-defender-advanced-threat-protection.md)
## [Access the Windows Defender ATP Community Center](community-windows-defender-advanced-threat-protection.md)
-## [Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md)
+## [Troubleshoot Windows Defender ATP service issues](troubleshoot-windows-defender-advanced-threat-protection.md)
### [Review events and errors on machines with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)
-## [Windows Defender Antivirus compatibility with Windows Defender ATP](defender-compatibility-windows-defender-advanced-threat-protection.md)
+
diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
index 28dc66fbb4..b414111b05 100644
--- a/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
@@ -71,7 +71,7 @@ When you complete the integration steps on both portals, you'll be able to see r
## Office 365 Threat Intelligence connection
This feature is only available if you have an active Office 365 E5 or the Threat Intelligence add-on. For more information, see the Office 365 Enterprise E5 product page.
-When you enable this feature, you'll be able to incorporate data from Office 365 Advanced Threat Protection into the Windows Defender ATP portal to conduct a holistic security investigation across Office 365 mailboxes and Windows machines.
+When you enable this feature, you'll be able to incorporate data from Office 365 Advanced Threat Protection into Windows Defender Security Center to conduct a holistic security investigation across Office 365 mailboxes and Windows machines.
>[!NOTE]
>You'll need to have the appropriate license to enable this feature.
diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md
index 2888e97c54..2ebe1dceb6 100644
--- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md
@@ -40,6 +40,9 @@ To effectively build queries that span multiple tables, you need to understand t
| AdditionalFields | string | Additional information about the event in JSON array format |
| AlertId | string | Unique identifier for the alert |
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
+| ConnectedNetworks | string | Networks that the adapter is connected to. Each JSON array contains the network name, category (public, private or domain), a description, and a flag indicating if it’s connected publicly to the internet. |
+| DefaultGateways | string | Default gateway addresses in JSON array format |
+| DnsServers | string | DNS server addresses in JSON array format |
| EventTime | datetime | Date and time when the event was recorded |
| EventType | string | Table where the record is stored |
| FileName | string | Name of the file that the recorded action was applied to |
@@ -64,15 +67,22 @@ To effectively build queries that span multiple tables, you need to understand t
| InitiatingProcessSha1 | string | SHA-1 of the process (image file) that initiated the event |
| InitiatingProcessSha256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available. |
| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
+| IPAddresses | string | JSON array containing all the IP addresses assigned to the adapter, along with their respective subnet prefix and IP address space, such as public, private, or link-local |
+| Ipv4Dhcp | string | IPv4 address of DHCP server |
+| Ipv6Dhcp | string | IPv6 address of DHCP server |
| IsAzureADJoined | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory |
| LocalIP | string | IP address assigned to the local machine used during communication |
| LocalPort | int | TCP port on the local machine used during communication |
| LogonId | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts. |
| LoggedOnUsers | string | List of all users that are logged on the machine at the time of the event in JSON array format |
| LogonType | string | Type of logon session, specifically:
- **Interactive** - User physically interacts with the machine using the local keyboard and screen
- **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients
- **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed
- **Batch** - Session initiated by scheduled tasks
- **Service** - Session initiated by services as they start
+| MacAddress | string | MAC address of the network adapter |
| MachineGroup | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine. |
| MachineId | string | Unique identifier for the machine in the service |
| MD5 | string | MD5 hash of the file that the recorded action was applied to |
+| NetworkAdapterName | string | Name of the network adapter |
+| NetworkAdapterStatus | string | Operational status of the network adapter. For the possible values, refer to [this enumeration](https://docs.microsoft.com/en-us/dotnet/api/system.net.networkinformation.operationalstatus?view=netframework-4.7.2). |
+| NetworkAdapterType | string | Network adapter type. For the possible values, refer to [this enumeration](https://docs.microsoft.com/en-us/dotnet/api/system.net.networkinformation.networkinterfacetype?view=netframework-4.7.2). |
| NetworkCardIPs | string | List of all network adapters on the machine, including their MAC addresses and assigned IP addresses, in JSON array format |
| OSArchitecture | string | Architecture of the operating system running on the machine |
| OSBuild | string | Build version of the operating system running on the machine |
@@ -99,6 +109,7 @@ To effectively build queries that span multiple tables, you need to understand t
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns. |
| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available. |
+| TunnelingProtocol | string | Tunneling protocol, if the interface is used for this purpose, for example:
- Various IPv6 to IPv4 tunneling protocols (6to4, Teredo, ISATAP)
- VPN (PPTP, SSTP)
- SSH
**NOTE:** This field doesn’t provide full IP tunneling specifications. |
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-belowfoldlink)
diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md
index f86299df06..538e981c02 100644
--- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md
@@ -134,7 +134,7 @@ These steps guide you on modifying and overwriting an existing query.
The result set has several capabilities to provide you with effective investigation, including:
-- Columns that return entity-related objects, such as Machine name, Machine ID, File name, SHA1, User, IP, and URL, are linked to their entity pages in the Windows Defender ATP portal.
+- Columns that return entity-related objects, such as Machine name, Machine ID, File name, SHA1, User, IP, and URL, are linked to their entity pages in Windows Defender Security Center.
- You can right-click on a cell in the result set and add a filter to your written query. The current filtering options are **include**, **exclude** or **advanced filter**, which provides additional filtering options on the cell value. These cell values are part of the row set.
diff --git a/windows/security/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md
index 8f108fac32..677b25564f 100644
--- a/windows/security/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md
@@ -1,6 +1,6 @@
---
title: Windows Defender ATP alert API fields
-description: Understand how the alert API fields map to the values in the Windows Defender ATP portal.
+description: Understand how the alert API fields map to the values in Windows Defender Security Center
keywords: alerts, alert fields, fields, api, fields, pull alerts, rest api, request, response
search.product: eADQiWindows 10XVcnh
ms.prod: w10
@@ -28,7 +28,7 @@ ms.date: 10/16/2017
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-apiportalmapping-abovefoldlink)
-Understand what data fields are exposed as part of the alerts API and how they map to the Windows Defender ATP portal.
+Understand what data fields are exposed as part of the alerts API and how they map to Windows Defender Security Center.
## Alert API fields and portal mapping
diff --git a/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md
index 0be5072e10..e948d94905 100644
--- a/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md
@@ -1,5 +1,5 @@
---
-title: Assign user access to the Windows Defender ATP portal
+title: Assign user access to Windows Defender Security Center
description: Assign read and write or read only access to the Windows Defender Advanced Threat Protection portal.
keywords: assign user roles, assign read and write access, assign read only access, user, user roles, roles
search.product: eADQiWindows 10XVcnh
@@ -13,7 +13,7 @@ ms.localizationpriority: medium
ms.date: 04/24/2018
---
-# Assign user access to the Windows Defender ATP portal
+# Assign user access to Windows Defender Security Center
**Applies to:**
- Windows 10 Enterprise
diff --git a/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection.md
index 72c39bb7dd..295192756c 100644
--- a/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection.md
@@ -30,7 +30,7 @@ There are several spaces you can explore to learn about specific information:
There are several ways you can access the Community Center:
-- In the Windows Defender ATP portal navigation pane, select **Community center**. A new browser tab opens and takes you to the Windows Defender ATP Tech Community page.
+- In the Windows Defender Security Center navigation pane, select **Community center**. A new browser tab opens and takes you to the Windows Defender ATP Tech Community page.
- Access the community through the [Windows Defender Advanced Threat Protection Tech Community](https://techcommunity.microsoft.com/t5/Windows-Defender-Advanced-Threat/ct-p/WindowsDefenderAdvanced) page
diff --git a/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md
index 1443633294..432cfcfa13 100644
--- a/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md
@@ -88,13 +88,13 @@ You need to make sure that all your devices are enrolled in Intune. You can use
-There are steps you'll need to take in the Windows Defender ATP portal, the Intune portal, and Azure AD portal.
+There are steps you'll need to take in Windows Defender Security Center, the Intune portal, and Azure AD portal.
> [!NOTE]
> You'll need a Microsoft Intune environment, with Intune managed and Azure AD joined Windows 10 devices.
Take the following steps to enable conditional access:
-- Step 1: Turn on the Microsoft Intune connection from the Windows Defender ATP portal
+- Step 1: Turn on the Microsoft Intune connection from Windows Defender Security Center
- Step 2: Turn on the Windows Defender ATP integration in Intune
- Step 3: Create the compliance policy in Intune
- Step 4: Assign the policy
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md
index 6854feeff6..c4633c09c3 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md
@@ -1,6 +1,6 @@
---
title: Configure HP ArcSight to pull Windows Defender ATP alerts
-description: Configure HP ArcSight to receive and pull alerts from the Windows Defender ATP portal.
+description: Configure HP ArcSight to receive and pull alerts from Windows Defender Security Center
keywords: configure hp arcsight, security information and events management tools, arcsight
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md
index 755d61b729..1ebb14a664 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md
@@ -9,8 +9,8 @@ ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
-ms.localizationpriority: medium
-ms.date: 06/18/2018
+ms.localizationpriority: high
+ms.date: 07/16/2018
---
# Configure alert notifications in Windows Defender ATP
@@ -24,7 +24,6 @@ ms.date: 06/18/2018
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-emailconfig-abovefoldlink)
You can configure Windows Defender ATP to send email notifications to specified recipients for new alerts. This feature enables you to identify a group of individuals who will immediately be informed and can act on alerts based on their severity.
@@ -50,7 +49,9 @@ You can create rules that determine the machines and alert severities to send em
2. Click **Add notification rule**.
3. Specify the General information:
- - **Rule name**
+ - **Rule name** - Specify a name for the notification rule.
+ - **Include organization name** - Specify the customer name that appears on the email notification.
+ - **Include tenant-specific portal link** - Adds a link with the tenant ID to allow access to a specific tenant.
- **Machines** - Choose whether to notify recipients for alerts on all machines (Global administrator role only) or on selected machine groups. For more information, see [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md).
- **Alert severity** - Choose the alert severity level
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
index 4d3e7b1cbb..980252189b 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
@@ -34,7 +34,7 @@ ms.date: 04/24/2018
> To use Group Policy (GP) updates to deploy the package, you must be on Windows Server 2008 R2 or later.
## Onboard machines using Group Policy
-1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
+1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Windows Defender Security Center](https://securitycenter.windows.com/):
a. In the navigation pane, select **Settings** > **Onboarding**.
@@ -64,7 +64,7 @@ ms.date: 04/24/2018
> After onboarding the machine, you can choose to run a detection test to verify that the machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md).
## Additional Windows Defender ATP configuration settings
-For each machine, you can state whether samples can be collected from the machine when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
+For each machine, you can state whether samples can be collected from the machine when a request is made through Windows Defender Security Center to submit a file for deep analysis.
You can use Group Policy (GP) to configure settings, such as settings for the sample sharing used in the deep analysis feature.
@@ -120,7 +120,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
> [!NOTE]
> Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions.
-1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
+1. Get the offboarding package from [Windows Defender Security Center](https://securitycenter.windows.com/):
a. In the navigation pane, select **Settings** > **Offboarding**.
@@ -154,7 +154,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
With Group Policy there isn’t an option to monitor deployment of policies on the machines. Monitoring can be done directly on the portal, or by using the different deployment tools.
## Monitor machines using the portal
-1. Go to the [Windows Defender ATP portal](https://securitycenter.windows.com/).
+1. Go to [Windows Defender Security Center](https://securitycenter.windows.com/).
2. Click **Machines list**.
3. Verify that machines are appearing.
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
index 9decf3868e..83f63e9c62 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
@@ -54,7 +54,7 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre
- **Onboard Configuration Package**: Browse and select the **WindowsDefenderATP.onboarding** file you downloaded. This file enables a setting so devices can report to the Windows Defender ATP service.
- **Sample sharing for all files**: Allows samples to be collected, and shared with Windows Defender ATP. For example, if you see a suspicious file, you can submit it to Windows Defender ATP for deep analysis.
- **Expedite telemetry reporting frequency**: For devices that are at high risk, enable this setting so it reports telemetry to the Windows Defender ATP service more frequently.
- - **Offboard Configuration Package**: If you want to remove Windows Defender ATP monitoring, you can download an offboarding package from the Windows Defender ATP portal, and add it. Otherwise, skip this property.
+ - **Offboard Configuration Package**: If you want to remove Windows Defender ATP monitoring, you can download an offboarding package from Windows Defender Security Center, and add it. Otherwise, skip this property.
7. Select **OK**, and **Create** to save your changes, which creates the profile.
@@ -62,7 +62,7 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre
### Onboard and monitor machines using the classic Intune console
-1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
+1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Windows Defender Security Center](https://securitycenter.windows.com/):
a. In the navigation pane, select **Settings** > **Onboarding**.
@@ -145,7 +145,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
> [!NOTE]
> Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions.
-1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
+1. Get the offboarding package from [Windows Defender Security Center](https://securitycenter.windows.com/):
a. In the navigation pane, select **Settings** > **Offboarding**.
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md
index ae90065fd3..71b333c546 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md
@@ -24,7 +24,7 @@ ms.date: 04/24/2018
-Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in the Windows Defender ATP portal and better protect your organization's network. This experience leverages on a third-party security products’ sensor data.
+Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Windows Defender Security Center and better protect your organization's network. This experience leverages on a third-party security products’ sensor data.
You'll need to know the exact Linux distros and macOS X versions that are compatible with Windows Defender ATP for the integration to work.
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
index 04552bb241..cbc1b85dda 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
@@ -47,7 +47,7 @@ You can use existing System Center Configuration Manager functionality to create
### Onboard machines using System Center Configuration Manager
-1. Open the SCCM configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
+1. Open the SCCM configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Windows Defender Security Center](https://securitycenter.windows.com/):
a. In the navigation pane, select **Settings** > **Onboarding**.
@@ -70,7 +70,7 @@ You can use existing System Center Configuration Manager functionality to create
> After onboarding the machine, you can choose to run a detection test to verify that an machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md).
### Configure sample collection settings
-For each machine, you can set a configuration value to state whether samples can be collected from the machine when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
+For each machine, you can set a configuration value to state whether samples can be collected from the machine when a request is made through Windows Defender Security Center to submit a file for deep analysis.
You can set a compliance rule for configuration item in System Center Configuration Manager to change the sample share setting on a machine.
This rule should be a *remediating* compliance rule configuration item that sets the value of a registry key on targeted machines to make sure they’re complaint.
@@ -125,7 +125,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
> [!NOTE]
> Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions.
-1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
+1. Get the offboarding package from [Windows Defender Security Center](https://securitycenter.windows.com/):
a. In the navigation pane, select **Settings** > **Offboarding**.
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md
index 1ccd8fbdf2..8236a40cf4 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md
@@ -34,7 +34,7 @@ You can also manually onboard individual machines to Windows Defender ATP. You m
> The script has been optimized to be used on a limited number of machines (1-10 machines). To deploy to scale, use other deployment options. For more information on using other deployment options, see [Onboard Window 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).
## Onboard machines
-1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
+1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Windows Defender Security Center](https://securitycenter.windows.com/):
a. In the navigation pane, select **Settings** > **Onboarding**.
@@ -66,7 +66,7 @@ For information on how you can manually validate that the machine is compliant a
> After onboarding the machine, you can choose to run a detection test to verify that an machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md).
## Configure sample collection settings
-For each machine, you can set a configuration value to state whether samples can be collected from the machine when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
+For each machine, you can set a configuration value to state whether samples can be collected from the machine when a request is made through Windows Defender Security Center to submit a file for deep analysis.
You can manually configure the sample sharing setting on the machine by using *regedit* or creating and running a *.reg* file.
@@ -92,7 +92,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
> [!NOTE]
> Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions.
-1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
+1. Get the offboarding package from [Windows Defender Security Center](https://securitycenter.windows.com/):
a. In the navigation pane, select **Settings** > **Offboarding**.
@@ -126,7 +126,7 @@ You can follow the different verification steps in the [Troubleshoot onboarding
Monitoring can also be done directly on the portal, or by using the different deployment tools.
### Monitor machines using the portal
-1. Go to the Windows Defender ATP portal.
+1. Go to Windows Defender Security Center.
2. Click **Machines list**.
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md
index c26f608d94..7f15b0fc5c 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md
@@ -38,7 +38,7 @@ You can onboard VDI machines using a single entry or multiple entries for each m
>[!WARNING]
> For environments where there are low resource configurations, the VDI boot proceedure might slow the Windows Defender ATP sensor onboarding.
-1. Open the VDI configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
+1. Open the VDI configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Windows Defender Security Center](https://securitycenter.windows.com/):
a. In the navigation pane, select **Settings** > **Onboarding**.
@@ -78,8 +78,8 @@ You can onboard VDI machines using a single entry or multiple entries for each m
d. Logon to machine with another user.
- e. **For single entry for each machine**: Check only one entry in the Windows Defender ATP portal.
- **For multiple entries for each machine**: Check multiple entries in the Windows Defender ATP portal.
+ e. **For single entry for each machine**: Check only one entry in Windows Defender Security Center.
+ **For multiple entries for each machine**: Check multiple entries in Windows Defender Security Center.
7. Click **Machines list** on the Navigation pane.
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md
index 1866f253bb..c0ae298a7a 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
-ms.date: 04/24/2018
+ms.date: 07/12/2018
---
# Onboard Windows 10 machines
@@ -27,7 +27,7 @@ ms.date: 04/24/2018
Machines in your organization must be configured so that the Windows Defender ATP service can get sensor data from them. There are various methods and deployment tools that you can use to configure the machines in your organization.
-Windows Defender ATP supports the following deployment tools and methods:
+The following deployment tools and methods are supported:
- Group Policy
- System Center Configuration Manager
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
index 0941965015..22fd6a1f44 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
@@ -91,9 +91,9 @@ If a proxy or firewall is blocking all traffic by default and allowing only spec
Service location | Microsoft.com DNS record
:---|:---
Common URLs for all locations | ```*.blob.core.windows.net```
```crl.microsoft.com```
```ctldl.windowsupdate.com```
```events.data.microsoft.com```
-US | ```us.vortex-win.data.microsoft.com```
```us-v20.events.data.microsoft.com```
```winatp-gw-cus.microsoft.com```
```winatp-gw-eus.microsoft.com```
-Europe | ```eu.vortex-win.data.microsoft.com```
```eu-v20.events.data.microsoft.com```
```winatp-gw-neu.microsoft.com```
```winatp-gw-weu.microsoft.com```
-UK | ```uk.vortex-win.data.microsoft.com```
```uk-v20.events.data.microsoft.com```
```winatp-gw-uks.microsoft.com```
```winatp-gw-ukw.microsoft.com```
+European Union | ```eu.vortex-win.data.microsoft.com```
```eu-v20.events.data.microsoft.com```
```winatp-gw-neu.microsoft.com```
```winatp-gw-weu.microsoft.com```
+United Kingdom | ```uk.vortex-win.data.microsoft.com```
```uk-v20.events.data.microsoft.com```
```winatp-gw-uks.microsoft.com```
```winatp-gw-ukw.microsoft.com```
+United States | ```us.vortex-win.data.microsoft.com```
```us-v20.events.data.microsoft.com```
```winatp-gw-cus.microsoft.com```
```winatp-gw-eus.microsoft.com```
If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the above listed URLs.
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md
index e174b920d6..5947c3167a 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md
@@ -27,7 +27,7 @@ ms.date: 05/08/2018
Windows Defender ATP extends support to also include the Windows Server operating system, providing advanced attack detection and investigation capabilities, seamlessly through the Windows Defender Security Center console.
-Windows Defender ATP supports the onboarding of the following servers:
+The service supports the onboarding of the following servers:
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server, version 1803
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md
index a7014a264b..f499b17917 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md
@@ -57,6 +57,6 @@ Topic | Description
[Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)| Learn about enabling the SIEM integration feature in the **Settings** page in the portal so that you can use and generate the required information to configure supported SIEM tools.
[Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to pull Windows Defender ATP alerts.
[Configure HP ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Windows Defender ATP alerts.
-[Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) | Understand what data fields are exposed as part of the alerts API and how they map to the Windows Defender ATP portal.
+[Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) | Understand what data fields are exposed as part of the alerts API and how they map to Windows Defender Security Center.
[Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) | Use the Client credentials OAuth 2.0 flow to pull alerts from Windows Defender ATP using REST API.
[Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md) | Address issues you might encounter when using the SIEM integration feature.
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md
index 922db1acba..ed37cdaedb 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md
@@ -1,6 +1,6 @@
---
title: Configure Splunk to pull Windows Defender ATP alerts
-description: Configure Splunk to receive and pull alerts from the Windows Defender ATP portal.
+description: Configure Splunk to receive and pull alerts from Windows Defender Security Center.
keywords: configure splunk, security information and events management tools, splunk
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
index 4274ab7f39..43933756ec 100644
--- a/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
@@ -135,7 +135,7 @@ Content-Type: application/json;
}
```
-The following values correspond to the alert sections surfaced on the Windows Defender ATP portal:
+The following values correspond to the alert sections surfaced on Windows Defender Security Center:
Highlighted section | JSON key name
diff --git a/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md
index b77656d1fc..1d1154af3b 100644
--- a/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md
@@ -27,7 +27,7 @@ ms.date: 04/24/2018
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-enablecustomti-abovefoldlink)
-Before you can create custom threat intelligence (TI) using REST API, you'll need to set up the custom threat intelligence application through the Windows Defender ATP portal.
+Before you can create custom threat intelligence (TI) using REST API, you'll need to set up the custom threat intelligence application through Windows Defender Security Center.
1. In the navigation pane, select **Settings** > **Threat intel**.
diff --git a/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md
index 6ad34e8a8f..44e55b2b9b 100644
--- a/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md
@@ -27,7 +27,7 @@ ms.date: 04/24/2018
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
-Enable security information and event management (SIEM) integration so you can pull alerts from the Windows Defender ATP portal using your SIEM solution or by connecting directly to the alerts REST API.
+Enable security information and event management (SIEM) integration so you can pull alerts from Windows Defender Security Center using your SIEM solution or by connecting directly to the alerts REST API.
1. In the navigation pane, select **Settings** > **SIEM**.
@@ -55,7 +55,7 @@ Enable security information and event management (SIEM) integration so you can p
> [!NOTE]
> You'll need to generate a new Refresh token every 90 days.
-You can now proceed with configuring your SIEM solution or connecting to the alerts REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive alerts from the Windows Defender ATP portal.
+You can now proceed with configuring your SIEM solution or connecting to the alerts REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive alerts from Windows Defender Security Center.
diff --git a/windows/security/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md
index bbbdb8c3b5..137a1b8070 100644
--- a/windows/security/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md
@@ -139,7 +139,7 @@ This step will guide you in simulating an event in connection to a malicious IP
## Step 4: Explore the custom alert in the portal
This step will guide you in exploring the custom alert in the portal.
-1. Open the [Windows Defender ATP portal](http://securitycenter.windows.com/) on a browser.
+1. Open [Windows Defender Security Center](http://securitycenter.windows.com/) on a browser.
2. Log in with your Windows Defender ATP credentials.
diff --git a/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
index e0888ae096..8d04e19940 100644
--- a/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
@@ -37,7 +37,7 @@ An inactive machine is not necessarily flagged due to an issue. The following ac
If the machine has not been in use for more than 7 days for any reason, it will remain in an ‘Inactive’ status in the portal.
**Machine was reinstalled or renamed**
-A reinstalled or renamed machine will generate a new machine entity in Windows Defender ATP portal. The previous machine entity will remain with an ‘Inactive’ status in the portal. If you reinstalled a machine and deployed the Windows Defender ATP package, search for the new machine name to verify that the machine is reporting normally.
+A reinstalled or renamed machine will generate a new machine entity in Windows Defender Security Center. The previous machine entity will remain with an ‘Inactive’ status in the portal. If you reinstalled a machine and deployed the Windows Defender ATP package, search for the new machine name to verify that the machine is reporting normally.
**Machine was offboarded**
If the machine was offboarded it will still appear in machines list. After 7 days, the machine health state should change to inactive.
diff --git a/windows/security/threat-protection/windows-defender-atp/images/WDATP-components.png b/windows/security/threat-protection/windows-defender-atp/images/WDATP-components.png
new file mode 100644
index 0000000000..51f4335265
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/WDATP-components.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/components.png b/windows/security/threat-protection/windows-defender-atp/images/components.png
index 04ab864727..0ddc52f5d3 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/components.png and b/windows/security/threat-protection/windows-defender-atp/images/components.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/wdatp-pillars.png b/windows/security/threat-protection/windows-defender-atp/images/wdatp-pillars.png
new file mode 100644
index 0000000000..06ad5e6ed2
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/wdatp-pillars.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/wdatp-pillars2.png b/windows/security/threat-protection/windows-defender-atp/images/wdatp-pillars2.png
new file mode 100644
index 0000000000..60725244e5
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/wdatp-pillars2.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md
index ee311f4d0e..778f8d48b4 100644
--- a/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md
@@ -50,9 +50,9 @@ To gain access into which licenses are provisioned to your company, and to check
-## Access the Windows Defender ATP portal for the first time
+## Access Windows Defender Security Center for the first time
-When accessing the [Windows Defender ATP portal](https://SecurityCenter.Windows.com) for the first time there will be a setup wizard that will guide you through some initial steps. At the end of the setup wizard there will be a dedicated cloud instance of Windows Defender ATP created.
+When accessing [Windows Defender Security Center](https://SecurityCenter.Windows.com) for the first time there will be a setup wizard that will guide you through some initial steps. At the end of the setup wizard there will be a dedicated cloud instance of Windows Defender ATP created.
1. Each time you access the portal you will need to validate that you are authorized to access the product. This **Set up your permissions** step will only be available if you are not currently authorized to access the product.
@@ -64,7 +64,7 @@ When accessing the [Windows Defender ATP portal](https://SecurityCenter.Windows.
- You will need to set up your preferences for the Windows Defender ATP portal.
+ You will need to set up your preferences for Windows Defender Security Center.
3. When onboarding the service for the first time, you can choose to store your data in the Microsoft Azure datacenters in the European Union, the United Kingdom, or the United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not transfer the data from the specified geolocation.
@@ -108,11 +108,11 @@ When accessing the [Windows Defender ATP portal](https://SecurityCenter.Windows.
8. You will receive a warning notifying you that you won't be able to change some of your preferences once you click **Continue**.
> [!NOTE]
- > Some of these options can be changed at a later time in the Windows Defender ATP portal.
+ > Some of these options can be changed at a later time in Windows Defender Security Center.
-9. A dedicated cloud instance of the Windows Defender ATP portal is being created at this time. This step will take an average of 5 minutes to complete.
+9. A dedicated cloud instance of Windows Defender Security Center portal is being created at this time. This step will take an average of 5 minutes to complete.
diff --git a/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md
index 7f2592ffce..4860f91956 100644
--- a/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md
@@ -57,7 +57,7 @@ Whenever a change or comment is made to an alert, it is recorded in the **Commen
Added comments instantly appear on the pane.
## Suppress alerts
-There might be scenarios where you need to suppress alerts from appearing in the Windows Defender ATP portal. Windows Defender ATP lets you create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization.
+There might be scenarios where you need to suppress alerts from appearing in Windows Defender Security Center. Windows Defender ATP lets you create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization.
Suppression rules can be created from an existing alert. They can be disabled and reenabled if needed.
diff --git a/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
index 0316cfd397..2c3da444dd 100644
--- a/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
@@ -9,8 +9,8 @@ ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
-ms.localizationpriority: medium
-ms.date: 06/15/2018
+ms.localizationpriority: high
+ms.date: 07/01/2018
---
# Minimum requirements for Windows Defender ATP
@@ -23,17 +23,11 @@ ms.date: 06/15/2018
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
-
There are some minimum requirements for onboarding machines to the service.
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-minreqs-abovefoldlink)
-## Minimum requirements
-You must be on Windows 10, version 1607 at a minimum.
-For more information, see [Windows 10 Enterprise edition](https://www.microsoft.com/en-us/WindowsForBusiness/buy).
-
-### Licensing requirements
+## Licensing requirements
Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
- Windows 10 Enterprise E5
@@ -42,105 +36,7 @@ Windows Defender Advanced Threat Protection requires one of the following Micros
For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx#tab=2).
-### Browser requirements
-Internet Explorer and Microsoft Edge are supported. Any HTML5 compliant browsers are also supported.
-
-### Network and data storage and configuration requirements
-When you run the onboarding wizard for the first time, you must choose where your Windows Defender Advanced Threat Protection-related information is stored: in the European Union, the United Kingdom, or the United States datacenter.
-
-> [!NOTE]
-> - You cannot change your data storage location after the first-time setup.
-> - Review the [Windows Defender ATP data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md) for more information on where and how Microsoft stores your data.
-
-### Hardware and software requirements
-
-The Windows Defender ATP agent only supports the following editions of Windows 10:
-
-- Windows 10 Enterprise
-- Windows 10 Education
-- Windows 10 Pro
-- Windows 10 Pro Education
-
-Machines on your network must be running one of these editions.
-
-The hardware requirements for Windows Defender ATP on machines is the same as those for the supported editions.
-
-> [!NOTE]
-> Machines that are running mobile versions of Windows are not supported.
-
-#### Internet connectivity
-Internet connectivity on machines is required either directly or through proxy.
-
-The Windows Defender ATP sensor can utilize a daily average bandwidth of 5MB to communicate with the Windows Defender ATP cloud service and report cyber data.
-
-For more information on additional proxy configuration settings see, [Configure machine proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) .
-
-Before you onboard machines, the diagnostic data service must be enabled. The service is enabled by default in Windows 10.
-
-
-### Diagnostic data settings
-You must ensure that the diagnostic data service is enabled on all the machines in your organization.
-By default, this service is enabled, but it's good practice to check to ensure that you'll get sensor data from them.
-
-**Use the command line to check the Windows 10 diagnostic data service startup type**:
-
-1. Open an elevated command-line prompt on the machine:
-
- a. Go to **Start** and type **cmd**.
-
- b. Right-click **Command prompt** and select **Run as administrator**.
-
-2. Enter the following command, and press **Enter**:
-
- ```text
- sc qc diagtrack
- ```
-
-If the service is enabled, then the result should look like the following screenshot:
-
-
-
-If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the service to automatically start.
-
-
-
-**Use the command line to set the Windows 10 diagnostic data service to automatically start:**
-
-1. Open an elevated command-line prompt on the endpoint:
-
- a. Go to **Start** and type **cmd**.
-
- b. Right-click **Command prompt** and select **Run as administrator**.
-
-2. Enter the following command, and press **Enter**:
-
- ```text
- sc config diagtrack start=auto
- ```
-
-3. A success message is displayed. Verify the change by entering the following command, and press **Enter**:
-
- ```text
- sc qc diagtrack
- ```
-
-## Windows Defender Antivirus signature updates are configured
-The Windows Defender ATP agent depends on the ability of Windows Defender Antivirus to scan files and provide information about them.
-
-You must configure the signature updates on the Windows Defender ATP machines whether Windows Defender Antivirus is the active antimalware or not. For more information, see [Manage Windows Defender Antivirus updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md).
-
-When Windows Defender Antivirus is not the active antimalware in your organization and you use the Windows Defender ATP service, Windows Defender Antivirus goes on passive mode. If your organization has disabled Windows Defender Antivirus through group policy or other methods, machines that are onboarded to Windows Defender ATP must be excluded from this group policy.
-
-Depending on the server version you're onboarding, you might need to configure a Group Policy setting to run on passive mode. For more information, see [Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md).
-
-For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
-
-## Windows Defender Antivirus Early Launch Antimalware (ELAM) driver is enabled
-If you're running Windows Defender Antivirus as the primary antimalware product on your machines, the Windows Defender ATP agent will successfully onboard.
-
-If you're running a third-party antimalware client and use Mobile Device Management solutions or System Center Configuration Manager (current branch) version 1606, you'll need to ensure that the Windows Defender Antivirus ELAM driver is enabled. For more information, see [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy).
-
->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=technet-wd-atp-minreq-belowfoldlink1)
## Related topic
- [Validate licensing and complete setup](licensing-windows-defender-advanced-threat-protection.md)
+- [Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
index 1c84acc786..97d408e645 100644
--- a/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
@@ -9,8 +9,8 @@ ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
-ms.localizationpriority: medium
-ms.date: 06/19/2018
+ms.localizationpriority: high
+ms.date: 07/01/2018
---
# Onboard machines to the Windows Defender ATP service
@@ -18,14 +18,14 @@ ms.date: 06/19/2018
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
-
->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
-
You need to onboard machines to Windows Defender ATP before you can use the service.
For more information, see [Onboard your Windows 10 machines to Windows Defender ATP](https://www.youtube.com/watch?v=JT7VGYfeRlA&feature=youtu.be).
+[!include[Prerelease information](prerelease.md)]
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
+
## Licensing requirements
Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
@@ -60,11 +60,77 @@ The hardware requirements for Windows Defender ATP on machines is the same as th
### Other supported operating systems
+- macOSX
+- Linux
+
>[!NOTE]
>You'll need to know the exact Linux distros and macOS X versions that are compatible with Windows Defender ATP for the integration to work.
-- macOS X
-- Linux
+
+### Network and data storage and configuration requirements
+When you run the onboarding wizard for the first time, you must choose where your Windows Defender Advanced Threat Protection-related information is stored: in the European Union, the United Kingdom, or the United States datacenter.
+
+> [!NOTE]
+> - You cannot change your data storage location after the first-time setup.
+> - Review the [Windows Defender ATP data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md) for more information on where and how Microsoft stores your data.
+
+
+### Diagnostic data settings
+You must ensure that the diagnostic data service is enabled on all the machines in your organization.
+By default, this service is enabled, but it's good practice to check to ensure that you'll get sensor data from them.
+
+**Use the command line to check the Windows 10 diagnostic data service startup type**:
+
+1. Open an elevated command-line prompt on the machine:
+
+ a. Go to **Start** and type **cmd**.
+
+ b. Right-click **Command prompt** and select **Run as administrator**.
+
+2. Enter the following command, and press **Enter**:
+
+ ```text
+ sc qc diagtrack
+ ```
+
+If the service is enabled, then the result should look like the following screenshot:
+
+
+
+If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the service to automatically start.
+
+
+
+**Use the command line to set the Windows 10 diagnostic data service to automatically start:**
+
+1. Open an elevated command-line prompt on the endpoint:
+
+ a. Go to **Start** and type **cmd**.
+
+ b. Right-click **Command prompt** and select **Run as administrator**.
+
+2. Enter the following command, and press **Enter**:
+
+ ```text
+ sc config diagtrack start=auto
+ ```
+
+3. A success message is displayed. Verify the change by entering the following command, and press **Enter**:
+
+ ```text
+ sc qc diagtrack
+ ```
+
+
+
+#### Internet connectivity
+Internet connectivity on machines is required either directly or through proxy.
+
+The Windows Defender ATP sensor can utilize a daily average bandwidth of 5MB to communicate with the Windows Defender ATP cloud service and report cyber data.
+
+For more information on additional proxy configuration settings see, [Configure machine proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) .
+
+Before you onboard machines, the diagnostic data service must be enabled. The service is enabled by default in Windows 10.
## Windows Defender Antivirus configuration requirement
@@ -79,14 +145,19 @@ If you are onboarding servers and Windows Defender Antivirus is not the active a
For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
+## Windows Defender Antivirus Early Launch Antimalware (ELAM) driver is enabled
+If you're running Windows Defender Antivirus as the primary antimalware product on your machines, the Windows Defender ATP agent will successfully onboard.
+
+If you're running a third-party antimalware client and use Mobile Device Management solutions or System Center Configuration Manager (current branch) version 1606, you'll need to ensure that the Windows Defender Antivirus ELAM driver is enabled. For more information, see [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy).
+
## In this section
Topic | Description
:---|:---
-[Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md) | You'll need to onboard machines for it to report to the Windows Defender ATP service. Learn about the tools and methods you can use to configure machines in your enterprise.
[Onboard previous versions of Windows](onboard-downlevel-windows-defender-advanced-threat-protection.md)| Onboard Windows 7 and Windows 8.1 machines to Windows Defender ATP.
-[Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md) | Onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP.
-[Onboard non-Windows machines](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) | Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in the Windows Defender ATP portal and better protect your organization's network. This experience leverages on a third-party security products' sensor data.
+[Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md) | You'll need to onboard machines for it to report to the Windows Defender ATP service. Learn about the tools and methods you can use to configure machines in your enterprise.
+[Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md) | Onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP
+[Onboard non-Windows machines](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) | Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Windows Defender Security Center and better protect your organization's network. This experience leverages on a third-party security products' sensor data.
[Run a detection test on a newly onboarded machine](run-detection-test-windows-defender-advanced-threat-protection.md) | Run a script on a newly onboarded machine to verify that it is properly reporting to the Windows Defender ATP service.
[Configure proxy and Internet settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)| Enable communication with the Windows Defender ATP cloud service by configuring the proxy and Internet connectivity settings.
[Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) | Learn about resolving issues that might arise during onboarding.
diff --git a/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md
index ebbbabf5d5..bbee7b2a62 100644
--- a/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@
---
title: Windows Defender Advanced Threat Protection portal overview
-description: Use the Windows Defender ATP portal to monitor your enterprise network and assist in responding to alerts to potential advanced persistent threat (APT) activity or data breaches.
-keywords: Windows Defender ATP portal, portal, cybersecurity threat intelligence, dashboard, alerts queue, machines list, settings, machine management, advanced attacks
+description: Use Windows Defender Security Center to monitor your enterprise network and assist in responding to alerts to potential advanced persistent threat (APT) activity or data breaches.
+keywords: Windows Defender Security Center, portal, cybersecurity threat intelligence, dashboard, alerts queue, machines list, settings, machine management, advanced attacks
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@@ -27,14 +27,14 @@ ms.date: 04/24/2018
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
-Enterprise security teams can use the Windows Defender ATP portal to monitor and assist in responding to alerts of potential advanced persistent threat (APT) activity or data breaches.
+Enterprise security teams can use Windows Defender Security Center to monitor and assist in responding to alerts of potential advanced persistent threat (APT) activity or data breaches.
-You can use the [Windows Defender ATP portal](https://securitycenter.windows.com/) to:
+You can use [Windows Defender Security Center](https://securitycenter.windows.com/) to:
- View, sort, and triage alerts from your endpoints
- Search for more information on observed indicators such as files and IP Addresses
- Change Windows Defender ATP settings, including time zone and review licensing information.
-## Windows Defender ATP portal
+## Windows Defender Security Center
When you open the portal, you’ll see the main areas of the application:
diff --git a/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md
index c31724c417..ee949dfc75 100644
--- a/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md
@@ -35,7 +35,7 @@ You can easily get started by:
- Creating a dashboard on the Power BI service
- Building a custom dashboard on Power BI Desktop and tweaking it to fit the visual analytics and reporting requirements of your organization
-You can access these options from the Windows Defender ATP portal. Both the Power BI service and Power BI Desktop are supported.
+You can access these options from Windows Defender Security Center. Both the Power BI service and Power BI Desktop are supported.
## Create a Windows Defender ATP dashboard on Power BI service
Windows Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the portal.
diff --git a/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md
index a9f374c00d..769e84dfb8 100644
--- a/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md
@@ -1,5 +1,5 @@
---
-title: Configure Windows Defender ATP settings
+title: Configure Windows Defender Security Center settings
description: Use the settings page to configure general settings, permissions, apis, and rules.
keywords: settings, general settings, permissions, apis, rules
search.product: eADQiWindows 10XVcnh
@@ -12,7 +12,7 @@ author: mjcaparas
ms.localizationpriority: medium
ms.date: 04/24/2018
---
-# Configure Windows Defender ATP settings
+# Configure Windows Defender Security Center settings
**Applies to:**
diff --git a/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
index e3ead52979..aab70fb694 100644
--- a/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
@@ -1,6 +1,6 @@
---
title: Pull Windows Defender ATP alerts using REST API
-description: Pull alerts from the Windows Defender ATP portal REST API.
+description: Pull alerts from Windows Defender ATP REST API.
keywords: alerts, pull alerts, rest api, request, response
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md
index 0fc53246c7..6c6e1ced73 100644
--- a/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md
@@ -1,5 +1,5 @@
---
-title: Use role-based access control to grant fine-grained access to the Windows Defender ATP portal
+title: Use role-based access control to grant fine-grained access to Windows Defender Security Center
description: Create roles and groups within your security operations to grant access to the portal.
keywords: rbac, role, based, access, control, groups, control, tier, aad
search.product: eADQiWindows 10XVcnh
@@ -57,12 +57,12 @@ Before using RBAC, it's important that you understand the roles that can grant p
> [!WARNING]
> Before enabling the feature, it's important that you have a Global Administrator role or Security Administrator role in Azure AD and that you have your Azure AD groups ready to reduce the risk of being locked out of the portal.
-When you first log in to the Windows Defender ATP portal, you're granted either full access or read only access. Full access rights are granted to users with Security Administrator or Global Administrator roles in Azure AD. Read only access is granted to users with a Security Reader role in Azure AD.
+When you first log in to Windows Defender Security Center, you're granted either full access or read only access. Full access rights are granted to users with Security Administrator or Global Administrator roles in Azure AD. Read only access is granted to users with a Security Reader role in Azure AD.
Someone with a Windows Defender ATP Global administrator role has unrestricted access to all machines, regardless of their machine group association and the Azure AD user groups assignments
> [!WARNING]
-> Initially, only those with Azure AD Global Administrator or Security Administrator rights will be able to create and assign roles in the Windows Defender ATP portal, therefore, having the right groups ready in Azure AD is important.
+> Initially, only those with Azure AD Global Administrator or Security Administrator rights will be able to create and assign roles in Windows Defender Security Center, therefore, having the right groups ready in Azure AD is important.
>
> **Turning on role-based access control will cause users with read-only permissions (for example, users assigned to Azure AD Security reader role) to lose access until they are assigned to a role.**
>
diff --git a/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md
index 36a1a0a80b..e9cb11bc67 100644
--- a/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@
---
-title: Windows Defender Advanced Threat Protection time zone settings
+title: Windows Defender Security Center time zone settings
description: Use the menu to configure the time zone and view license information.
-keywords: Windows Defender ATP settings, Windows Defender, cybersecurity threat intelligence, advanced threat protection, time zone, utc, local time, license
+keywords: settings, Windows Defender, cybersecurity threat intelligence, advanced threat protection, time zone, utc, local time, license
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@@ -13,7 +13,7 @@ ms.localizationpriority: medium
ms.date: 02/13/2018
---
-# Windows Defender Advanced Threat Protection time zone settings
+# Windows Defender Security Center time zone settings
**Applies to:**
diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md
index 7bc886f9c7..ef5f861a65 100644
--- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md
@@ -29,11 +29,11 @@ ms.date: 11/28/2017
This page provides detailed steps to troubleshoot issues that might occur when setting up your Windows Defender ATP service.
-If you receive an error message, the Windows Defender ATP portal will provide a detailed explanation on what the issue is and relevant links will be supplied.
+If you receive an error message, Windows Defender Security Center will provide a detailed explanation on what the issue is and relevant links will be supplied.
## No subscriptions found
-If while accessing the Windows Defender ATP portal you get a **No subscriptions found** message, it means the Azure Active Directory (AAD) used to login the user to the portal, does not have a Windows Defender ATP license.
+If while accessing Windows Defender Security Center you get a **No subscriptions found** message, it means the Azure Active Directory (AAD) used to login the user to the portal, does not have a Windows Defender ATP license.
Potential reasons:
- The Windows E5 and Office E5 licenses are separate licenses.
@@ -48,7 +48,7 @@ For both cases you should contact Microsoft support at [General Windows Defender
## Your subscription has expired
-If while accessing the Windows Defender ATP portal you get a **Your subscription has expired** message, your online service subscription has expired. Windows Defender ATP subscription, like any other online service subscription, has an expiration date.
+If while accessing Windows Defender Security Center you get a **Your subscription has expired** message, your online service subscription has expired. Windows Defender ATP subscription, like any other online service subscription, has an expiration date.
You can choose to renew or extend the license at any point in time. When accessing the portal after the expiration date a **Your subscription has expired** message will be presented with an option to download the machine offboarding package, should you choose to not renew the license.
diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md
index 6a78b01173..37aca9ce88 100644
--- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md
@@ -1,5 +1,5 @@
---
-title: Troubleshoot Windows Defender Advanced Threat Protection
+title: Troubleshoot Windows Defender Advanced Threat Protection service issues
description: Find solutions and work arounds to known issues such as server errors when trying to access the service.
keywords: troubleshoot Windows Defender Advanced Threat Protection, troubleshoot Windows ATP, server error, access denied, invalid credentials, no data, dashboard portal, whitelist, event viewer
search.product: eADQiWindows 10XVcnh
@@ -10,17 +10,12 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
-ms.date: 10/23/2017
+ms.date: 07/12/2017
---
-# Troubleshoot Windows Defender Advanced Threat Protection
+# Troubleshoot service issues
**Applies to:**
-
-- Windows 10 Enterprise
-- Windows 10 Education
-- Windows 10 Pro
-- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
@@ -32,7 +27,7 @@ If you encounter a server error when trying to access the service, you’ll need
Configure your browser to allow cookies.
### Elements or data missing on the portal
-If some UI elements or data is missing on the Windows Defender ATP portal it’s possible that proxy settings are blocking it.
+If some UI elements or data is missing on Windows Defender Security Center it’s possible that proxy settings are blocking it.
Make sure that `*.securitycenter.windows.com` is included the proxy whitelist.
diff --git a/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md
index f394f62b34..b8fed131a5 100644
--- a/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md
@@ -36,7 +36,7 @@ You can use the code examples to guide you in creating calls to the custom threa
Topic | Description
:---|:---
[Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) | Understand the concepts around threat intelligence so that you can effectively create custom intelligence for your organization.
-[Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md) | Set up the custom threat intelligence application through the Windows Defender ATP portal so that you can create custom threat intelligence (TI) using REST API.
+[Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md) | Set up the custom threat intelligence application through Windows Defender Security Center so that you can create custom threat intelligence (TI) using REST API.
[Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md) | Create custom threat intelligence alerts so that you can generate specific alerts that are applicable to your organization.
[PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md) | Use the PowerShell code examples to guide you in using the custom threat intelligence API.
[Python code examples](python-example-code-windows-defender-advanced-threat-protection.md) | Use the Python code examples to guide you in using the custom threat intelligence API.
diff --git a/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md
index e875c22f43..07cec03da7 100644
--- a/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md
@@ -1,6 +1,6 @@
---
title: Use the Windows Defender Advanced Threat Protection portal
-description: Learn about the features on Windows Defender ATP portal, including how alerts work, and suggestions on how to investigate possible breaches and attacks.
+description: Learn about the features on Windows Defender Security Center, including how alerts work, and suggestions on how to investigate possible breaches and attacks.
keywords: dashboard, alerts queue, manage alerts, investigation, investigate alerts, investigate machines, submit files, deep analysis, high, medium, low, severity, ioc, ioa
search.product: eADQiWindows 10XVcnh
ms.prod: w10
@@ -27,7 +27,7 @@ ms.date: 03/12/2018
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-usewdatp-abovefoldlink)
-You can use the Windows Defender ATP portal to carry out an end-to-end security breach investigation through the dashboards.
+You can use Windows Defender Security Center to carry out an end-to-end security breach investigation through the dashboards.
Use the **Security operations** dashboard to gain insight on the various alerts on machines and users in your network.
diff --git a/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
index ee4cd6878f..07eee21200 100644
--- a/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
@@ -1,6 +1,6 @@
---
-title: Windows Defender Advanced Threat Protection
-description: Windows Defender Advanced Threat Protection is an enterprise security service that helps detect and respond to possible cybersecurity threats related to advanced persistent threats.
+title: Windows Defender Advanced Threat Protection
+description: Windows Defender Advanced Threat Protection is an enterprise security platform that helps secops to prevent, detect, investigate, and respond to possible cybersecurity threats related to advanced persistent threats.
keywords: introduction to Windows Defender Advanced Threat Protection, introduction to Windows Defender ATP, cybersecurity, advanced persistent threat, enterprise security, machine behavioral sensor, cloud security, analytics, threat intelligence
search.product: eADQiWindows 10XVcnh
ms.prod: w10
@@ -9,18 +9,13 @@ ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
-ms.localizationpriority: medium
-ms.date: 04/24/2018
+ms.localizationpriority: high
+ms.date: 07/12/2018
---
# Windows Defender Advanced Threat Protection
**Applies to:**
-
-- Windows 10 Enterprise
-- Windows 10 Education
-- Windows 10 Pro
-- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
@@ -29,78 +24,22 @@ ms.date: 04/24/2018
>
>For more info about Windows 10 Enterprise Edition features and functionality, see [Windows 10 Enterprise edition](https://www.microsoft.com/WindowsForBusiness/buy).
-Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service that enables enterprise customers to detect, investigate, and respond to advanced threats on their networks.
+Windows Defender Advanced Threat Protection is a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
-Get a quick, but in-depth overview of Windows Defender ATP for Windows 10 and the new capabilities in Windows 10, version 1703 see [Windows Defender ATP for Windows 10 Creators Update](https://technet.microsoft.com/en-au/windows/mt782787).
+To help you maximize the effectiveness of the security platform, you can configure individual capabilities that surface in Windows Defender Security Center.
-Windows Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service:
-
-- **Endpoint behavioral sensors**: Embedded in Windows 10, these sensors
- collect and process behavioral signals from the operating system
- (for example, process, registry, file, and network communications)
- and sends this sensor data to your private, isolated, cloud instance of Windows Defender ATP.
-
-
-- **Cloud security analytics**: Leveraging big-data, machine-learning, and
- unique Microsoft optics across the Windows ecosystem (such as the
- [Microsoft Malicious Software Removal Tool](https://www.microsoft.com/en-au/download/malicious-software-removal-tool-details.aspx),
- enterprise cloud products (such as Office 365), and online assets
- (such as Bing and SmartScreen URL reputation), behavioral signals
- are translated into insights, detections, and recommended responses
- to advanced threats.
-
-- **Threat intelligence**: Generated by Microsoft hunters, security teams,
- and augmented by threat intelligence provided by partners, threat
- intelligence enables Windows Defender ATP to identify attacker
- tools, techniques, and procedures, and generate alerts when these
- are observed in collected sensor data.
-
- 
-
-Machine investigation capabilities in this service let you drill down
-into security alerts and understand the scope and nature of a potential
-breach. You can submit files for deep analysis and receive the results
-without leaving the [Windows Defender ATP portal](https://securitycenter.windows.com). The automated investigation and remediation capability reduces the volume of alerts by leveraging various inspection algorithms to resolve breaches.
-
-Windows Defender ATP works with existing Windows security technologies
-on machines, such as Windows Defender Antivirus, AppLocker, and Windows Defender Device Guard. It
-can also work side-by-side with third-party security solutions and
-antimalware products.
-
-Windows Defender ATP leverages Microsoft technology and expertise to
-detect sophisticated cyber-attacks, providing:
-
-- Behavior-based, cloud-powered, advanced attack detection
-
- Finds the attacks that made it past all other defenses (post breach detection), provides actionable, correlated alerts for known and unknown adversaries trying to hide their activities on machines.
-
-- Rich timeline for forensic investigation and mitigation
-
- Easily investigate the scope of breach or suspected behaviours on any machine through a rich machine timeline. File, URLs, and network connection inventory across the network. Gain additional insight using deep collection and analysis (“detonation”) for any file or URLs.
-
-- Built in unique threat intelligence knowledge base
-
- Unparalleled threat optics provides actor details and intent context for every threat intel-based detection – combining first and third-party intelligence sources.
-
-- Automated investigation and remediation
-
- Significantly reduces alert volume by leveraging inspection algorithms used by analysts to examine alerts and take remediation action.
+The Windows Defender ATP platform is where all the capabilities that are available across multiple products come together to give security operations teams the ability to effectively manage their organization's network.
## In this section
Topic | Description
:---|:---
-Get started | Learn about the minimum requirements, validate licensing and complete setup, know about preview features, understand data storage and privacy, and how to assign user access to the portal.
-[Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md) | Learn about onboarding client, server, and non-Windows machines. Learn how to run a detection test, configure proxy and Internet connectivity settings, and how to troubleshoot potential onboarding issues.
-[Understand the Windows Defender ATP portal](use-windows-defender-advanced-threat-protection.md) | Understand the Security operations, Secure Score, and Threat analytics dashboards as well as how to navigate the portal.
-Investigate and remediate threats | Investigate alerts, machines, and take response actions to remediate threats.
-API and SIEM support | Use the supported APIs to pull and create custom alerts, or automate workflows. Use the supported SIEM tools to pull alerts from the Windows Defender ATP portal.
-Reporting | Create and build Power BI reports using Windows Defender ATP data.
-Check service health and sensor state | Verify that the service is running and check the sensor state on machines.
-[Configure Windows Defender settings](preferences-setup-windows-defender-advanced-threat-protection.md) | Configure general settings, turn on the preview experience, notifications, and enable other features.
-[Access the Windows Defender ATP Community Center](community-windows-defender-advanced-threat-protection.md) | Access the Windows Defender ATP Community Center to learn, collaborate, and share experiences about the product.
-[Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md) | This section addresses issues that might arise as you use the Windows Defender Advanced Threat service.
-[Windows Defender Antivirus compatibility with Windows Defender ATP](defender-compatibility-windows-defender-advanced-threat-protection.md) | Understand how Windows Defender Antivirus integrates with Windows Defender ATP.
+[Windows Defender Security Center](windows-defender-security-center-atp.md) | Windows Defender Security Center is the portal where you can access Windows Defender Advanced Threat Protection capabilities. It gives enterprise security operations teams a single pane of glass experience to help secure networks.
+[Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) | Windows Defender Antivirus is a built-in antimalware solution that provides security and antimalware management for desktops, portable computers, and servers.
+[Windows Defender Exploit Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard) | Windows Defender Exploit Guard (Windows Defender EG) is a new set of host intrusion prevention capabilities for Windows 10, allowing you to manage and reduce the attack surface of apps used by your employees.
+[Windows Defender Application Control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control) | Windows Defender Application Control (WDAC) can help mitigate security threats by restricting the applications that users are allowed to run and the code that runs in the System Core (kernel).
+[Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) | Windows Defender Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet.
+
## Related topic
diff --git a/windows/security/threat-protection/windows-defender-atp/windows-defender-security-center-atp.md b/windows/security/threat-protection/windows-defender-atp/windows-defender-security-center-atp.md
new file mode 100644
index 0000000000..244a14ea0d
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/windows-defender-security-center-atp.md
@@ -0,0 +1,38 @@
+---
+title: Windows Defender Security Center
+description: Windows Defender Security Center is the portal where you can access Windows Defender Advanced Threat Protection.
+keywords: windows, defender, security, center, defender, advanced, threat, protection
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 07/01/2018
+---
+
+# Windows Defender Security Center
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+Windows Defender Security Center is the portal where you can access Windows Defender Advanced Threat Protection capabilities. It gives enterprise security operations teams a single pane of glass experience to help secure networks.
+
+## In this section
+
+Topic | Description
+:---|:---
+Get started | Learn about the minimum requirements, validate licensing and complete setup, know about preview features, understand data storage and privacy, and how to assign user access to the portal.
+[Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md) | Learn about onboarding client, server, and non-Windows machines. Learn how to run a detection test, configure proxy and Internet connectivity settings, and how to troubleshoot potential onboarding issues.
+[Understand the portal](use-windows-defender-advanced-threat-protection.md) | Understand the Security operations, Secure Score, and Threat analytics dashboards as well as how to navigate the portal.
+Investigate and remediate threats | Investigate alerts, machines, and take response actions to remediate threats.
+API and SIEM support | Use the supported APIs to pull and create custom alerts, or automate workflows. Use the supported SIEM tools to pull alerts from Windows Defender Security Center.
+Reporting | Create and build Power BI reports using Windows Defender ATP data.
+Check service health and sensor state | Verify that the service is running and check the sensor state on machines.
+[Configure Windows Defender Security Center settings](preferences-setup-windows-defender-advanced-threat-protection.md) | Configure general settings, turn on the preview experience, notifications, and enable other features.
+[Access the Windows Defender ATP Community Center](community-windows-defender-advanced-threat-protection.md) | Access the Windows Defender ATP Community Center to learn, collaborate, and share experiences about the product.
+[Troubleshoot service issues](troubleshoot-windows-defender-advanced-threat-protection.md) | This section addresses issues that might arise as you use the Windows Defender Advanced Threat service.
+
diff --git a/windows/security/wdatp/images/WDATP-components.png b/windows/security/wdatp/images/WDATP-components.png
new file mode 100644
index 0000000000..51f4335265
Binary files /dev/null and b/windows/security/wdatp/images/WDATP-components.png differ
diff --git a/windows/security/wdatp/images/wdatp-pillars.png b/windows/security/wdatp/images/wdatp-pillars.png
new file mode 100644
index 0000000000..06ad5e6ed2
Binary files /dev/null and b/windows/security/wdatp/images/wdatp-pillars.png differ
diff --git a/windows/security/wdatp/images/wdatp-pillars2.png b/windows/security/wdatp/images/wdatp-pillars2.png
new file mode 100644
index 0000000000..bbe88f3638
Binary files /dev/null and b/windows/security/wdatp/images/wdatp-pillars2.png differ
diff --git a/windows/security/wdatp/index.md b/windows/security/wdatp/index.md
new file mode 100644
index 0000000000..cb401fa3e4
--- /dev/null
+++ b/windows/security/wdatp/index.md
@@ -0,0 +1,48 @@
+---
+title: Windows Defender Advanced Threat Protection
+description: Windows Defender Advanced Threat Protection is an enterprise security service that helps detect and respond to possible cybersecurity threats related to advanced persistent threats.
+keywords: introduction to Windows Defender Advanced Threat Protection, introduction to Windows Defender ATP, cybersecurity, advanced persistent threat, enterprise security, machine behavioral sensor, cloud security, analytics, threat intelligence
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.date: 06/04/2018
+---
+
+# Windows Defender Advanced Threat Protection
+
+Windows Defender Advanced Threat Protection (Windows Defender ATP)is a unified platform for preventative protection, post-breach detection, automated investigation and response, employing intelligent protection to protect endpoints from cyber threats.
+
+
+
+
+**Attack surface reduction**
+The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations.
+
+**Next generation protection**
+To further reinforce the security perimeter of your network, Windows Defender ATP uses next generation protection designed to catch all types of emerging threats.
+
+**Endpoint detection and response**
+Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars.
+
+**Auto investigation and remediation**
+In conjunction with being able to quickly respond to advanced attacks, Windows Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
+
+**Security posture**
+Windows Defender ATP also provides a security posture capability to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security state of your network.
+
+**Management and APIs**
+Windows Defender ATP provides integrated configuration management in the cloud. The service also supports third-party mobile device management (MDM) tools, cross-platform support, and APIs that allow customers to create custom threat intelligence and automate workflows.
+
+Understand how capabilities align within the Windows Defender ATP suite offering:
+
+
+ Attack surface reduction | Next generation protection | Endpoint detection and response | Auto investigation and remediation | Security posture
+:---|:---|:---|:---|:---
+ [Hardware based isolation](https://docs.microsoft.com/en-us/windows/security/hardware-protection/)
[Application control](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)
[Exploit protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard)
[Network protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard)
[Controlled folder access](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard) | [Machine learning](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus)
[Antivirus](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)
[Threat intelligence](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection)
[Sandbox service](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection#deep-analysis) | [Response containment](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection)
[Realtime and historical threat hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection)
[Threat intelligence and custom detections](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection) | [Forensic collection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection#collect-investigation-package-from-machines)
[Response orchestration](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection)
[Historical endpoint data](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection#machine-timeline)
[Artificial intelligence response playbooks](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) | [Asset inventory](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)
[Operating system baseline compliance](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)
[Recommended improvement actions](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection#improvement-opportunities)
[Secure score](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)
[Threat analytics](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection)
[Reporting and trends](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection)
+
+These capabilities are available across multiple products that make up the Windows Defender ATP platform. For more information on how to leverage all the Windows Defender ATP capabilities, see [Threat protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/index).
+
+