Merge branch 'device-guard' of https://cpubwin.visualstudio.com/_git/it-client into vsts12911015

This commit is contained in:
Justin Hall 2017-10-11 09:22:45 -07:00
commit 4ec6628a97
106 changed files with 1048 additions and 1387 deletions

View File

@ -76,6 +76,11 @@
"redirect_document_id": true "redirect_document_id": true
}, },
{ {
"source_path": "devices/surface/surface-diagnostic-toolkit.md",
"redirect_url": "/surface/index",
"redirect_document_id": true
},
{
"source_path": "devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md", "source_path": "devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md",
"redirect_url": "/surface-hub/finishing-your-surface-hub-meeting", "redirect_url": "/surface-hub/finishing-your-surface-hub-meeting",
"redirect_document_id": true "redirect_document_id": true

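Review bot: The new redirect entry sends devices/surface/surface-diagnostic-toolkit.md to /surface/index, a page from which this same commit removes the toolkit row, so a reader following an old link lands on the library index with no explanation. Consider pointing redirect_url at the change history topic (change-history-for-surface.md), whose October 2017 entry states that the toolkit is no longer available for download, or confirm that the index is the intended landing page.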
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: surfacehub ms.pagetype: surfacehub
author: jdeckerms author: jdeckerms
ms.author: jdecker ms.author: jdecker
ms.date: 09/25/2017 ms.date: 10/05/2017
ms.localizationpriority: medium ms.localizationpriority: medium
--- ---
@ -16,6 +16,12 @@ ms.localizationpriority: medium
This topic lists new and updated topics in the [Surface Hub Admin Guide]( surface-hub-administrators-guide.md). This topic lists new and updated topics in the [Surface Hub Admin Guide]( surface-hub-administrators-guide.md).
## Octoboer 2017
New or changed topic | Description |
--- | ---
[Install apps on your Microsoft Surface Hub](install-apps-on-surface-hub.md) | Updated instructions to use Windows Team device family
## September 2017 ## September 2017
New or changed topic | Description New or changed topic | Description
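Review bot: The added heading is misspelled: "## Octoboer 2017" should read "## October 2017". The new table's header row also ends with a trailing pipe ("New or changed topic | Description |"), unlike its own separator row and the September table's header below; drop the trailing pipe so the tables in this topic stay consistent.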

Binary file not shown.

Size: 37 KiB

View File

@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: surfacehub, store ms.pagetype: surfacehub, store
author: jdeckerms author: jdeckerms
ms.author: jdecker ms.author: jdecker
ms.date: 06/19/2017 ms.date: 10/05/2017
ms.localizationpriority: medium ms.localizationpriority: medium
--- ---
@ -18,8 +18,8 @@ ms.localizationpriority: medium
You can install additional apps on your Surface Hub to fit your team or organization's needs. There are different methods for installing apps depending on whether you are developing and testing an app, or deploying a released app. This topic describes methods for installing apps for either scenario. You can install additional apps on your Surface Hub to fit your team or organization's needs. There are different methods for installing apps depending on whether you are developing and testing an app, or deploying a released app. This topic describes methods for installing apps for either scenario.
A few things to know about apps on Surface Hub: A few things to know about apps on Surface Hub:
- Surface Hub only runs [Universal Windows Platform (UWP) apps](https://msdn.microsoft.com/windows/uwp/get-started/whats-a-uwp). Apps created using the [Desktop App Converter](https://docs.microsoft.com/windows/uwp/porting/desktop-to-uwp-run-desktop-app-converter) will not run on Surface Hub. See a [list of apps that work with Surface Hub](https://www.microsoft.com/surface/support/surface-hub/surface-hub-apps). - Surface Hub only runs [Universal Windows Platform (UWP) apps](https://msdn.microsoft.com/windows/uwp/get-started/whats-a-uwp). Apps created using the [Desktop App Converter](https://docs.microsoft.com/windows/uwp/porting/desktop-to-uwp-run-desktop-app-converter) will not run on Surface Hub. See a [list of apps that work with Surface Hub](https://support.microsoft.com/help/4040382/surface-Apps-that-work-with-Microsoft-Surface-Hub).
- Apps must be targeted for the [Universal device family](https://msdn.microsoft.com/library/windows/apps/dn894631). - Apps must be targeted for the [Universal device family](https://msdn.microsoft.com/library/windows/apps/dn894631) or Windows Team device family.
- By default, apps must be Store-signed to be installed. During testing and development, you can also choose to run developer-signed UWP apps by placing the device in developer mode.- When submitting an app to the Microsoft Store, developers need to set Device family availability and Organizational licensing options to make sure an app will be available to run on Surface Hub. - By default, apps must be Store-signed to be installed. During testing and development, you can also choose to run developer-signed UWP apps by placing the device in developer mode.- When submitting an app to the Microsoft Store, developers need to set Device family availability and Organizational licensing options to make sure an app will be available to run on Surface Hub.
- You need admin credentials to install apps on your Surface Hub. Since the device is designed to be used in communal spaces like meeting rooms, people can't access the Microsoft Store to download and install apps. - You need admin credentials to install apps on your Surface Hub. Since the device is designed to be used in communal spaces like meeting rooms, people can't access the Microsoft Store to download and install apps.
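Review bot: The text added to the device-family bullet, "or Windows Team device family", names the family differently from the option this commit adds to the submission steps ("Windows 10 Team"), and unlike the Universal device family it carries no link. Use one name throughout so an admin can match the requirement to the Dev Center option. While this list is being edited, the Store-signed bullet still runs into the next one ("developer mode.- When submitting an app"); the second bullet needs its own line to render as a list item.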
@ -56,11 +56,12 @@ During app submission, developers need to set **Device family availability** and
**To set device family availability** **To set device family availability**
1. On the [Windows Dev Center](https://developer.microsoft.com), navigate to your app submission page. 1. On the [Windows Dev Center](https://developer.microsoft.com), navigate to your app submission page.
2. Select **Packages**. 2. Select **Packages**.
3. Under Device family availability, select these options: 3. Under **Device family availability**, select these options:
- **Windows 10 Desktop** (other device families are optional)
- **Windows 10 Team**
- **Let Microsoft decide whether to make the app available to any future device families** - **Let Microsoft decide whether to make the app available to any future device families**
![Image showing Device family availability page - part of Microsoft Store app submission process.](images/sh-device-family-availability.png) ![Image showing Device family availability page - part of Microsoft Store app submission process.](images/device-family.png)
For more information, see [Device family availability](https://msdn.microsoft.com/windows/uwp/publish/upload-app-packages#device-family-availability). For more information, see [Device family availability](https://msdn.microsoft.com/windows/uwp/publish/upload-app-packages#device-family-availability).
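Review bot: In step 3, the parenthetical on the added bullet "**Windows 10 Desktop** (other device families are optional)" is ambiguous because "**Windows 10 Team**" follows as its own bullet, so it can be read as making Team optional too. Move the remark into a sentence after the list that says which selections Surface Hub needs. The image reference also changes from images/sh-device-family-availability.png to images/device-family.png; confirm the old image is removed in this commit or is still referenced elsewhere.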
@ -126,7 +127,7 @@ To deploy apps to a large number of Surface Hubs in your organization, use a sup
|-----------------------------|----------------------------------------| |-----------------------------|----------------------------------------|
| On-premises MDM with System Center Configuration Manager (beginning in version 1602) | Yes | | On-premises MDM with System Center Configuration Manager (beginning in version 1602) | Yes |
| Hybrid MDM with System Center Configuration Manager and Microsoft Intune | Yes | | Hybrid MDM with System Center Configuration Manager and Microsoft Intune | Yes |
| Microsoft Intune standalone | No | | Microsoft Intune standalone | Yes |
| Third-party MDM provider | Check to make sure your MDM provider supports deploying offline-licensed app packages. | | Third-party MDM provider | Check to make sure your MDM provider supports deploying offline-licensed app packages. |
**To deploy apps remotely using System Center Configuration Manager (either on-prem MDM or hybrid MDM)** **To deploy apps remotely using System Center Configuration Manager (either on-prem MDM or hybrid MDM)**
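Review bot: The "Microsoft Intune standalone" row flips from No to Yes with no qualifier, while the Configuration Manager row above it carries a version note ("beginning in version 1602"). If standalone Intune support for offline-licensed app deployment depends on a particular release, state that in the row. The October 2017 change history entry for this topic only mentions the Windows Team device family update, so this support change should be recorded there as well.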

View File

@ -24,7 +24,6 @@
### [Enroll and configure Surface devices with SEMM](enroll-and-configure-surface-devices-with-semm.md) ### [Enroll and configure Surface devices with SEMM](enroll-and-configure-surface-devices-with-semm.md)
### [Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md) ### [Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md)
### [Use System Center Configuration Manager to manage devices with SEMM](use-system-center-configuration-manager-to-manage-devices-with-semm.md) ### [Use System Center Configuration Manager to manage devices with SEMM](use-system-center-configuration-manager-to-manage-devices-with-semm.md)
## [Surface Diagnostic Toolkit](surface-diagnostic-toolkit.md)
## [Surface Data Eraser](microsoft-surface-data-eraser.md) ## [Surface Data Eraser](microsoft-surface-data-eraser.md)
## [Top support solutions for Surface devices](support-solutions-surface.md) ## [Top support solutions for Surface devices](support-solutions-surface.md)
## [Change history for Surface documentation](change-history-for-surface.md) ## [Change history for Surface documentation](change-history-for-surface.md)

View File

@ -11,6 +11,12 @@ author: jdeckerms
This topic lists new and updated topics in the Surface documentation library. This topic lists new and updated topics in the Surface documentation library.
## October 2017
New or changed topics | Description
--- | ---
Microsoft Surface Diagnostic Toolkit | Topic removed. The Microsoft Surface Diagnostic Toolkit is no longer available for download.
## September 2017 ## September 2017
New or changed topic | Description New or changed topic | Description
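Review bot: The new October table header reads "New or changed topics | Description", while the September table directly below uses the singular "New or changed topic". Match the existing header so the change history tables stay uniform.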

View File

@ -28,7 +28,6 @@ For more information on planning for, deploying, and managing Surface devices in
| [Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices](enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md) | Find out how to enable support for PEAP, EAP-FAST, or Cisco LEAP protocols on your Surface device. | | [Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices](enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md) | Find out how to enable support for PEAP, EAP-FAST, or Cisco LEAP protocols on your Surface device. |
| [Manage Surface UEFI settings](manage-surface-uefi-settings.md) | Use Surface UEFI settings to enable or disable devices, configure security settings, and adjust Surface device boot settings. | | [Manage Surface UEFI settings](manage-surface-uefi-settings.md) | Use Surface UEFI settings to enable or disable devices, configure security settings, and adjust Surface device boot settings. |
| [Surface Enterprise Management Mode](surface-enterprise-management-mode.md) | See how this feature of Surface devices with Surface UEFI allows you to secure and manage firmware settings within your organization. | | [Surface Enterprise Management Mode](surface-enterprise-management-mode.md) | See how this feature of Surface devices with Surface UEFI allows you to secure and manage firmware settings within your organization. |
| [Surface Diagnostic Toolkit](surface-diagnostic-toolkit.md) | Find out how you can use the Microsoft Surface Diagnostic Toolkit to test the hardware of your Surface device. |
| [Surface Data Eraser](microsoft-surface-data-eraser.md) | Find out how the Microsoft Surface Data Eraser tool can help you securely wipe data from your Surface devices. | | [Surface Data Eraser](microsoft-surface-data-eraser.md) | Find out how the Microsoft Surface Data Eraser tool can help you securely wipe data from your Surface devices. |
| [Top support solutions for Surface devices](support-solutions-surface.md) | These are the top Microsoft Support solutions for common issues experienced using Surface devices in an enterprise. | | [Top support solutions for Surface devices](support-solutions-surface.md) | These are the top Microsoft Support solutions for common issues experienced using Surface devices in an enterprise. |
| [Change history for Surface documentation](change-history-for-surface.md) | This topic lists new and updated topics in the Surface documentation library. | | [Change history for Surface documentation](change-history-for-surface.md) | This topic lists new and updated topics in the Surface documentation library. |

View File

@ -34,7 +34,7 @@ Compatible Surface devices include:
- Surface Pro 4 - Surface Pro 4
- Surface Pro3 - Surface Pro 3
- Surface 3 - Surface 3

View File

@ -1,563 +0,0 @@
---
title: Microsoft Surface Diagnostic Toolkit (Surface)
description: Find out how you can use the Microsoft Surface Diagnostic Toolkit to test the hardware of your Surface device.
ms.assetid: FC4C3E76-3613-4A84-A384-85FE8809BEF1
keywords: hardware, device, tool, test, component
ms.localizationpriority: high
ms.prod: w10
ms.mktglfcycl: manage
ms.pagetype: surface, devices
ms.sitesec: library
author: miladCA
---
# Microsoft Surface Diagnostic Toolkit
Find out how you can use the Microsoft Surface Diagnostic Toolkit to test the hardware of your Surface device.
The [Microsoft Surface Diagnostic Toolkit](https://www.microsoft.com/download/details.aspx?id=46703) is a small, portable diagnostic tool that runs through a suite of tests to diagnose the hardware of Surface devices. The Microsoft Surface Diagnostic Toolkit executable file is less than 3 MB, which allows it to be distributed through email. It does not require installation, so it can be run directly from a USB stick or over the network. The Microsoft Surface Diagnostic Toolkit walks you through several tests of individual components including the touchscreen, cameras, and sensors.
>[!NOTE]
>A Surface device must boot into Windows to run the Microsoft Surface Diagnostic Toolkit. The Microsoft Surface Diagnostic Toolkit will run only on the following Surface devices:
>- Surface Studio
>- Surface Book
>- Surface Pro 4
>- Surface 3 LTE
>- Surface 3
>- Surface Pro 3
>- Surface Pro 2
>- Surface Pro
>[!NOTE]
>Security software and built-in security measures in many email applications and services will block executable files that are transferred through email. To email the Surface Diagnostic Toolkit, attach the archive file (.zip) as downloaded from the Surface Tools for IT page without extracting it first. You can also create a custom .zip archive that contains the .exe file. (For example, if you want to localize the text as described in the [Localization](#localization) section of this article.)
Running the Microsoft Surface Diagnostic Toolkit is a hands-on activity. The test sequence includes several tests that require you to perform actions or observe the outcome of the test, and then click the applicable **Pass** or **Fail** button. Some tests require connectivity to external devices, like an external display. Other tests use the built in Windows troubleshooters. At the end of testing, a visual report of the test results is displayed and you are given the option to save a log file or copy the results to the clipboard.
To run a full set of tests with the Microsoft Surface Diagnostic Toolkit, you should be prepared with the following items:
- An external display with the appropriate HDMI or DisplayPort connection
- A Bluetooth device that can be put into pairing mode
- A MicroSD or SD card that is compatible with your Surface device
- A Surface Pen
- Room to move the Surface device around
- External speakers or headphones with a 3.5mm stereo plug
- A power adapter for your Surface device
>[!NOTE]
>The Microsoft Surface Diagnostic Toolkit tests verify only the hardware of a Surface device and do not resolve issues with the operating system or software.
## Configure test options
Before you select the tests you want to run, you can click the Tools ![images\surface-diagnostic-kit-gear-icon.png](images\surface-diagnostic-kit-gear-icon.png) button in the upper right corner of the window (as shown in Figure 1) to access the Options section of the Microsoft Surface Diagnostic Toolkit. In the Options section, you can configure the depth of testing and logs, as well as the save location for log files. You can also create and use additional language files for the dialog of each test.
![Tools button highlighted in upper right corner of window](images\surface-diagnostic-kit-fig1-options.png "Tools button highlighted in upper right corner of window")
*Figure 1. The Tools button highlighted in upper right corner of window*
>[!NOTE]
>Any options you want to select must be specified before you run the tests. You cannot change the test options after the testing sequence has started.
####Test depth
You can quickly select among three modes for testing and diagnostics by using the **Test Depth** page. The **Test Depth** page displays a slider with three possible positions, as shown in Figure 2. These positions determine which tests are run and what information is recorded without requiring you to select specific tests with the **Run Specific Tests** button. The three modes allow you to focus the tests of the Microsoft Surface Diagnostic Toolkit on hardware, software, or both hardware and software.
![Screen that displays Test Depth slider to select depth of data collection](images/surface-diagnostic-kit-fig2-testdepth.png "Screen that displays Test Depth slider to select depth of data collection")
*Figure 2. The Test Depth slider to select the depth of data collection*
When you select a mode by using the Test Depth slider, a configuration file (.ini) with the same name as the Microsoft Surface Diagnostic Toolkit executable (.exe) file is created in the same folder. For example, if the Microsoft Surface Diagnostic Toolkit executable file is SurfaceDiagnosticToolkit.exe, the configuration file will be SurfaceDiagnosticToolkit.ini. When the executable file is run, the options will be automatically set by the configuration file. To run the Microsoft Surface Diagnostic Toolkit in a specific mode on multiple devices, ensure that the .ini file remains in the same folder with the .exe file used on each device.
When you run the Microsoft Surface Diagnostic Toolkit, you can still use the **Run Specific Tests** button to enable or disable specific tests. The tests selected on the **Please Select Tests to Run** page take priority over the tests enabled or disabled by the mode specified on the **Test Depth** page. When a mode is selected the tests that are applicable to that mode will be enabled by default and the tests that are not required for that mode will be disabled.
Each mode has a specific focus and records a different level of information in the log files, as follows:
* **Hardware and Software Focus.** This is the default mode for the Microsoft Surface Diagnostic Toolkit. In this mode all tests that are applicable to the device are run. This mode logs the most information and takes the most time.
* **Software Experience Focus.** This mode collects information about the device and records it in the log file. No hardware tests are performed in this mode. The following tests are run in this mode:
* Windows Update Check Test
* Device Information Test
* System Assessment Test
* Crash Dump Collection Test
* Modern Standby Test
* **Hardware Validation Focus.** This mode tests the hardware of the device but does not collect system log files or device information. All diagnostic tests relevant to the device hardware are run in this mode. The exact tests that are run will vary from device to device depending on the hardware configuration. This mode logs the least information and requires the least amount of time.
####Save location
Use the **Browse** button on the **Save Location** page to select a default location for the Microsoft Surface Diagnostic Toolkit log files to be saved. When the tests complete the user will still be prompted to save a log file and a log file will not be saved automatically. The user must still click the **Save to File** button to save the log files. As with the Test Depth mode, this save location is stored in the Microsoft Surface Diagnostic Toolkit configuration (.ini) file and if the file does not exist, configuring this option will generate the file.
####Additional language
Refer to the [Localization](#localization) section of this article for information about how to customize the dialog displayed during each test. On the **Additional Language** page, you can generate a localization file that you can use to customize the dialog during each test. You can also specify a specific localization file to be used with the Microsoft Surface Diagnostic Toolkit with the **Browse** button.
####Feedback
You can use the form on the **Feedback** page to inform the product team of any problems that you encounter with the Microsoft Surface Diagnostic Toolkit or to provide any suggestions for how the Microsoft Surface Diagnostic Toolkit could be improved.
## The tests
The Microsoft Surface Diagnostic Toolkit runs several individual tests on a Surface device. Not all tests are applicable to every device. For example, the Home button test is not applicable to Surface Pro 4 where there is no Home button. You can specify which tests to run, or you can choose to run all tests. For tests that require external devices (such as testing output to an external display) but you do not have the required external device at the time of the test, you are given the option to skip the test. If a test fails, you are prompted to continue or stop testing at that time.
When the testing completes, the **Test Results** page is displayed (as shown in Figure 3) and shows the status of each test: passed, failed, or inconclusive (skipped). You can choose to run the tests again; to save a log file, including any additional log files gathered by tests; or to copy the log file text to the clipboard.
![Sample display of Test Results page](images/surface-diagnostic-kit-fig3-results.png "Sample display of Test Results page")
*Figure 3. View of the results of the tests*
When the tests have completed, you can also add additional notes to the log files by clicking **Add additional feedback to results ->** on the **Test Results** page. Use the **Type any additional feedback about these tests** field on the **Test Results** page to add your notes, as shown in Figure 4.
![Window that shows where you can add notes to a log file](images/surface-diagnostic-kit-fig4-notes.png "Window that shows where you can add notes to a log file")
*Figure 4. Add notes to the log file*
Notes that you type on this page are displayed in the log files after the results of the selected tests and before the **Files** section. The section header in the log files for these notes is named **User Feedback**.
#### Windows Update
This test checks for any outstanding Windows updates and will prompt you to install those updates before you proceed to other tests. It is important to keep a Surface device up to date with the latest Windows updates, including drivers and firmware for the Surface device. The success of some of the tests that are performed later in the task sequence depend on these updated drivers and firmware. You will be prompted to restart the device if required by Windows Update. If you must restart the device, you will need to start the Microsoft Surface Diagnostic Toolkit again.
#### Device information
This test reads the Device ID and serial number in addition to basic system information such as device model, operating system version, processor, memory, and storage. The Device ID is recorded in the name of the log file and can be used to identify a log file for a specific device. Several system log files are also collected, including update and rollback logs, and output from several Windows built-in tools, such as [DirectX Diagnostics](https://support.microsoft.com/en-us/products/windows?os=windows-10) and [System Information](https://technet.microsoft.com/library/cc731397), power configuration, disk health, and event logs. See the following list for a full set of collected log files:
- Output of **Get-WindowsUpdateLog** if the operating system is Windows 10
- **%windir%\\Logs**
- **%windir%\\Panther**
- **%windir%\\System32\\sysprep\\Panther**
- **%windir%\\System32\\WinEvt\\Logs**
- **$windows.~bt\\Sources\\Panther**
- **$windows.~bt\\Sources\\Rollback**
- **%windir%\\System32\\WinEvt\\Logs**
- Output of **dxdiag.exe /t**
- Output of **msinfo32.exe /report**
- Output of **powercfg.exe /batteryreport**
- Output of **powercfg.exe /sleepstudy**
- Output of **wevtutil.exe epl System**
- Events from:
- **Chkdsk**
- **Microsoft-Windows-Ntfs**
- **Microsoft-Windows-WER-SystemErrorReporting**
- **Microsoft-Windows-Startuprepair**
- **Microsoft-Windows-kernel-Power**
- Output of **powercfg.exe /q**
- Output of **powercfg.exe /qh**
- **%windir%\\Inf\\SetupApi\*.log**
These files and logs are stored in a .zip file saved by the Microsoft Surface Diagnostic Toolkit when all selected tests have completed alongside the Microsoft Surface Diagnostic Toolkit log file.
#### Type Cover test
>[!NOTE]
>A Surface Type Cover is required for this test.
If a Surface Type Cover is not detected, the test prompts you to connect the Type Cover. When a Type Cover is detected the test prompts you to use the keyboard and touchpad. The cursor should move while you swipe the touchpad, and the keyboard Windows key should bring up the Start menu or Start screen to successfully pass this test. You can skip this test if a Type Cover is not used with the Surface device.
#### Integrated keyboard test
>[!NOTE]
>This test is only applicable to Surface Book and requires that the Surface Book be docked to the keyboard.
This test is essentially the same as the Type Cover test, except the integrated keyboard in the Surface Book base is tested rather than the Type Cover. During the first stage of this test a diagram of the keyboard is displayed. When you press a key, the corresponding key will be marked on the diagram. The test will proceed when every key in the diagram is marked. In the second stage of this test, you are prompted to make several gestures on the keypad. As you perform each gesture (for example, a three finger tap), the gesture will be marked on the screen. When you have performed all gestures, the test will automatically complete.
>[!NOTE]
>The F-keys on the diagram require that you press the Function (FN) key simultaneously to activate them. By default, these keys perform other actions. For the Home and End keys, you must press the same keys as F8 and F9, but without the Function (FN) key pressed.
#### Canvas mode battery test
>[!NOTE]
>This test is only applicable to Surface Book.
Depending on which mode Surface Book is in, different batteries are used to power the device. When Surface Book is in clipboard mode (detached form the keyboard) it uses an internal battery, and when it is connected in either laptop mode or canvas mode it uses different connections to the battery in the keyboard. In canvas mode, the screen is connected to the keyboard so that when the device is closed, the screen remains face-up and visible. Connect the Surface Book to the keyboard in this manner for the test to automatically proceed.
#### Clipboard mode battery test
>[!NOTE]
>This test is only applicable to Surface Book.
Disconnect the Surface Book from the keyboard to work in clipboard mode. In clipboard mode the Surface Book operates from an internal battery that is tested when the Surface Book is disconnected from the keyboard. Disconnecting the Surface Book from the keyboard will also disconnect the Surface Book from power and will automatically begin this test.
#### Laptop mode battery test
>[!NOTE]
>This test is only applicable to Surface Book.
Connect the Surface Book to the keyboard in the opposite fashion to canvas mode in laptop mode. In laptop mode the screen will face you when the device is open and the device can be used in the same way as any other laptop. Disconnect AC Power from the laptop base when prompted for this test to check the battery status.
#### Battery test
In this test the battery is discharged for a few seconds and tested for health and estimated runtime. You are prompted to disconnect the power adapter and then to reconnect the power adapter when the test is complete.
#### Discrete graphics (dGPU) test
>[!NOTE]
>This test is only applicable to Surface Book models with a discrete graphics processor.
This test will query the device information of current hardware to check for the presence of both the Intel integrated graphics processor in the Surface Book and the NVIDIA discrete graphics processor in the Surface Book keyboard. The keyboard must be attached for this test to function.
#### Discrete graphics (dGPU) fan test
>[!NOTE]
>This test is only applicable to Surface Book models with a discrete graphics processor.
The discrete graphics processor in the Surface Book includes a separate cooling fan. The fan is turned on automatically by the test for 5 seconds. Listen for the sound of the fan in the keyboard and report if the fan is working correctly when prompted.
#### Muscle wire test
>[!NOTE]
>This test is only applicable to Surface Book.
To disconnect the Surface Book from the keyboard, software must instruct the muscle wire latch mechanism to open. This is typically accomplished by pressing and holding the undock key on the keyboard. This test sends the same signal to the latch, which unlocks the Surface Book from the Surface Book keyboard. Remove the Surface Book from the keyboard when you are prompted to do so.
#### Dead pixel and display artifacts tests
>[!NOTE]
>Before you run this test, be sure to clean the screen of dust or smudges.
This test prompts you to view the display in search of malfunctioning pixels. The test displays full-screen, single-color images including black, white, red, green, and blue. Pixels that remain bright or dark when the screen displays an image of a different color indicate a failed test. You should also look for distortion or variance in the color of the screen.
#### Digitizer edges
The touchscreen of a Surface device should detect when a user swipes in from the left or right side of the screen. This test prompts you to swipe in from the edges of the screen to bring up the Action Center and Task View. Both Action Center and Task View should launch to pass this test.
#### Digitizer pinch
The pinch gesture (when you bring two fingers closer together or farther apart) is used to manipulate zoom and to position content through the touchscreen. This test displays an image in Windows Picture Viewer and prompts you to zoom in, move, and zoom out of the picture. The picture should zoom in, move, and zoom out as the gestures are performed.
#### Digitizer touch
The Surface touchscreen should detect input across the entire screen of the device equally. To perform this test a series of lines are displayed on the screen for you to trace with a finger in search of unresponsive areas. The lines traced across the screen should appear continuous for the length of the line as drawn with your finger.
#### Digitizer pen test
>[!NOTE]
>A Microsoft Surface Pen is required for this test.
This test displays the same lines as those that are displayed during the Digitizer Touch test, but your input is performed with a Surface Pen instead of your finger. The lines should remain unbroken for as long as the Pen is pressed to the screen. Trace all of the lines in the image to look for unresponsive areas across the entire screen of the Surface device.
#### Digitizer multi touch
The Surface touchscreen is capable of detecting 10 fingers simultaneously. Place all of your fingers on the screen simultaneously to perform this test. The screen will show the number of points detected, which should match the number of fingers you have on the screen.
#### Home button test
The Home button or Windows button on your Surface device is used to bring up the Start screen or Start menu. This test is successful if the Start screen or Start menu is displayed when the Windows button is pressed. This test is not displayed on Surface Pro 4 because no Windows button exists.
#### Volume rocker test
This test prompts you to use the volume rocker to turn the volume all the way up, all the way down, and then all the way up again. To pass this test, the volume slider should move up and down as the rocker is pressed.
#### Micro SD or SD slot test
>[!NOTE]
>This test requires a micro SD or SD card that is compatible with the slot in your Surface device.
Insert a micro SD or SD card when you are prompted. When the SD card is detected, the test prompts you to remove the SD card to ensure that the card is not left in the device. During this test a small file is written to the SD card and then verified. Detection and verification of the SD card automatically passes this test without additional input.
#### Microphone test
This test displays a meter that shows the microphone sound level and records audio for a short period of time. Say a few words or make noise and make note that the meter displays the sound level accordingly. A countdown timer is displayed to indicate how much time is remaining for you to record sound. When the countdown timer expires, the recorded audio is played back. Verify that the words or noises sound clear and accurate, and then mark the test as passed or failed depending on the results.
#### Video out test
>[!NOTE]
>This test requires an external display with the applicable connection for your Surface device.
Surface devices provide a Mini DisplayPort connection for connecting to an external display. Connect your display through the Mini DisplayPort on the device when prompted. The display should be detected automatically and an image should appear on the external display.
#### Bluetooth test
>[!NOTE]
>This test requires a Bluetooth device. The device must be set to pairing mode or made discoverable to perform this test.
After you receive a prompt to put the device in pairing mode, the test opens the **Add a device** window and begins to search for discoverable Bluetooth devices. Watch the **Add a device** window to verify that your Bluetooth device is detected. Select your Bluetooth device from the list and connect to the device to complete the test.
#### Camera test
Use this test to verify that the cameras on your Surface device are operating properly. Images will be displayed from both the front and rear cameras, and the infrared camera on a Surface Pro 4. Continuous autofocus can be enabled on the rear camera. Move the device closer and farther away from an object to verify the operation of continuous autofocus.
>[!NOTE]
>You can also use the **Snapshot to Logs** option to save a snapshot of the video output to the log files.
#### Speaker test
>[!NOTE]
>Headphones or external speakers are required to test the headphone jack in this test.
This test plays audio over left and right channels respectively, both for the internal speakers and for speakers or headphones connected through the headphone jack. Plug in your headphones or speakers to the 3.5mm stereo jack when prompted. The test will automatically detect that a sound playback device has been connected. Mark each channel as a pass or fail as you hear the audio play through the speakers or headphones.
#### Network test
>[!NOTE]
>Connect the Surface device to a Wi-Fi network before you run this test. Connections that are made during the test are removed when the test is completed.
This test uses the Windows Network Diagnostics built in troubleshooter to diagnose potential issues with network connectivity, including proxy configuration, DNS problems, and IP address conflicts. An event log is saved by this test in Windows logs and is visible in the Windows Event Viewer. The Event ID is 6100.
#### Power test
Settings such as display brightness, the elapsed time until the screen sleeps, and the elapsed time until device sleeps, are checked against default values with the Power built-in troubleshooter. The troubleshooter will automatically correct settings that may prevent the device from conserving power or entering sleep mode.
#### Mobile broadband test
This test prompts you to enable mobile broadband and attempts to browse to http://www.bing.com. This test is only applicable to Surface devices that come equipped with mobile broadband, such as Surface 3 LTE.
#### Accelerometer test
The accelerometer detects lateral, longitudinal, and vertical movements of the Surface device. This test prompts you to pick up and move the Surface device forward and backward, to the left and to the right, and up and down, to test the sensor for directional movement. The test automatically passes when movement is detected.
#### Gyrometer test
The gyrometer detects pitch, roll, and yaw movements. This test prompts you to pick up and rotate the Surface device to test the sensors for angular movement. The test automatically passes when movement is detected.
#### Compass test
The compass detects which direction the Surface device is facing relative to north, south, east, and west. Turn the Surface device to face in different directions to test the sensor. The test automatically passes when a change in direction is detected.
#### Ambient light test
The ambient light sensor is used to automatically adjust screen brightness relative to the ambient lighting in the environment. Turn the device toward or away from a light source to cause the screen to dim or brighten in response increased or decreased light. The test automatically passes when the screen brightness automatically changes.
>[!NOTE]
>You can also block the ambient light from the sensor by holding your hand slightly in front of the light sensor, which is located directly next to the camera. Use the provided meter to determine if you are blocking light from the sensor.
#### Device orientation test
>[!NOTE]
>Before you run this test, disable rotation lock from the Action Center if enabled.
The device orientation sensor determines what the angle of the Surface device is, relative to the ground. Rotate the display 90 degrees or 180 degrees to cause the screen orientation to switch between portrait and landscape mode. If you have a Surface Type Cover or the Surface Book keyboard connected, you will be prompted to disconnect the Surface from the keyboard to allow screen rotation. The test automatically passes when the screen orientation switches.
#### Brightness test
This test cycles the screen through brightness levels from 0 percent to 100 percent, and then a message is displayed to confirm if the brightness level changed accordingly. You are then prompted to test for brightness reaction. To test the reaction of brightness when running on battery, disconnect the power adapter. The screen should automatically dim when power is disconnected.
#### Surface Dock test
The Microsoft Surface Diagnostic Toolkit uses this test only if a Surface Dock is connected to the device. If a Surface Dock is detected, this test verifies that the Surface Dock driver firmware is updated. For more detailed analysis of Surface Dock firmware status and how to manually initiate the firmware update process, see the [Microsoft Surface Dock Updater](https://technet.microsoft.com/itpro/surface/surface-dock-updater) article.
#### System assessment
>[!NOTE]
>The Surface device must be connected to AC power before you can run this test.
The Windows System Assessment Tool (WinSAT) runs a series of benchmarks against the processor, memory, video adapter, and storage devices. The results include the processing speed of various algorithms, read and write performance of memory and storage, and performance in several Direct3D graphical tests.
#### Performance Monitor test
Performance and diagnostic trace logs are recorded from Performance Monitor for 30 seconds and collected in the .zip file output of the Microsoft Surface Diagnostic Toolkit by this test. You can analyze these trace logs with the [Windows Performance Analyzer](https://msdn.microsoft.com/windows/hardware/commercialize/test/wpt/windows-performance-analyzer) to identify causes of application crashes, performance issues, or other undesirable behavior in Windows.
#### Crash dump collection
If your Surface device has encountered an error that caused the device to fail or produce a blue screen error, this stage of the Microsoft Surface Diagnostic Toolkit records the information from the automatically recorded crash dump files in the diagnostic log. You can use these crash dump files to identify a faulty driver, hardware component, or application through analysis. Use the [Windows Debugging Tool](https://msdn.microsoft.com/library/windows/hardware/ff539316) to analyze these files. If you are not familiar with the analysis of crash dump files, you can describe your issue and post a link to your crash dump files (uploaded to OneDrive or another file sharing service) in the [Windows TechNet Forums](https://social.technet.microsoft.com/Forums/home?category=w8itpro).
#### Connected standby text
>[!NOTE]
>This test is only available on Surface devices running Windows 8 or Windows 8.1.
If connected standby is enabled on the Surface device, this test passes automatically. If connected standby is not enabled, a failure is recorded for this test. Find out more about Connected Standby and Modern Standby at [Modern Standby](https://msdn.microsoft.com/library/windows/hardware/mt282515) on MSDN.
#### Modern standby test
>[!NOTE]
>This test is only available on Surface devices running Windows 10.
This test records log files of the power configuration for the Surface device using the **powercfg.exe /a** command. The test completes automatically and a failure is only recorded if the command does not run.
## Command line
You can run the Microsoft Surface Diagnostic Toolkit from the command line or as part of a script. The tool supports the following arguments:
>[!NOTE]
>Many of the tests performed by the Microsoft Surface Diagnostic Toolkit require technician interaction. The Microsoft Surface Diagnostic Toolkit cannot run unattended.
#### exclude
Use this argument to exclude specific tests.
Example:
```
Surface_Diagnostic_Toolkit_1.0.60.0.exe “exclude=BatteryTest,CameraTest”
```
See the following list for test names:
- AccelerometerTest
- AmbientLightSensorTest
- BatteryTest
- BluetoothTest
- BrightnessTest
- CameraTest
- CanvasModeBatteryTest
- ChargingTest
- ClipboardModeBatteryTest
- CrashDumpCollectionTest
- DeadPixelDetectionTest
- DeviceInformationTest
- DeviceOrientationTest
- DigitalCompassSensorTest
- DigitizerEdgeTest
- DigitizerMultiTouchTest
- DigitizerPenCoverageTest
- DigitizerPinchTest
- DigitizerTouchCoverageTest
- DisplayArtifactsTest
- DualGraphicsTest
- FanTest
- GyrometerSensorTest
- HomeButtonTest
- IntegratedKeyboardTest
- LaptopModeBatteryTest
- MicrophoneTest
- MicroSdCardTest
- MobileBroadbandTest
- MuscleWireTest
- NetworkTest
- PenTest
- PerformanceMonitorTest
- PowerTest
- SdCardTest
- SpeakerTest
- SystemAssessmentTest
- TypeCoverTest
- VideoOutTest
- VolumeRockerTest
- WindowsUpdateCheckTest
#### forceplatformsupport
Use this argument to force tests to run when the make and model of the device is not properly detected by Windows. Surface Diagnostic Toolkit is intended to run only on Surface devices.
Example:
```
Surface_Diagnostic_Toolkit_1.0.60.0.exe forceplatformsupport
```
#### include
Use this argument to include tests when you run Microsoft Surface Diagnostic Toolkit from the command line. Tests specified by the **Include** command will be run even if the test is not supported on the model of Surface device. In the following example, the Surface Book specific tests for the latch mechanism and discrete graphics will be run, even if the command is run on a Surface Pro 4 or other Surface model.
Example:
```
Surface_Diagnostic_Toolkit_1.0.60.0.exe “include=DualGraphicsTest,FanTest,MuscleWireTest”
```
#### logpath
Use this argument to specify the path for the log file.
Example 1:
```
Surface_Diagnostic_Toolkit_1.0.60.0.exe logpath=C:\Folder
```
Example 2:
```
Surface_Diagnostic_Toolkit_1.0.60.0.exe “logpath=C:\Folder with spaces”
```
## Localization
By default, the Microsoft Surface Diagnostic Toolkit is available in English only. If you want to localize the text of the Microsoft Surface Diagnostic Toolkit prompts into another language, you can do so by creating a custom localization file. To create a new localization file (.locale), follow these steps:
1. Click the Tools ![images\surface-diagnostic-kit-gear-icon.png](images\surface-diagnostic-kit-gear-icon.png) button.
2. Click the **Additional Language** page.
3. Click the **Generate** button and the new .locale file is created.
The locale file that is created when you use these steps will have the same name as your executable file, even if it has been changed from the default. For example, if the Microsoft Surface Diagnostic Toolkit executable file is SurfaceDiagnosticToolkit.exe, the localization file would be SurfaceDiagnosticToolkit.locale. The locale file will be created in the same folder as the executable file. If a localization file with this name already exists, you will be prompted to overwrite the existing file. The file that is created when you click the **Generate** button is always generated in the default language, English.
To customize the localization file, open the file in a text or XML editor such as Notepad. To edit the dialog for each test, replace the text for each phrase tag. (For example, `<phrase key="testdialog">text</phrase>`.) To use the file automatically when you start the Microsoft Surface Diagnostic Toolkit, simply save the file with the same name it had when it was created. To save the file for use with other instances of Microsoft Surface Diagnostic Toolkit, copy the file to another location or save the file with another name.
If a localization file with the same name and in the same folder as the executable file is detected when Microsoft Surface Diagnostic Toolkit started, the alternate text specified in that localization file replaces the default dialog and prompts. If a custom localization file is not present or the file name is not the same as the executable file, the tool will default to English text. At any point you can also explicitly specify a localization file to be used by the Microsoft Surface Diagnostic Toolkit. To specify a localization file, follow these steps:
1. Click the Tools ![images\surface-diagnostic-kit-gear-icon.png](images\surface-diagnostic-kit-gear-icon.png) button.
2. Click the **Additional Language** page.
3. Click **Browse**.
4. Browse to and select your custom localization file.
A custom localization file selected through this process does not need a specific name. After you select the custom localization file, the Microsoft Surface Diagnostic Toolkit will import the contents and write them to a .locale file with the same name as the .exe file, just like if you click the **Generate** button to create a new .locale file.
>[!NOTE]
>If you import a localization file by clicking the **Browse** button, an existing localization file will be overwritten without prompting if that file has the same name as the Microsoft Surface Diagnostic Toolkit executable file.
 
 
 

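Review bot: The command-line examples under exclude, include and logpath wrap their arguments in typographic quotes (“exclude=BatteryTest,CameraTest”) instead of ASCII double quotes, so a pasted command hands the quote characters to the tool as literal text and the "Folder with spaces" path is split at the spaces. Wherever this text is kept, use straight quotes. In the same text, the heading "Connected standby text" should read "Connected standby test", and the gear-icon image links use backslash paths (images\surface-diagnostic-kit-gear-icon.png) where forward slashes are expected.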
View File

@ -139,7 +139,7 @@ Follow the steps in this section to ensure that settings for the each user follo
5. Click **Save** to update device settings. 5. Click **Save** to update device settings.
## Complete Office 365 for Education setup ## Complete Office 365 for Education setup
Now that your basic cloud infrastructure is up and running, it's time to complete the rest of the Office 365 for Education setup. You can find detailed information about completing Office 365 setup, services and applications, troubleshooting, and more by reading the <a href="https://support.office.com/en-US/Article/set-up-Office-365-for-business-6a3a29a0-e616-4713-99d1-15eda62d04fa#ID0EAAAABAAA=Education" target="_blank">Office 365 admin documentation</a>. Now that your basic cloud infrastructure is up and running, it's time to complete the rest of the Office 365 for Education setup. You can find detailed information about completing Office 365 setup, services and applications, troubleshooting, and more by reading the <a href="https://support.office.com/Article/6a3a29a0-e616-4713-99d1-15eda62d04fa#ID0EAAAABAAA=Education" target="_blank">Office 365 admin documentation</a>.
## Enable Microsoft Teams for your school ## Enable Microsoft Teams for your school
Microsoft Teams is a digital hub that brings conversations, content, and apps together in one place. Because it's built on Office 365, schools benefit from integration with their familiar Office apps and services. Your institution can use Microsoft Teams to create collaborative classrooms, connect in professional learning communities, and communicate with school staff all from a single experience in Office 365 for Education. Microsoft Teams is a digital hub that brings conversations, content, and apps together in one place. Because it's built on Office 365, schools benefit from integration with their familiar Office apps and services. Your institution can use Microsoft Teams to create collaborative classrooms, connect in professional learning communities, and communicate with school staff all from a single experience in Office 365 for Education.
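Review bot: The shortened Office 365 admin documentation link uses /Article/ with a capital A, while the other support.office.com links shortened in this commit use lowercase /article/ (for example the Add users to Office 365 link). Use the lowercase path here too so the GUID-only URLs are consistent. The #ID0EAAAABAAA=Education fragment is carried over unchanged, so confirm it still selects the Education tab now that the slug and locale are gone.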
@ -176,7 +176,7 @@ You can find more info about how to control which users in your school can use M
## Add more users ## Add more users
After your cloud infrastructure is set up and you have a device management strategy in place, you may need to add more users and you want the same policies to apply to these users. You can add new users to your tenant simply by adding them to the Office 365 groups. Adding new users to Office 365 groups automatically adds them to the corresponding groups in Intune for Education. After your cloud infrastructure is set up and you have a device management strategy in place, you may need to add more users and you want the same policies to apply to these users. You can add new users to your tenant simply by adding them to the Office 365 groups. Adding new users to Office 365 groups automatically adds them to the corresponding groups in Intune for Education.
See <a href="https://support.office.com/en-us/article/Add-users-to-Office-365-for-business-435ccec3-09dd-4587-9ebd-2f3cad6bc2bc" target="_blank">Add users to Office 365</a> to learn more. Once you're done adding new users, go to the <a href="https://intuneeducation.portal.azure.com/" target="_blank">Intune for Education console</a> and verify that the same users were added to the Intune for Education groups as well. See <a href="https://support.office.com/article/435ccec3-09dd-4587-9ebd-2f3cad6bc2bc" target="_blank">Add users to Office 365</a> to learn more. Once you're done adding new users, go to the <a href="https://intuneeducation.portal.azure.com/" target="_blank">Intune for Education console</a> and verify that the same users were added to the Intune for Education groups as well.
## Connect other devices to your cloud infrastructure ## Connect other devices to your cloud infrastructure
Adding a new device to your cloud-based tenant is easy. For new devices, you can follow the steps in [Set up Windows 10 education devices](set-up-windows-10-education-devices.md). For other devices, such as those personally-owned by teachers who need to connect to the school network to access work or school resources (BYOD), you can follow the steps in this section to get these devices connected. Adding a new device to your cloud-based tenant is easy. For new devices, you can follow the steps in [Set up Windows 10 education devices](set-up-windows-10-education-devices.md). For other devices, such as those personally-owned by teachers who need to connect to the school network to access work or school resources (BYOD), you can follow the steps in this section to get these devices connected.

View File

@ -10,7 +10,7 @@ ms.localizationpriority: high
ms.pagetype: edu ms.pagetype: edu
author: CelesteDG author: CelesteDG
ms.author: celested ms.author: celested
ms.date: 08/29/2017 ms.date: 10/04/2017
--- ---
# Get started: Deploy and manage a full cloud IT solution with Microsoft Education # Get started: Deploy and manage a full cloud IT solution with Microsoft Education
@ -40,7 +40,7 @@ With Microsoft Education, schools can:
- **Collaborate in a modern classroom** - Help students become career-ready with Office apps like Word, Excel, PowerPoint, and OneNote. Increase comprehension and outcomes with the most advanced teaching apps like integrated Learning Tools. - **Collaborate in a modern classroom** - Help students become career-ready with Office apps like Word, Excel, PowerPoint, and OneNote. Increase comprehension and outcomes with the most advanced teaching apps like integrated Learning Tools.
- **Go beyond the browser with inspiring apps for classroom learning** - Inspire with Minecraft: Education Edition and innovative apps from the Microsoft Store for Education. - **Go beyond the browser with inspiring apps for classroom learning** - Inspire with Minecraft: Education Edition and innovative apps from the Microsoft Store for Education.
Go to the <a href="https://www.microsoft.com/en-us/education" target="_blank">Microsoft Education site</a> to learn more. See <a href="https://www.microsoft.com/en-us/education/buy-license/overview-of-how-to-buy/default.aspx?tabshow=schools" target="_blank">How to buy</a> to learn about pricing and purchasing options for schools, students, and teachers as well as academic pricing and offers for qualified K-12 and higher education institutions. Go to the <a href="https://www.microsoft.com/education" target="_blank">Microsoft Education site</a> to learn more. See <a href="https://www.microsoft.com/education/buy-license/overview-of-how-to-buy/default.aspx?tabshow=schools" target="_blank">How to buy</a> to learn about pricing and purchasing options for schools, students, and teachers as well as academic pricing and offers for qualified K-12 and higher education institutions.
## What we're doing ## What we're doing
The end-to-end process for deploying and managing a full cloud IT solution with Microsoft Education is outlined here. Depending on your [setup scenario](#setup-options), you may not need to implement all these steps. The end-to-end process for deploying and managing a full cloud IT solution with Microsoft Education is outlined here. Depending on your [setup scenario](#setup-options), you may not need to implement all these steps.
@ -140,17 +140,26 @@ See the <a href="https://docs.microsoft.com/education" target="_blank">Microsoft
To learn more about the services and tools mentioned in this walkthrough, and learn what other tasks you can do, follow these links: To learn more about the services and tools mentioned in this walkthrough, and learn what other tasks you can do, follow these links:
- <a href="https://docs.microsoft.com/education/windows/education-scenarios-store-for-business" target="_blank">Working with Microsoft Store for Education</a> - <a href="https://docs.microsoft.com/education/windows/education-scenarios-store-for-business" target="_blank">Working with Microsoft Store for Education</a>
- *Resources for anyone who uses Office 365* and *Resources for admins* in <a href="https://support.office.com/en-US/article/Get-started-with-Office-365-Education-AB02ABE5-A1EE-458C-B749-5B44416CCF14" target="_blank">Get started with Office 365 for Education</a> - *Resources for anyone who uses Office 365* and *Resources for admins* in <a href="https://support.office.com/article/AB02ABE5-A1EE-458C-B749-5B44416CCF14" target="_blank">Get started with Office 365 for Education</a>
- School Data Sync deployment options - School Data Sync deployment options
- Deployment using CSV files: <a href="https://aka.ms/sdscsv" target="_blank">How to deploy School Data Sync by using CSV files</a> and <a href="https://aka.ms/sdscsvattributes" target="_blank">CSV files for School Data Sync</a> - Deployment using CSV files: <a href="https://aka.ms/sdscsv" target="_blank">How to deploy School Data Sync by using CSV files</a> and <a href="https://aka.ms/sdscsvattributes" target="_blank">CSV files for School Data Sync</a>
- Deployment using PowerSchool Sync: <a href="https://aka.ms/sdspowerschool" target="_blank">How to deploy School Data Sync by using PowerSchool Sync</a> and <a href="https://aka.ms/sdspowerschoolattributes" target="_blank">School Data Sync required attributes for PowerSchool Sync</a> - Deployment using PowerSchool Sync: <a href="https://aka.ms/sdspowerschool" target="_blank">How to deploy School Data Sync by using PowerSchool Sync</a> and <a href="https://aka.ms/sdspowerschoolattributes" target="_blank">School Data Sync required attributes for PowerSchool Sync</a>
- Deployment using Clever Sync: <a href="https://aka.ms/sdsclever" target="_blank">How to deploy School Data Sync by using Clever Sync</a> and <a href="https://aka.ms/sdscleverattributes" target="_blank">School Data Sync required attributes for Clever sync</a> - Deployment using Clever Sync: <a href="https://aka.ms/sdsclever" target="_blank">How to deploy School Data Sync by using Clever Sync</a> and <a href="https://aka.ms/sdscleverattributes" target="_blank">School Data Sync required attributes for Clever sync</a>
- Deployment using OneRoster CSV files: <a href="https://aka.ms/sdsoneroster" target="_blank">How to deploy School Data Sync by using OneRoster CSV files</a> - Deployment using OneRoster CSV files: <a href="https://aka.ms/sdsoneroster" target="_blank">How to deploy School Data Sync by using OneRoster CSV files</a>
- Azure Active Directory features used by Intune for Education, including:
- Single Sign-On (SSO) - Allow your Azure AD users to access SSO-enabled apps, so they dont need to type in their credentials to access these apps.
- MDM auto-enrollment - Devices are automatically enrolled with Intune upon being joined with Azure AD join.
- <a href="https://docs.microsoft.com/azure/active-directory/active-directory-windows-enterprise-state-roaming-overview" target="_blank">Enterprise state roaming</a> - Keep school data and personal data separate on your devices.
- Dynamic groups - You can use dynamic groups to create rules that populate your groups (for example, a group with all 9th graders) instead of having to manually add or remove members of the groups. The group stays updated by continually staying populated with members that fit the rules you pick.
- <a href="https://docs.microsoft.com/azure/active-directory/active-directory-passwords-writeback" target="_blank">Password write-back</a> - Allows you to configure Azure AD to write passwords back to your on-premises Active Directory. It removes the need to set up and manage a complicated on-premises self-service password reset solution, and it provides a convenient cloud-based way for your users to reset their on-premises passwords wherever they are.
- Administrative units
- Additional local administrators
- <a href="https://www.microsoft.com/download/details.aspx?id=53947" target="_blank">Self-service BitLocker recovery</a> - A self-service portal that allows your employees to retrieve their BitLocker recovery key and avoid support calls.
**For teachers** **For teachers**
Whether it's in the classroom, getting the most out of your devices, or learning some of the cool things you can do, we've got teachers covered. Follow these links for more info: Whether it's in the classroom, getting the most out of your devices, or learning some of the cool things you can do, we've got teachers covered. Follow these links for more info:
- *Resources for anyone who uses Office 365* in <a href="https://support.office.com/en-US/article/Get-started-with-Office-365-Education-AB02ABE5-A1EE-458C-B749-5B44416CCF14" target="_blank">Get started with Office 365 for Education</a> - *Resources for anyone who uses Office 365* in <a href="https://support.office.com/article/AB02ABE5-A1EE-458C-B749-5B44416CCF14" target="_blank">Get started with Office 365 for Education</a>
- <a href="https://education.microsoft.com/windows-10-online-resources-for-teachers" target="_blank">Windows 10 online resources for teachers</a> - <a href="https://education.microsoft.com/windows-10-online-resources-for-teachers" target="_blank">Windows 10 online resources for teachers</a>
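Review bot: In the added Azure Active Directory list, "Administrative units" and "Additional local administrators" are the only entries with no description or link. Both affect who holds administrative rights, so each needs a one-line explanation like its neighbours. In the same list, "dont" in the SSO item is missing its apostrophe, "upon being joined with Azure AD join" should read "upon Azure AD join", "stays updated by continually staying populated" is circular, and the BitLocker item says "employees" in a topic addressed to schools. The three new anchors also use target="_blank" with no rel attribute; consider adding rel="noopener noreferrer" so the opened page gets no handle on the docs tab.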

View File

@ -21,7 +21,7 @@ ms.date: 07/10/2017
Schools can use Office 365 to save time and be more productive. Built with powerful tools and accessible from any device, setting it up is the first step in getting your school to the cloud. Schools can use Office 365 to save time and be more productive. Built with powerful tools and accessible from any device, setting it up is the first step in getting your school to the cloud.
Don't have an Office 365 for Education verified tenant or just starting out? Follow these steps to set up an Office 365 for Education tenant. [Learn more about Office 365 for Education plans and pricing](https://products.office.com/en-us/academic/compare-office-365-education-plans). </br> Don't have an Office 365 for Education verified tenant or just starting out? Follow these steps to set up an Office 365 for Education tenant. [Learn more about Office 365 for Education plans and pricing](https://products.office.com/academic/compare-office-365-education-plans). </br>
<center><iframe src="https://www.youtube.com/embed/X7bscA-knaY" width="960" height="540" allowFullScreen frameBorder="0"></iframe></center> <center><iframe src="https://www.youtube.com/embed/X7bscA-knaY" width="960" height="540" allowFullScreen frameBorder="0"></iframe></center>
<!-- <!--
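Review bot: The edited plans-and-pricing line still ends with </br>, which is not a valid HTML element (a closing tag for a void element). Since this line is being touched anyway, change it to <br> or <br /> so the break before the embedded video does not depend on renderer error recovery.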

View File

@ -22,7 +22,7 @@ ms.date: 07/10/2017
We recommend using the latest build of Windows 10, version 1703 on your education devices. We recommend using the latest build of Windows 10, version 1703 on your education devices.
To set up new Windows 10 devices and enroll them to your education tenant, choose from one of these options and follow the link to watch the video or follow the step-by-step guide: To set up new Windows 10 devices and enroll them to your education tenant, choose from one of these options and follow the link to watch the video or follow the step-by-step guide:
- **Option 1: [Use the Set up School PCs app](https://docs.microsoft.com/en-us/education/windows/use-set-up-school-pcs-app)** - You can use the app to create a setup file that you can use to quickly set up one or more Windows 10 devices. - **Option 1: [Use the Set up School PCs app](https://docs.microsoft.com/education/windows/use-set-up-school-pcs-app)** - You can use the app to create a setup file that you can use to quickly set up one or more Windows 10 devices.
- **Option 2: [Go through Windows OOBE and join the device to Azure AD](set-up-windows-education-devices.md)** - You can go through a typical Windows 10 device setup or first-run experience to configure your device. - **Option 2: [Go through Windows OOBE and join the device to Azure AD](set-up-windows-education-devices.md)** - You can go through a typical Windows 10 device setup or first-run experience to configure your device.
<!-- <!--

View File

@ -21,7 +21,7 @@ ms.date: 07/10/2017
School Data Sync (SDS) helps you import Student Information System (SIS) data into Office 365. It helps automate the process for importing and integrating SIS data that you can use with Office 365 and apps like OneNote Class Notebooks. School Data Sync (SDS) helps you import Student Information System (SIS) data into Office 365. It helps automate the process for importing and integrating SIS data that you can use with Office 365 and apps like OneNote Class Notebooks.
Follow all the steps in this section to use SDS and sample CSV files in a trial environment. To use SDS in a production environment, see step 2 in [Try out Microsoft Education in a production environment](https://docs.microsoft.com/en-us/education/get-started/get-started-with-microsoft-education#setup-options) instead. Follow all the steps in this section to use SDS and sample CSV files in a trial environment. To use SDS in a production environment, see step 2 in [Try out Microsoft Education in a production environment](https://docs.microsoft.com/education/get-started/get-started-with-microsoft-education#setup-options) instead.
You can watch the video to see how this is done, or follow the step-by-step guide.</br> You can watch the video to see how this is done, or follow the step-by-step guide.</br>
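Review bot: The hunk header shows ms.date: 07/10/2017 for this file and no hunk updates it, although the production-environment link on the changed line is edited. The get-started topic in this commit had its ms.date moved to 10/04/2017. Bump the date here as well, or confirm that link-only edits are meant to leave it unchanged. The changed link also points at the same docset with an absolute docs.microsoft.com URL; a relative link to get-started-with-microsoft-education.md#setup-options would survive a future path change.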

View File

@ -1,4 +1,5 @@
# [Microsoft Store for Business](index.md) # [Microsoft Store for Business](index.md)
## [What's new in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md)
## [Sign up and get started](sign-up-windows-store-for-business-overview.md) ## [Sign up and get started](sign-up-windows-store-for-business-overview.md)
###[Microsoft Store for Business and Microsoft Store for Education overview](windows-store-for-business-overview.md) ###[Microsoft Store for Business and Microsoft Store for Education overview](windows-store-for-business-overview.md)
### [Prerequisites for Microsoft Store for Business and Education](prerequisites-windows-store-for-business.md) ### [Prerequisites for Microsoft Store for Business and Education](prerequisites-windows-store-for-business.md)

View File

@ -0,0 +1,22 @@
---
title: Whats new in Microsoft Store for Business and Education
description: Learn about newest features in Microsoft Store for Business and Microsoft Store for Education.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
ms.date: 09/21/2017
---
# Microsoft Store for Business and Education release history
Microsoft Store for Business and Education regularly releases new and improved feaures. Here's a summary of new or updated features in previous releases.
Looking for info on the latest release? Check out [What's new in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md)
## August 2017
These items were released or updated in August, 2017.
- **Pellentesque habitant morbi tristique** - Lorem ipsum dolor sit amet, consectetuer adipiscing elit. [Learn more](distribute-apps-from-your-private-store.md)
- **Aenean nec lorem** - Lorem ipsum dolor sit amet, consectetuer adipiscing elit. [Learn more](distribute-apps-from-your-private-store.md)
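Review bot: The two August 2017 bullets are still Lorem ipsum placeholder text ("Pellentesque habitant morbi tristique", "Aenean nec lorem"), and both link to distribute-apps-from-your-private-store.md, so this page would publish filler as release notes. Replace them with the real items or hold the file back until they exist. The front-matter title also reads "Whats new in Microsoft Store for Business and Education" (missing apostrophe, and the same title as the what's-new page) although the H1 is "release history", and "feaures" in the intro should be "features".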

View File

@ -0,0 +1,35 @@
---
title: Whats new in Microsoft Store for Business and Education
description: Learn about newest features in Microsoft Store for Business and Microsoft Store for Education.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
ms.date: 10/04/2017
---
# What's new in Microsoft Store for Business and Education
Microsoft Store for Business and Education regularly releases new and improved feaures. Take a look below to see what's available to you today.
## Latest updates for Store for Business and Education
| | |
|-----------------------|---------------------------------|
| <iframe width="288" height="232" src="https://www.youtube.com/embed/IpLIZU_j7Z0" frameborder="0" allowfullscreen></iframe>| **Manage Windows device deployment with Windows AutoPilot Deployment** <br /><br /> In Microsoft Store for Business, you can manage devices for your organization and apply an AutoPilot deployment profile to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows, based on the AutoPilot deployment profile you applied to the device.<br /><br />[Get more info](add-profile-to-devices.md)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
| ![Microsoft Store for Business Settings page, Distribute tab showing app requests setting.](images/msfb-wn-1709-app-request.png) |**Request an app**<br /><br />People in your organization can reqest additional licenses for apps in your private store, and then Admins or Purchasers can make the purchases. <br /><br />[Get more info](https://docs.microsoft.com/microsoft-store/acquire-apps-windows-store-for-business#request-apps)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
| ![Microsoft Store for Business My organization page, showing Agreements tab.](images/msfb-wn-1709-my-org.png) |**My organization**<br /><br> **My organization** shows you all Agreements that apply to your organization. You can also update profile info for you org, such as mailing address and email associated with your account. <br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
| ![Microsoft Store for Business Products and Services page, Subscription tab with prepaid Office 365 subscription.](images/msfb-wn-1709-o365-prepaid.png) |**Manage prepaid Office 365 subscriptions**<br /><br />Office 365 prepaid subscriptions can be redeemed using a prepaid token. Tokens are available through 3rd-party businesses, outside of Microsoft Store for Business or the Office 365 Admin portal. After redemming prepaid subscriptions, Admins can add more licenses or extend the subscription's expiration date. <br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
| ![Microsoft Store for Business Products and Services page, Subscription tab with Office 365 subscription acquired by reseller.](images/msfb-wn-1709-o365-csp.png) |**Manage Office 365 subscriptions acquired by partners**<br /><br />Office 365 subscriptions purchased for your organization by a partner or reseller can be managed in Microsoft Store for Business. Admins can assign and manage licenses for these subscriptions. <br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
| ![Microsoft Store for Business shop page.](images/msfb-wn-1709-edge-ext.png) |**Edge extensions in Microsoft Store**<br /><br />Edge Extensions are now available from Microsoft Store! You can acquire and distribute them from Microsoft Store for Business just like any other app. <br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
| ![Search results in Microsoft Store for Business showing sub categories.](images/msfb-wn-1709-search-result-sub-cat.png) |**Search results in Microsoft Store for Business**<br /><br />Search results now have sub categories to help you refine search results. <br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
<!---
## Previous releases and updates
[August 2017](release-history-microsoft-store-business-education.md#august-2017)
- Item 1
- Item 2
- Item 3
-->
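Review bot: Several typos in the added text will ship as written: "feaures" in the intro, "reqest" in the Request an app row, "for you org" in the My organization row, and "redemming" in the prepaid Office 365 row. The My organization row also mixes `<br /><br>` where the other rows use `<br /><br />`, and the front-matter title is missing the apostrophe in "Whats". The commented-out "Previous releases and updates" block still carries Item 1/2/3 placeholders; finish it or drop it before merge.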

View File

@ -20,7 +20,7 @@ ms.date: 09/08/2017
[< Configure Active Directory](hello-hybrid-cert-whfb-settings-ad.md) [< Configure Active Directory](hello-hybrid-cert-whfb-settings-ad.md)
[Configure PKI >](hello-hybrid-cert-whfb-settings-pki.md) [Configure PKI >](hello-hybrid-cert-whfb-settings-pki.md)
## Directory Syncrhonization ## Directory Synchronization
>[!IMPORTANT] >[!IMPORTANT]
>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. >This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher.

View File

@ -59,5 +59,6 @@ The Universal Windows Platform ensures that consumers will have great battery li
## See also ## See also
[Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsruninbackground) - [Run in the background indefinitely](https://docs.microsoft.com/windows/uwp/launch-resume/run-in-the-background-indefinetly)
- [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsruninbackground)
[Optimize background activity](https://docs.microsoft.com/windows/uwp/debug-test-perf/optimize-background-activity) [Optimize background activity](https://docs.microsoft.com/windows/uwp/debug-test-perf/optimize-background-activity)
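Review bot: The See also list ends up half converted: the new "Run in the background indefinitely" entry and the Policy CSP entry get a leading `- `, but "Optimize background activity" on the last line stays a bare link and will render outside the list, so add the bullet there too. The slug in the new link is spelled `indefinetly` while the link text says "indefinitely"; confirm the slug matches the published URL.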

View File

@ -23,7 +23,7 @@ From its release, Windows 10 has supported remote connections to PCs that are jo
## Set up ## Set up
- Both PCs (local and remote) must be running Windows 10, version 1607. Remote connection to an Azure AD-joined PC that is running earlier versions of Windows 10 is not supported. - Both PCs (local and remote) must be running Windows 10, version 1607 (or later). Remote connection to an Azure AD-joined PC that is running earlier versions of Windows 10 is not supported.
- Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC that you are using to connect to the remote PC. - Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC that you are using to connect to the remote PC.
- On the PC that you want to connect to: - On the PC that you want to connect to:
1. Open system properties for the remote PC. 1. Open system properties for the remote PC.

View File

@ -2,6 +2,7 @@
## [What's new in MDM enrollment and management](new-in-windows-mdm-enrollment-management.md) ## [What's new in MDM enrollment and management](new-in-windows-mdm-enrollment-management.md)
## [Mobile device enrollment](mobile-device-enrollment.md) ## [Mobile device enrollment](mobile-device-enrollment.md)
### [MDM enrollment of Windows devices](mdm-enrollment-of-windows-devices.md) ### [MDM enrollment of Windows devices](mdm-enrollment-of-windows-devices.md)
### [Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md)
### [Federated authentication device enrollment](federated-authentication-device-enrollment.md) ### [Federated authentication device enrollment](federated-authentication-device-enrollment.md)
### [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md) ### [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md)
### [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md) ### [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md)

View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10 ms.prod: w10
ms.technology: windows ms.technology: windows
author: nickbrower author: nickbrower
ms.date: 09/19/2017 ms.date: 10/03/2017
--- ---
# AssignedAccess CSP # AssignedAccess CSP
@ -19,16 +19,17 @@ The AssignedAccess configuration service provider (CSP) is used set the device t
For step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](http://go.microsoft.com/fwlink/p/?LinkID=722211) For step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](http://go.microsoft.com/fwlink/p/?LinkID=722211)
> **Note**  The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting in Windows 10, version 1709 it is also supported in Windows 10 Pro. > [!Note]
> The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting in Windows 10, version 1709 it is also supported in Windows 10 Pro and Windows 10 S.
The following diagram shows the AssignedAccess configuration service provider in tree format The following diagram shows the AssignedAccess configuration service provider in tree format
![assignedaccess csp diagram](images/provisioning-csp-assignedaccess.png) ![assignedaccess csp diagram](images/provisioning-csp-assignedaccess.png)
<a href="" id="--vendor-msft-assignedaccess"></a>**./Vendor/MSFT/AssignedAccess** <a href="" id="--vendor-msft-assignedaccess"></a>**./Device/Vendor/MSFT/AssignedAccess**
Root node for the CSP. Root node for the CSP.
<a href="" id="assignedaccess-kioskmodeapp"></a>**AssignedAccess/KioskModeApp** <a href="" id="assignedaccess-kioskmodeapp"></a>**./Device/Vendor/MSFT/AssignedAccess/KioskModeApp**
A JSON string that contains the user account name and Application User Model ID (AUMID) of the Kiosk mode app. For more information about how to get the AUMID, follow the information in [this Microsoft website](http://go.microsoft.com/fwlink/p/?LinkId=404220). A JSON string that contains the user account name and Application User Model ID (AUMID) of the Kiosk mode app. For more information about how to get the AUMID, follow the information in [this Microsoft website](http://go.microsoft.com/fwlink/p/?LinkId=404220).
In Windows 10, version 1607, you can use a provisioned app to configure the kiosk mode. For more information about how to remotely provision an app, see [Enterprise app management](enterprise-app-management.md). In Windows 10, version 1607, you can use a provisioned app to configure the kiosk mode. For more information about how to remotely provision an app, see [Enterprise app management](enterprise-app-management.md).
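Review bot: The node paths change from `./Vendor/MSFT/AssignedAccess` to `./Device/Vendor/MSFT/AssignedAccess`, but the text does not say whether the old path is still accepted. Since this CSP drives kiosk lockdown, state whether existing profiles that target the old URI keep applying, and check that images/provisioning-csp-assignedaccess.png (not touched here) still matches the documented root. The hunk header context also still reads "is used set the device", and the "in tree format" sentence has no closing period.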
@ -49,7 +50,7 @@ For a local account, the domain name should be the device name. When Get is exec
The supported operations are Add, Delete, Get and Replace. When there's no configuration, the Get and Delete methods fail. When there's already a configuration for kiosk mode app, the Add method fails. The data pattern for Add and Replace is the same. The supported operations are Add, Delete, Get and Replace. When there's no configuration, the Get and Delete methods fail. When there's already a configuration for kiosk mode app, the Add method fails. The data pattern for Add and Replace is the same.
<a href="" id="assignedaccess-configuration"></a>**AssignedAccess/Configuration** <a href="" id="assignedaccess-configuration"></a>**./Device/Vendor/MSFT/AssignedAccess/Configuration**
Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For details about the configuration settings in the XML, see [Overview of the AssignedAccessConfiguration XML](#overview-of-the-assignedaccessconfiguration-xml). Here is the schema for the [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd). Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For details about the configuration settings in the XML, see [Overview of the AssignedAccessConfiguration XML](#overview-of-the-assignedaccessconfiguration-xml). Here is the schema for the [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd).
Enterprises can use this to easily configure and manage the curated lockdown experience. Enterprises can use this to easily configure and manage the curated lockdown experience.

View File

@ -2537,6 +2537,7 @@ The CSPs supported in Windows 10 S is the same as in Windows 10 Pro except that
- [ActiveSync CSP](activesync-csp.md) - [ActiveSync CSP](activesync-csp.md)
- [APPLICATION CSP](application-csp.md) - [APPLICATION CSP](application-csp.md)
- [AppLocker CSP](applocker-csp.md) - [AppLocker CSP](applocker-csp.md)
- [AssignedAccess CSP](assignedaccess-csp.md)
- [BOOTSTRAP CSP](bootstrap-csp.md) - [BOOTSTRAP CSP](bootstrap-csp.md)
- [CellularSettings CSP](cellularsettings-csp.md) - [CellularSettings CSP](cellularsettings-csp.md)
- [CertificateStore CSP](certificatestore-csp.md) - [CertificateStore CSP](certificatestore-csp.md)

View File

@ -37,17 +37,17 @@ Returns the versions of all configuration service providers supported on the dev
Added in Windows 10, version 1709. Interior node. Added in Windows 10, version 1709. Interior node.
<a href="" id="capabilities-cspversions"></a>**Provider/_ProviderID_** <a href="" id="capabilities-cspversions"></a>**Provider/_ProviderID_**
Added in Windows 10, version 1709. Provider ID of the configuration source. Added in Windows 10, version 1709. Provider ID of the configuration source. ProviderID should be unique among the different config sources.
<a href="" id="capabilities-cspversions"></a>**Provider/_ProviderID_/ConfigInfo** <a href="" id="capabilities-cspversions"></a>**Provider/_ProviderID_/ConfigInfo**
Added in Windows 10, version 1709. Configuration information string value set by the configuration source. Recommended to be used during sync session. Added in Windows 10, version 1709. Configuration information string value set by the configuration source. Recommended to be used during sync session.
The MDM server can query ConfigInfo to determine the settings of the traditional PC management system. The MDM can also configure ConfigInfo with its own device management information. ConfigInfo value can only be set by the provider that owns the ProviderID. The value is readable by other config sources.
Data type is string. Supported operations are Add, Get, Delete, and Replace. Data type is string. Supported operations are Add, Get, Delete, and Replace.
<a href="" id="capabilities-cspversions"></a>**Provider/_ProviderID_/EnrollmentInfo** <a href="" id="capabilities-cspversions"></a>**Provider/_ProviderID_/EnrollmentInfo**
Added in Windows 10, version 1709. Enrollment information string value set by the configuration source. Recommended to send to server during MDM enrollment. Added in Windows 10, version 1709. Enrollment information string value set by the configuration source and sent during MDM enrollment. It is readable by MDM server during sync session.
Data type is string. Supported operations are Add, Get, Delete, and Replace.  Data type is string. Supported operations are Add, Get, Delete, and Replace. 
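Review bot: The added ConfigInfo text says the value "is readable by other config sources" but gives no guidance on what may be stored there. Because any other management source on the device can read it, add a sentence telling providers not to place secrets or credentials in ConfigInfo, and say whether the same read access applies to EnrollmentInfo. Separately, all three nodes in this hunk (Provider/ProviderID, ConfigInfo, EnrollmentInfo) carry the same anchor id="capabilities-cspversions", so in-page links cannot target them individually.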

View File

@ -0,0 +1,121 @@
---
title: Enroll a Windows 10 device automatically using Group Policy
description: Enroll a Windows 10 device automatically using Group Policy
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 10/02/2017
---
# Enroll a Windows 10 device automatically using Group Policy
Starting in Windows 10, version 1709 you can use a Group Policy to trigger auto-enrollment to MDM for Active Directory (AD) domain joined devices.
Requirements:
- AD-joined PC running Windows 10, version 1709
- Enterprise has MDM service already configured
- Enterprise AD must be registered with Azure AD
> [!Tip]
> [How to configure automatic registration of Windows domain-joined devices with Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup)
To verify if the device is Azure AD registered, run `dsregcmd /status` from the command line.
Here is a partial screenshot of the result:
![device status result](images/autoenrollment-device-status.png)
The auto-enrollment relies of the presence of an MDM service and the Azure Active Directory registration for the PC. Starting in Windows 10, version 1607, once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically AAD registered.
> [!Note]
> In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/en-us/library/mt221945.aspx). For examples, see section 4.3.1 RequestSecurityToken of the the MS-MDE2 protocol documentation.
When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page.
In Windows 10, version 1709, when the same policy is configured in GP and MDM, the GP policy wins (GP policy is take precedence over MDM). In the future release of Windows 10, we are considering a feature that allows the admin to control which policy takes precedence.
For this policy to work, you must verify that the MDM service provider allows the GP triggered MDM enrollment for domain joined devices.
## Configure the auto-enrollment Group Policy for a single PC
This procedure is only for illustration purposes to show how the new auto-enrollment policy works. It is not recommended for the production environment in the enterprise. For bulk deployment, you should use the [Group Policy Management Console process](#configure-the-auto-enrollment-for-a-group-of-devices).
Requirements:
- AD-joined PC running Windows 10, version 1709
- Enterprise has MDM service already configured
- Enterprise AD must be registered with Azure AD
1. Run GPEdit.msc
Click Start, then in the text box type gpedit.
![GPEdit desktop app search result](images/autoenrollment-gpedit.png)
2. Under **Best match**, click **Edit group policy** to launch it.
3. In **Local Computer Policy**, click **Administrative Templates** > **Windows Components** > **MDM**.
![MDM policies](images/autoenrollment-mdm-policies.png)
4. Double-click **Auto MDM Enrollment with AAD Token**.
![MDM autoenrollment policy](images/autoenrollment-policy.png)
5. Click **Enable**, then click **OK**.
A task is created and scheduled to run every 5 minutes for the duration of 1 day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD."
To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app).
If two-factor authentication is required, you will be prompted to complete the process. Here is an example screenshot.
![Two-factor authentication notification](images/autoenrollment-2-factor-auth.png)
6. To verify successful enrollment to MDM , click **Start > Settings > Accounts > Access work or school**, then select your domain account.
7. Click **Info** to see the MDM enrollment information.
![Work School Settings](images/autoenrollment-settings-work-school.png)
If you do not see the **Info** button or the enrollment information, it is possible that the enrollment failed. Check the status in [Task Scheduler app](#task-scheduler-app).
### Task Scheduler app
1. Click **Start**, then in the text box type **task scheduler**.
![Task Scheduler search result](images/autoenrollment-task-schedulerapp.png)
2. Under **Best match**, click **Task Scheduler** to launch it.
3. In **Task Scheduler Library**, open **Microsoft > Windows** , then click **EnterpriseMgmt**.
![Auto-enrollment scheduled task](images/autoenrollment-scheduled-task.png)
To see the result of the task, move the scroll bar to the right to see the **Last Run Result**. Note that **0x80180026** is a failure message (MENROLL\_E_DEVICE\_MANAGEMENT_BLOCKED). You can see the logs in the **History** tab.
If the device enrollment is blocked, your IT admin may have enabled the **Disable MDM Enrollment** policy. Note that the GPEdit console does not reflect the status of policies set by your IT admin on your device. It is only used by the user to set policies.
## Configure the auto-enrollment for a group of devices
Requirements:
- AD-joined PC running Windows 10, version 1709
- Enterprise has MDM service already configured (with Intune or a third party service provider)
- Enterprise AD must be integrated with Azure AD.
- Ensure that PCs belong to same computer group.
1. Create a Group Policy Object (GPO) and enable the Group Policy **Auto MDM enrollment with AAD token**.
2. Create a Security Group for the PCs.
3. Link the GPO.
4. Filter using Security Groups.
5. Enforce a GPO link
### Related topics
- [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc753298(v=ws.11).aspx)
- [Create and Edit a Group Policy Object](https://technet.microsoft.com/en-us/library/cc754740(v=ws.11).aspx)
- [Link a Group Policy Object](https://technet.microsoft.com/en-us/library/cc732979(v=ws.11).aspx)
- [Filter Using Security Groups](https://technet.microsoft.com/en-us/library/cc752992(v=ws.11).aspx)
- [Enforce a Group Policy Object Link](https://technet.microsoft.com/en-us/library/cc753909(v=ws.11).aspx)
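Review bot: The precedence paragraph reads "GP policy is take precedence over MDM", which is ungrammatical at the one place where admins need an unambiguous statement of which source wins; reword it to "the GP policy takes precedence over MDM". Other wording to fix in this file: "relies of the presence", "of the the MS-MDE2", "In the future release", and the task name quoted with a leading space. The policy is called "Auto MDM Enrollment with AAD Token" in the single-PC steps and "Auto MDM enrollment with AAD token" in the group steps, and the requirement is "registered with Azure AD" in one list and "integrated with Azure AD" in the other; pick one form of each. Step 1 runs "Run GPEdit.msc" straight into "Click Start, then in the text box type gpedit." The new links also use /en-us/ while other hunks in this commit strip the locale from docs.microsoft.com URLs.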

View File

@ -10,7 +10,7 @@ ms.topic: article
ms.prod: w10 ms.prod: w10
ms.technology: windows ms.technology: windows
author: nickbrower author: nickbrower
ms.date: 06/19/2017 ms.date: 09/19/2017
--- ---
# MDM enrollment of Windows-based devices # MDM enrollment of Windows-based devices
@ -178,35 +178,33 @@ All Windows 10-based devices can be connected to a work or school account. You
### Using the Settings app ### Using the Settings app
1. Launch the Settings app. 1. Launch the Settings app and then click **Accounts**. Click **Start**, then the Settings icon, and then select **Accounts**
![windows settings page](images/unifiedenrollment-rs1-21.png) ![windows settings page](images/unifiedenrollment-rs1-21-b.png)
2. Next, navigate to **Accounts**. 2. Navigate to **Access work or school**.
![windows settings accounts select](images/unifiedenrollment-rs1-22.png) ![select access work or school](images/unifiedenrollment-rs1-23-b.png)
3. Navigate to **Access work or school**. 3. Click **Connect**.
![select access work or school](images/unifiedenrollment-rs1-23.png) ![connect to work or school](images/unifiedenrollment-rs1-24-b.png)
4. Click **Connect**. 4. Type in your Azure AD username. This is the email address you use to log into Office 365 and similar services.
![connect to work or school](images/unifiedenrollment-rs1-24.png) ![join work or school account to azure ad](images/unifiedenrollment-rs1-25-b.png)
5. Type in your Azure AD username. This is the email address you use to log into Office 365 and similar services. 5. If the tenant is a cloud only tenant, this page will change to show the organization's custom branding, and you will be able to enter your password directly into the page. If the tenant is part of a federated domain, you will be redirected to the organization's on-premises federation server, such as AD FS, for authentication.
![join work or school account to azure ad](images/unifiedenrollment-rs1-25.png)
6. If the tenant is a cloud only tenant, this page will change to show the organization's custom branding, and you will be able to enter your password directly into the page. If the tenant is part of a federated domain, you will be redirected to the organization's on-premises federation server, such as AD FS, for authentication.
Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. Based on IT policy, you may also be prompted to provide a second factor of authentication at this point.
If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant is not configured for auto-enrollment, you will have to go through the enrollment flow a second time to connect your device to MDM. If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant is not configured for auto-enrollment, you will have to go through the enrollment flow a second time to connect your device to MDM.
Starting in Windows 10, version 1709, you will see the status page that shows the progress of your device being set up.
![corporate sign in](images/unifiedenrollment-rs1-26.png) ![corporate sign in](images/unifiedenrollment-rs1-26.png)
7. After you complete the flow, your Microsoft account will be connected to your work or school account. 6. After you complete the flow, your Microsoft account will be connected to your work or school account.
![account successfully added](images/unifiedenrollment-rs1-27.png) ![account successfully added](images/unifiedenrollment-rs1-27.png)
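Review bot: Step 1 now gives the same instruction twice ("Launch the Settings app and then click **Accounts**. Click **Start**, then the Settings icon, and then select **Accounts**") and ends without a period; keep one form. The added sentence about the version 1709 status page is followed by the unchanged images/unifiedenrollment-rs1-26.png with alt text "corporate sign in", so check that the screenshot still matches what the text describes, or add the new one with its own alt text.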
@ -238,11 +236,12 @@ All Windows 10-based devices can be connected to an MDM. You can connect to an
6. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, youll be presented with a new window that will ask you for additional authentication information. 6. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, youll be presented with a new window that will ask you for additional authentication information.
Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. Starting in Windows 10, version 1709, you will see the enrollment progress on screen.
![corporate sign in](images/unifiedenrollment-rs1-33-b.png)
After you complete the flow, your device will be connected to your organizations MDM. After you complete the flow, your device will be connected to your organizations MDM.
![corporate sign in](images/unifiedenrollment-rs1-33.png)
### Connecting to MDM on a phone (Enrolling in device management) ### Connecting to MDM on a phone (Enrolling in device management)
@ -343,16 +342,7 @@ The following procedure describes how users can connect their devices to MDM usi
Your work or school connections can be managed on the **Settings** &gt; **Accounts** &gt; **Access work or school** page. Your connections will show on this page and clicking on one will expand options for that connection. Your work or school connections can be managed on the **Settings** &gt; **Accounts** &gt; **Access work or school** page. Your connections will show on this page and clicking on one will expand options for that connection.
![managing work or school account](images/unifiedenrollment-rs1-34.png) ![managing work or school account](images/unifiedenrollment-rs1-34-b.png)
### Manage
The **Manage** button can be found on work or school connections involving Azure AD. This includes the following scenarios:
- Connecting your device to an Azure AD domain
- Connecting to a work or school account.
Clicking on the manage button will open the Azure AD portal associated with that connection in your default browser.
### Info ### Info
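Review bot: Deleting the **Manage** section outright drops it for readers on releases before version 1709, while the note added in the next hunk says the button is unavailable only "Starting in Windows 10, version 1709". Suggest keeping the section with a version qualifier, or placing the 1709 note where the section used to be. Also check for inbound links to the `#manage` anchor before removing the heading.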
@ -364,7 +354,12 @@ The **Info** button can be found on work or school connections involving MDM. Th
Clicking the **Info** button will open a new page in the Settings app that provides details about your MDM connection. Youll be able to view your organizations support information (if configured) on this page. Youll also be able to start a sync session which will force your device to communicate to the MDM server and fetch any updates to policies if needed. Clicking the **Info** button will open a new page in the Settings app that provides details about your MDM connection. Youll be able to view your organizations support information (if configured) on this page. Youll also be able to start a sync session which will force your device to communicate to the MDM server and fetch any updates to policies if needed.
![work or school info](images/unifiedenrollment-rs1-35.png) Starting in Windows 10, version 1709, clicking the **Info** button will show a list of policies and line-of-business apps installed by your organization. Here is an example screehshot.
![work or school info](images/unifiedenrollment-rs1-35-b.png)
> [!Note]
> Starting in Windows 10, version 1709, the **Manage** button is no longer available.
### Disconnect ### Disconnect
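Review bot: Typo in the added sentence under **Info**: "screehshot" should be "screenshot". The `[!Note]` about the **Manage** button is also placed at the end of the **Info** section, where a reader looking for **Manage** is unlikely to find it; it fits better directly under the **Access work or school** paragraph.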
@ -375,16 +370,14 @@ The **Disconnect** button can be found on all work connections. Generally, click
> **Warning**  Disconnecting might result in the loss of data on the device. > **Warning**  Disconnecting might result in the loss of data on the device.
 
![disconnect work or school account](images/unifiedenrollment-rs1-36.png)
## Collecting diagnostic logs ## Collecting diagnostic logs
You can collect diagnostic logs around your work connections by going to **Settings** &gt; **Accounts** &gt; **Access work or school**, and clicking the **Export your management logs** link under **Related Settings**. After you click the link, click **Export** and follow the path displayed to retrieve your management log files. You can collect diagnostic logs around your work connections by going to **Settings** &gt; **Accounts** &gt; **Access work or school**, and clicking the **Export your management logs** link under **Related Settings**. After you click the link, click **Export** and follow the path displayed to retrieve your management log files.
![collecting enrollment management log files](images/unifiedenrollment-rs1-37.png) Starting in Windows 10, version 1709, you can get the advanced diagnostic report by going to **Settings** &gt; **Accounts** &gt; **Access work or school**, and clicking the **Info** button. At the bottom of the Settings page you will see the button to create a report. Here is an example screenshot.
![collecting enrollment management log files](images/unifiedenrollment-rs1-37-c.png)
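Review bot: The added version 1709 paragraph says "you will see the button to create a report" without giving the button's label or where the report is written, whereas the existing paragraph names **Export your management logs** and tells the reader to follow the displayed path. Name the button and the output location so a helpdesk can follow the step without the screenshot. The image `unifiedenrollment-rs1-37-c.png` also reuses the alt text "collecting enrollment management log files" although it now illustrates the advanced diagnostic report.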
   
@ -392,4 +385,3 @@ You can collect diagnostic logs around your work connections by going to **Setti

View File

@ -10,7 +10,7 @@ ms.topic: article
ms.prod: w10 ms.prod: w10
ms.technology: windows ms.technology: windows
author: nickbrower author: nickbrower
ms.date: 09/19/2017 ms.date: 10/02/2017
--- ---
# What's new in MDM enrollment and management # What's new in MDM enrollment and management
@ -1000,8 +1000,21 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<td style="vertical-align:top"><p>Added new policies.</p> <td style="vertical-align:top"><p>Added new policies.</p>
</td></tr> </td></tr>
<tr class="odd"> <tr class="odd">
<td style="vertical-align:top">Microsoft Store for Business</td> <td style="vertical-align:top">Microsoft Store for Business and Microsoft Store</td>
<td style="vertical-align:top"><p>Windows Store for Business name changed to Microsoft Store for Business.</p> <td style="vertical-align:top"><p>Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store.</p>
</td></tr>
<td style="vertical-align:top">[MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md)</td>
<td style="vertical-align:top"><p>New features in the Settings app:</p>
<ul>
<li>User sees installation progress of critical policies during MDM enrollment.</li>
<li>User knows what policies, profiles, apps MDM has configured</li>
<li>IT helpdesk can get detailed MDM diagnostic information using client tools</li>
</ul>
<p>For details, see [Managing connection](mdm-enrollment-of-windows-devices.md#managing-connections) and [Collecting diagnostic logs](mdm-enrollment-of-windows-devices.md#collecting-diagnostic-logs)</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md)</td>
<td style="vertical-align:top"><p>Added new topic to introduce a new Group Policy for automatic MDM enrollment.</p>
</td></tr> </td></tr>
<tr class="odd"> <tr class="odd">
<td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td> <td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
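Review bot: The added row for "MDM enrollment of Windows-based devices" starts with a `<td>` directly after the preceding `</td></tr>`, with no opening `<tr>`, so the table markup is unbalanced at that point; add `<tr class="even">` before it. The link text in this row reads "Managing connection", while the same row added to the later table reads "Managing connections" and the anchor is `#managing-connections`; make them consistent. The second and third list items and the "For details, see" sentence are missing the closing period the first item has.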
@ -1384,8 +1397,8 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<td style="vertical-align:top"><p>Starting in Windows 10, version 1709, AssignedAccess CSP is also supported in Windows 10 Pro.</p> <td style="vertical-align:top"><p>Starting in Windows 10, version 1709, AssignedAccess CSP is also supported in Windows 10 Pro.</p>
</td></tr> </td></tr>
<tr class="odd"> <tr class="odd">
<td style="vertical-align:top">Microsoft Store for Business</td> <td style="vertical-align:top">Microsoft Store for Business and Microsoft Store</td>
<td style="vertical-align:top"><p>Windows Store for Business name changed to Microsoft Store for Business.</p> <td style="vertical-align:top"><p>Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store.</p>
</td></tr> </td></tr>
<tr class="even"> <tr class="even">
<td style="vertical-align:top">The [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/en-us/library/mt221945.aspx)</td> <td style="vertical-align:top">The [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/en-us/library/mt221945.aspx)</td>
@ -1401,9 +1414,24 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<td style="vertical-align:top">[EntepriseAPN CSP](enterpriseapn-csp.md)</td> <td style="vertical-align:top">[EntepriseAPN CSP](enterpriseapn-csp.md)</td>
<td style="vertical-align:top"><p>Added a SyncML example.</p> <td style="vertical-align:top"><p>Added a SyncML example.</p>
</td></tr> </td></tr>
<tr class="odd">
<td style="vertical-align:top">[VPNv2 CSP](vpnv2-csp.md)</td> <td style="vertical-align:top">[VPNv2 CSP](vpnv2-csp.md)</td>
<td style="vertical-align:top"><p>Added RegisterDNS setting in Windows 10, version 1709.</p> <td style="vertical-align:top"><p>Added RegisterDNS setting in Windows 10, version 1709.</p>
</td></tr> </td></tr>
<tr class="odd">
<td style="vertical-align:top">[Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md)</td>
<td style="vertical-align:top"><p>Added new topic to introduce a new Group Policy for automatic MDM enrollment.</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md)</td>
<td style="vertical-align:top"><p>New features in the Settings app:</p>
<ul>
<li>User sees installation progress of critical policies during MDM enrollment.</li>
<li>User knows what policies, profiles, apps MDM has configured</li>
<li>IT helpdesk can get detailed MDM diagnostic information using client tools</li>
</ul>
<p>For details, see [Managing connections](mdm-enrollment-of-windows-devices.md#managing-connections) and [Collecting diagnostic logs](mdm-enrollment-of-windows-devices.md#collecting-diagnostic-logs)</p>
</td></tr>
</tbody> </tbody>
</table> </table>
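Review bot: The three rows this hunk opens (VPNv2 CSP, the Group Policy enrollment topic, and MDM enrollment of Windows-based devices) all use `<tr class="odd">` back to back, which breaks the odd/even alternation used earlier in the table, where `<tr class="even">` precedes the MS-MDE2 row. Alternate the classes. The two new rows repeat the rows added to the earlier table in this file, so any wording fix, such as the missing periods on the second and third list items, has to be made in both places.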

View File

@ -458,6 +458,9 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd> <dd>
<a href="./policy-csp-browser.md#browser-allowsmartscreen" id="browser-allowsmartscreen">Browser/AllowSmartScreen</a> <a href="./policy-csp-browser.md#browser-allowsmartscreen" id="browser-allowsmartscreen">Browser/AllowSmartScreen</a>
</dd> </dd>
<!--<dd>
<a href="./policy-csp-browser.md#browser-alwaysenablebookslibrary" id="browser-alwaysenablebookslibrary">Browser/AlwaysEnableBooksLibrary</a>
</dd>-->
<dd> <dd>
<a href="./policy-csp-browser.md#browser-clearbrowsingdataonexit" id="browser-clearbrowsingdataonexit">Browser/ClearBrowsingDataOnExit</a> <a href="./policy-csp-browser.md#browser-clearbrowsingdataonexit" id="browser-clearbrowsingdataonexit">Browser/ClearBrowsingDataOnExit</a>
</dd> </dd>
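Review bot: The entry for `Browser/AlwaysEnableBooksLibrary` is committed inside an HTML comment (`<!--<dd>` ... `</dd>-->`). Commented-out markup stays readable in the repository, so the policy name is exposed anyway while readers get no documentation for it. Either add the entry in the commit that publishes the policy or leave it out of this one; if it has to stay, add a short comment saying when it should be enabled.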
@ -692,6 +695,12 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd> <dd>
<a href="./policy-csp-defender.md#defender-cloudextendedtimeout" id="defender-cloudextendedtimeout">Defender/CloudExtendedTimeout</a> <a href="./policy-csp-defender.md#defender-cloudextendedtimeout" id="defender-cloudextendedtimeout">Defender/CloudExtendedTimeout</a>
</dd> </dd>
<dd>
<a href="./policy-csp-defender.md#defender-controlledfolderaccessallowedapplications" id="defender-controlledfolderaccessallowedapplications">Defender/ControlledFolderAccessAllowedApplications</a>
</dd>
<dd>
<a href="./policy-csp-defender.md#defender-controlledfolderaccessprotectedfolders" id="defender-controlledfolderaccessprotectedfolders">Defender/ControlledFolderAccessProtectedFolders</a>
</dd>
<dd> <dd>
<a href="./policy-csp-defender.md#defender-daystoretaincleanedmalware" id="defender-daystoretaincleanedmalware">Defender/DaysToRetainCleanedMalware</a> <a href="./policy-csp-defender.md#defender-daystoretaincleanedmalware" id="defender-daystoretaincleanedmalware">Defender/DaysToRetainCleanedMalware</a>
</dd> </dd>
@ -710,12 +719,6 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd> <dd>
<a href="./policy-csp-defender.md#defender-excludedprocesses" id="defender-excludedprocesses">Defender/ExcludedProcesses</a> <a href="./policy-csp-defender.md#defender-excludedprocesses" id="defender-excludedprocesses">Defender/ExcludedProcesses</a>
</dd> </dd>
<dd>
<a href="./policy-csp-defender.md#defender-controlledfolderaccessallowedapplications" id="defender-controlledfolderaccessallowedapplications">Defender/ControlledFolderAccessAllowedApplications</a>
</dd>
<dd>
<a href="./policy-csp-defender.md#defender-controlledfolderaccessprotectedfolders" id="defender-controlledfolderaccessprotectedfolders">Defender/ControlledFolderAccessProtectedFolders</a>
</dd>
<dd> <dd>
<a href="./policy-csp-defender.md#defender-puaprotection" id="defender-puaprotection">Defender/PUAProtection</a> <a href="./policy-csp-defender.md#defender-puaprotection" id="defender-puaprotection">Defender/PUAProtection</a>
</dd> </dd>
@ -1148,9 +1151,6 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd> <dd>
<a href="./policy-csp-internetexplorer.md#internetexplorer-disableadobeflash" id="internetexplorer-disableadobeflash">InternetExplorer/DisableAdobeFlash</a> <a href="./policy-csp-internetexplorer.md#internetexplorer-disableadobeflash" id="internetexplorer-disableadobeflash">InternetExplorer/DisableAdobeFlash</a>
</dd> </dd>
<dd>
<a href="./policy-csp-internetexplorer.md#internetexplorer-disableblockingofoutdatedactivexcontrols" id="internetexplorer-disableblockingofoutdatedactivexcontrols">InternetExplorer/DisableBlockingOfOutdatedActiveXControls</a>
</dd>
<dd> <dd>
<a href="./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarnings" id="internetexplorer-disablebypassofsmartscreenwarnings">InternetExplorer/DisableBypassOfSmartScreenWarnings</a> <a href="./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarnings" id="internetexplorer-disablebypassofsmartscreenwarnings">InternetExplorer/DisableBypassOfSmartScreenWarnings</a>
</dd> </dd>
@ -1325,9 +1325,6 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd> <dd>
<a href="./policy-csp-internetexplorer.md#internetexplorer-internetzonenavigatewindowsandframes" id="internetexplorer-internetzonenavigatewindowsandframes">InternetExplorer/InternetZoneNavigateWindowsAndFrames</a> <a href="./policy-csp-internetexplorer.md#internetexplorer-internetzonenavigatewindowsandframes" id="internetexplorer-internetzonenavigatewindowsandframes">InternetExplorer/InternetZoneNavigateWindowsAndFrames</a>
</dd> </dd>
<dd>
<a href="./policy-csp-internetexplorer.md#internetexplorer-internetzonerunnetframeworkreliantcomponentsnotsignedwithauthenticode" id="internetexplorer-internetzonerunnetframeworkreliantcomponentsnotsignedwithauthenticode">InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsNotSignedWithAuthenticode</a>
</dd>
<dd> <dd>
<a href="./policy-csp-internetexplorer.md#internetexplorer-internetzonerunnetframeworkreliantcomponentssignedwithauthenticode" id="internetexplorer-internetzonerunnetframeworkreliantcomponentssignedwithauthenticode">InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode</a> <a href="./policy-csp-internetexplorer.md#internetexplorer-internetzonerunnetframeworkreliantcomponentssignedwithauthenticode" id="internetexplorer-internetzonerunnetframeworkreliantcomponentssignedwithauthenticode">InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode</a>
</dd> </dd>
@ -1337,9 +1334,6 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd> <dd>
<a href="./policy-csp-internetexplorer.md#internetexplorer-internetzoneusepopupblocker" id="internetexplorer-internetzoneusepopupblocker">InternetExplorer/InternetZoneUsePopupBlocker</a> <a href="./policy-csp-internetexplorer.md#internetexplorer-internetzoneusepopupblocker" id="internetexplorer-internetzoneusepopupblocker">InternetExplorer/InternetZoneUsePopupBlocker</a>
</dd> </dd>
<dd>
<a href="./policy-csp-internetexplorer.md#internetexplorer-internetzonewebsitesinlessprivilegedzonescannavigateintothiszone" id="internetexplorer-internetzonewebsitesinlessprivilegedzonescannavigateintothiszone">InternetExplorer/InternetZoneWebsitesInLessPrivilegedZonesCanNavigateIntoThisZone</a>
</dd>
<dd> <dd>
<a href="./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowaccesstodatasources" id="internetexplorer-intranetzoneallowaccesstodatasources">InternetExplorer/IntranetZoneAllowAccessToDataSources</a> <a href="./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowaccesstodatasources" id="internetexplorer-intranetzoneallowaccesstodatasources">InternetExplorer/IntranetZoneAllowAccessToDataSources</a>
</dd> </dd>
@ -1373,9 +1367,6 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd> <dd>
<a href="./policy-csp-internetexplorer.md#internetexplorer-intranetzoneinitializeandscriptactivexcontrols" id="internetexplorer-intranetzoneinitializeandscriptactivexcontrols">InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls</a> <a href="./policy-csp-internetexplorer.md#internetexplorer-intranetzoneinitializeandscriptactivexcontrols" id="internetexplorer-intranetzoneinitializeandscriptactivexcontrols">InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls</a>
</dd> </dd>
<dd>
<a href="./policy-csp-internetexplorer.md#internetexplorer-intranetzoneinitializeandscriptactivexcontrolsnotmarkedsafe" id="internetexplorer-intranetzoneinitializeandscriptactivexcontrolsnotmarkedsafe">InternetExplorer/IntranetZoneInitializeAndScriptActiveXControlsNotMarkedSafe</a>
</dd>
<dd> <dd>
<a href="./policy-csp-internetexplorer.md#internetexplorer-intranetzonejavapermissions" id="internetexplorer-intranetzonejavapermissions">InternetExplorer/IntranetZoneJavaPermissions</a> <a href="./policy-csp-internetexplorer.md#internetexplorer-intranetzonejavapermissions" id="internetexplorer-intranetzonejavapermissions">InternetExplorer/IntranetZoneJavaPermissions</a>
</dd> </dd>
@ -1727,9 +1718,6 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd> <dd>
<a href="./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonenavigatewindowsandframes" id="internetexplorer-restrictedsiteszonenavigatewindowsandframes">InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames</a> <a href="./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonenavigatewindowsandframes" id="internetexplorer-restrictedsiteszonenavigatewindowsandframes">InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames</a>
</dd> </dd>
<dd>
<a href="./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonenavigatewindowsandframesacrossdomains" id="internetexplorer-restrictedsiteszonenavigatewindowsandframesacrossdomains">InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFramesAcrossDomains</a>
</dd>
<dd> <dd>
<a href="./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunactivexcontrolsandplugins" id="internetexplorer-restrictedsiteszonerunactivexcontrolsandplugins">InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins</a> <a href="./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunactivexcontrolsandplugins" id="internetexplorer-restrictedsiteszonerunactivexcontrolsandplugins">InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins</a>
</dd> </dd>
@ -1745,9 +1733,6 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd> <dd>
<a href="./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneshowsecuritywarningforpotentiallyunsafefiles" id="internetexplorer-restrictedsiteszoneshowsecuritywarningforpotentiallyunsafefiles">InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles</a> <a href="./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneshowsecuritywarningforpotentiallyunsafefiles" id="internetexplorer-restrictedsiteszoneshowsecuritywarningforpotentiallyunsafefiles">InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles</a>
</dd> </dd>
<dd>
<a href="./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneturnoncrosssitescriptingfilter" id="internetexplorer-restrictedsiteszoneturnoncrosssitescriptingfilter">InternetExplorer/RestrictedSitesZoneTurnOnCrossSiteScriptingFilter</a>
</dd>
<dd> <dd>
<a href="./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneturnonprotectedmode" id="internetexplorer-restrictedsiteszoneturnonprotectedmode">InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode</a> <a href="./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneturnonprotectedmode" id="internetexplorer-restrictedsiteszoneturnonprotectedmode">InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode</a>
</dd> </dd>
@ -1796,18 +1781,9 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd> <dd>
<a href="./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonedonotrunantimalwareagainstactivexcontrols" id="internetexplorer-trustedsiteszonedonotrunantimalwareagainstactivexcontrols">InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls</a> <a href="./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonedonotrunantimalwareagainstactivexcontrols" id="internetexplorer-trustedsiteszonedonotrunantimalwareagainstactivexcontrols">InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls</a>
</dd> </dd>
<dd>
<a href="./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonedontrunantimalwareprogramsagainstactivexcontrols" id="internetexplorer-trustedsiteszonedontrunantimalwareprogramsagainstactivexcontrols">InternetExplorer/TrustedSitesZoneDontRunAntimalwareProgramsAgainstActiveXControls</a>
</dd>
<dd> <dd>
<a href="./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrols" id="internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrols">InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls</a> <a href="./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrols" id="internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrols">InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls</a>
</dd> </dd>
<dd>
<a href="./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrolsnotmarkedassafe" id="internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrolsnotmarkedassafe">InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedAsSafe</a>
</dd>
<dd>
<a href="./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrolsnotmarkedsafe" id="internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrolsnotmarkedsafe">InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedSafe</a>
</dd>
<dd> <dd>
<a href="./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonejavapermissions" id="internetexplorer-trustedsiteszonejavapermissions">InternetExplorer/TrustedSitesZoneJavaPermissions</a> <a href="./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonejavapermissions" id="internetexplorer-trustedsiteszonejavapermissions">InternetExplorer/TrustedSitesZoneJavaPermissions</a>
</dd> </dd>
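Review bot: Both `TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedAsSafe` and `TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedSafe` are removed in this hunk, so no "not marked safe" entry remains for the Trusted Sites zone. For `TrustedSitesZoneDontRunAntimalwareProgramsAgainstActiveXControls` the surviving `TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls` entry shows it was a duplicate, but that is not the case here. State in the commit message whether both names are being retired or one should have been kept, so readers searching for either name know the removal was intentional.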
@ -1898,9 +1874,6 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd> <dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-shutdown-allowsystemtobeshutdownwithouthavingtologon" id="localpoliciessecurityoptions-shutdown-allowsystemtobeshutdownwithouthavingtologon">LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn</a> <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-shutdown-allowsystemtobeshutdownwithouthavingtologon" id="localpoliciessecurityoptions-shutdown-allowsystemtobeshutdownwithouthavingtologon">LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn</a>
</dd> </dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-runalladministratorsinadminapprovalmode" id="localpoliciessecurityoptions-useraccountcontrol-runalladministratorsinadminapprovalmode">LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode</a>
</dd>
<dd> <dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-allowuiaccessapplicationstopromptforelevation" id="localpoliciessecurityoptions-useraccountcontrol-allowuiaccessapplicationstopromptforelevation">LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation</a> <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-allowuiaccessapplicationstopromptforelevation" id="localpoliciessecurityoptions-useraccountcontrol-allowuiaccessapplicationstopromptforelevation">LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation</a>
</dd> </dd>
@ -1916,6 +1889,9 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd> <dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-onlyelevateuiaccessapplicationsthatareinstalledinsecurelocations" id="localpoliciessecurityoptions-useraccountcontrol-onlyelevateuiaccessapplicationsthatareinstalledinsecurelocations">LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations</a> <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-onlyelevateuiaccessapplicationsthatareinstalledinsecurelocations" id="localpoliciessecurityoptions-useraccountcontrol-onlyelevateuiaccessapplicationsthatareinstalledinsecurelocations">LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations</a>
</dd> </dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-runalladministratorsinadminapprovalmode" id="localpoliciessecurityoptions-useraccountcontrol-runalladministratorsinadminapprovalmode">LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode</a>
</dd>
<dd> <dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-switchtothesecuredesktopwhenpromptingforelevation" id="localpoliciessecurityoptions-useraccountcontrol-switchtothesecuredesktopwhenpromptingforelevation">LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation</a> <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-switchtothesecuredesktopwhenpromptingforelevation" id="localpoliciessecurityoptions-useraccountcontrol-switchtothesecuredesktopwhenpromptingforelevation">LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation</a>
</dd> </dd>
@ -2681,7 +2657,7 @@ The following diagram shows the Policy configuration service provider in tree fo
<a href="./policy-csp-system.md#system-disablesystemrestore" id="system-disablesystemrestore">System/DisableSystemRestore</a> <a href="./policy-csp-system.md#system-disablesystemrestore" id="system-disablesystemrestore">System/DisableSystemRestore</a>
</dd> </dd>
<dd> <dd>
<a href="./policy-csp-system.md#system-limitenhanceddiagnosticdatawindowsanalytics" id="limitenhanceddiagnosticdatawindowsanalytics">System/LimitEnhancedDiagnosticDataWindowsAnalytics</a> <a href="./policy-csp-system.md#system-limitenhanceddiagnosticdatawindowsanalytics" id="system-limitenhanceddiagnosticdatawindowsanalytics">System/LimitEnhancedDiagnosticDataWindowsAnalytics</a>
</dd> </dd>
<dd> <dd>
<a href="./policy-csp-system.md#system-telemetryproxy" id="system-telemetryproxy">System/TelemetryProxy</a> <a href="./policy-csp-system.md#system-telemetryproxy" id="system-telemetryproxy">System/TelemetryProxy</a>
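Review bot: Check for inbound links to the old fragment `#limitenhanceddiagnosticdatawindowsanalytics` before renaming the `id` on the `System/LimitEnhancedDiagnosticDataWindowsAnalytics` entry. The new value `system-limitenhanceddiagnosticdatawindowsanalytics` matches the pattern of the neighbouring entries, but any existing link to the old fragment on this page will stop resolving. Update those links in the same commit.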
@ -3094,7 +3070,6 @@ The following diagram shows the Policy configuration service provider in tree fo
- [InternetExplorer/CheckSignaturesOnDownloadedPrograms](./policy-csp-internetexplorer.md#internetexplorer-checksignaturesondownloadedprograms) - [InternetExplorer/CheckSignaturesOnDownloadedPrograms](./policy-csp-internetexplorer.md#internetexplorer-checksignaturesondownloadedprograms)
- [InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-consistentmimehandlinginternetexplorerprocesses) - [InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-consistentmimehandlinginternetexplorerprocesses)
- [InternetExplorer/DisableAdobeFlash](./policy-csp-internetexplorer.md#internetexplorer-disableadobeflash) - [InternetExplorer/DisableAdobeFlash](./policy-csp-internetexplorer.md#internetexplorer-disableadobeflash)
- [InternetExplorer/DisableBlockingOfOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-disableblockingofoutdatedactivexcontrols)
- [InternetExplorer/DisableBypassOfSmartScreenWarnings](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarnings) - [InternetExplorer/DisableBypassOfSmartScreenWarnings](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarnings)
- [InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarningsaboutuncommonfiles) - [InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarningsaboutuncommonfiles)
- [InternetExplorer/DisableConfiguringHistory](./policy-csp-internetexplorer.md#internetexplorer-disableconfiguringhistory) - [InternetExplorer/DisableConfiguringHistory](./policy-csp-internetexplorer.md#internetexplorer-disableconfiguringhistory)
@ -3152,11 +3127,9 @@ The following diagram shows the Policy configuration service provider in tree fo
- [InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-internetzonelaunchingapplicationsandfilesiniframe) - [InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-internetzonelaunchingapplicationsandfilesiniframe)
- [InternetExplorer/InternetZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-internetzonelogonoptions) - [InternetExplorer/InternetZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-internetzonelogonoptions)
- [InternetExplorer/InternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-internetzonenavigatewindowsandframes) - [InternetExplorer/InternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-internetzonenavigatewindowsandframes)
- [InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsNotSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-internetzonerunnetframeworkreliantcomponentsnotsignedwithauthenticode)
- [InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-internetzonerunnetframeworkreliantcomponentssignedwithauthenticode) - [InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-internetzonerunnetframeworkreliantcomponentssignedwithauthenticode)
- [InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneshowsecuritywarningforpotentiallyunsafefiles) - [InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneshowsecuritywarningforpotentiallyunsafefiles)
- [InternetExplorer/InternetZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-internetzoneusepopupblocker) - [InternetExplorer/InternetZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-internetzoneusepopupblocker)
- [InternetExplorer/InternetZoneWebsitesInLessPrivilegedZonesCanNavigateIntoThisZone](./policy-csp-internetexplorer.md#internetexplorer-internetzonewebsitesinlessprivilegedzonescannavigateintothiszone)
- [InternetExplorer/IntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowaccesstodatasources) - [InternetExplorer/IntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowaccesstodatasources)
- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforactivexcontrols) - [InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforactivexcontrols)
- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforfiledownloads) - [InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforfiledownloads)
@ -3168,7 +3141,6 @@ The following diagram shows the Policy configuration service provider in tree fo
- [InternetExplorer/IntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowuserdatapersistence) - [InternetExplorer/IntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowuserdatapersistence)
- [InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzonedonotrunantimalwareagainstactivexcontrols) - [InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzonedonotrunantimalwareagainstactivexcontrols)
- [InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneinitializeandscriptactivexcontrols) - [InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneinitializeandscriptactivexcontrols)
- [InternetExplorer/IntranetZoneInitializeAndScriptActiveXControlsNotMarkedSafe](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneinitializeandscriptactivexcontrolsnotmarkedsafe)
- [InternetExplorer/IntranetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-intranetzonejavapermissions) - [InternetExplorer/IntranetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-intranetzonejavapermissions)
- [InternetExplorer/IntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-intranetzonenavigatewindowsandframes) - [InternetExplorer/IntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-intranetzonenavigatewindowsandframes)
- [InternetExplorer/LocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowaccesstodatasources) - [InternetExplorer/LocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowaccesstodatasources)
@ -3286,13 +3258,11 @@ The following diagram shows the Policy configuration service provider in tree fo
- [InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelaunchingapplicationsandfilesiniframe) - [InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelaunchingapplicationsandfilesiniframe)
- [InternetExplorer/RestrictedSitesZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelogonoptions) - [InternetExplorer/RestrictedSitesZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelogonoptions)
- [InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonenavigatewindowsandframes) - [InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonenavigatewindowsandframes)
- [InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFramesAcrossDomains](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonenavigatewindowsandframesacrossdomains)
- [InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunactivexcontrolsandplugins) - [InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunactivexcontrolsandplugins)
- [InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunnetframeworkreliantcomponentssignedwithauthenticode) - [InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunnetframeworkreliantcomponentssignedwithauthenticode)
- [InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptactivexcontrolsmarkedsafeforscripting) - [InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptactivexcontrolsmarkedsafeforscripting)
- [InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptingofjavaapplets) - [InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptingofjavaapplets)
- [InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneshowsecuritywarningforpotentiallyunsafefiles) - [InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneshowsecuritywarningforpotentiallyunsafefiles)
- [InternetExplorer/RestrictedSitesZoneTurnOnCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneturnoncrosssitescriptingfilter)
- [InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneturnonprotectedmode) - [InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneturnonprotectedmode)
- [InternetExplorer/RestrictedSitesZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneusepopupblocker) - [InternetExplorer/RestrictedSitesZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneusepopupblocker)
- [InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-scriptedwindowsecurityrestrictionsinternetexplorerprocesses) - [InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-scriptedwindowsecurityrestrictionsinternetexplorerprocesses)
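Review bot: The removed `RestrictedSitesZoneTurnOnCrossSiteScriptingFilter` entry has no similarly named counterpart left in this list, unlike `RestrictedSitesZoneNavigateWindowsAndFramesAcrossDomains`, which was listed directly after the retained `RestrictedSitesZoneNavigateWindowsAndFrames`. The merge commit message gives no reason for the removal. Please state, in the commit message or in the topic's change history, whether the XSS filter policy was withdrawn from the CSP or was only documented by mistake, so that admins who already push that node can tell whether it is still honored for the Restricted Sites zone.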
@ -3309,10 +3279,7 @@ The following diagram shows the Policy configuration service provider in tree fo
- [InternetExplorer/TrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowsmartscreenie) - [InternetExplorer/TrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowsmartscreenie)
- [InternetExplorer/TrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowuserdatapersistence) - [InternetExplorer/TrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowuserdatapersistence)
- [InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonedonotrunantimalwareagainstactivexcontrols) - [InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonedonotrunantimalwareagainstactivexcontrols)
- [InternetExplorer/TrustedSitesZoneDontRunAntimalwareProgramsAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonedontrunantimalwareprogramsagainstactivexcontrols)
- [InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrols) - [InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrols)
- [InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedAsSafe](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrolsnotmarkedassafe)
- [InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedSafe](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrolsnotmarkedsafe)
- [InternetExplorer/TrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonejavapermissions) - [InternetExplorer/TrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonejavapermissions)
- [InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonenavigatewindowsandframes) - [InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonenavigatewindowsandframes)
- [Kerberos/AllowForestSearchOrder](./policy-csp-kerberos.md#kerberos-allowforestsearchorder) - [Kerberos/AllowForestSearchOrder](./policy-csp-kerberos.md#kerberos-allowforestsearchorder)
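Review bot: Of the three Trusted Sites entries removed in this hunk, only `TrustedSitesZoneDontRunAntimalwareProgramsAgainstActiveXControls` has an obvious retained counterpart (`TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls`). Both `TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedAsSafe` and `TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedSafe` are dropped, and nothing left in the visible list covers controls that are not marked safe. If one of the two spellings is the valid node name, keep that one. If neither is supported, record the removal where readers track changes to this CSP, rather than letting the entries disappear silently.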

View File

@ -496,13 +496,6 @@ ms.date: 09/29/2017
<!--StartDescription--> <!--StartDescription-->
<p style="margin-left: 20px">Allows disabling of the retail catalog and only enables the Private store. <p style="margin-left: 20px">Allows disabling of the retail catalog and only enables the Private store.
> [!IMPORTANT]
> This node must be accessed using the following paths:
>
> - **./User/Vendor/MSFT/Policy/Config/ApplicationManagement/RequirePrivateStoreOnly** to set the policy.
> - **./User/Vendor/MSFT/Policy/Result/ApplicationManagement/RequirePrivateStoreOnly** to get the result.
<p style="margin-left: 20px">The following list shows the supported values: <p style="margin-left: 20px">The following list shows the supported values:
- 0 (default) Allow both public and Private store. - 0 (default) Allow both public and Private store.
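Review bot: Deleting the `[!IMPORTANT]` block from the RequirePrivateStoreOnly description removes the only statement in this hunk that the node is addressed under `./User/Vendor/MSFT/Policy/Config/ApplicationManagement/RequirePrivateStoreOnly`. The InternetExplorer topic in this same commit documents scope with a `[Scope](./policy-configuration-service-provider.md#policy-scope)` checklist. Please confirm that this entry carries an equivalent Scope block, or keep one line naming the user scope, so that an admin does not target the wrong path when restricting devices to the Private store.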

View File

@ -119,13 +119,6 @@ ms.date: 09/29/2017
<!--StartDescription--> <!--StartDescription-->
<p style="margin-left: 20px">Allows an EAP cert-based authentication for a single sign on (SSO) to access internal resources. <p style="margin-left: 20px">Allows an EAP cert-based authentication for a single sign on (SSO) to access internal resources.
> [!IMPORTANT]
> This node must be accessed using the following paths:
>
> - **./User/Vendor/MSFT/Policy/Config/Authentication/AllowEAPCertSSO** to set the policy.
> - **./User/Vendor/MSFT/Policy/Result/Authentication/AllowEAPCertSSO** to get the result.
<p style="margin-left: 20px">The following list shows the supported values: <p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed. - 0 Not allowed.
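Review bot: The removed `[!IMPORTANT]` block was the only place in the AllowEAPCertSSO description that separated the path used to set the policy (`./User/Vendor/MSFT/Policy/Config/Authentication/AllowEAPCertSSO`) from the path used to read back the result (`./User/Vendor/MSFT/Policy/Result/Authentication/AllowEAPCertSSO`). For an authentication setting, the read-back path is what an admin uses to confirm that certificate-based SSO is actually in the intended state. If the general Policy CSP topic now explains the Config/Result split, link to it from this description instead of dropping the information.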

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10 ms.prod: w10
ms.technology: windows ms.technology: windows
author: nickbrower author: nickbrower
ms.date: 09/29/2017 ms.date: 10/10/2017
--- ---
# Policy CSP - Browser # Policy CSP - Browser
@ -231,7 +231,7 @@ ms.date: 09/29/2017
<p style="margin-left: 20px">To verify AllowAutofill is set to 0 (not allowed): <p style="margin-left: 20px">To verify AllowAutofill is set to 0 (not allowed):
1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile. 1. Open Microsoft Edge.
2. In the upper-right corner of the browser, click **…**. 2. In the upper-right corner of the browser, click **…**.
3. Click **Settings** in the drop down list, and select **View Advanced Settings**. 3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
4. Verify the setting **Save form entries** is greyed out. 4. Verify the setting **Save form entries** is greyed out.
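Review bot: Step 1 drops "Microsoft Edge for Windows 10 Mobile", but the hunk does not show any matching change to the SKU table for AllowAutofill. If the policy still applies to the Mobile SKUs, the page now has no verification procedure for them. Either keep a mobile step or state that this check is for desktop only. Minor style point on the context lines while this list is being edited: "drop down list" in step 3 should read "drop-down list".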
@ -1177,8 +1177,8 @@ Employees cannot remove these search engines, but they can set any one as the de
<td></td> <td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td> <td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td> <td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td> <td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td> <td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr> </tr>
</table> </table>
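Review bot: The unchanged `<td></td>` at the top of the visible part of this row has neither a check mark nor a cross mark image, so after the last two cells are flipped to `crossmark.png` the row still has one column whose support status a reader cannot determine. Fill that cell in the same change. The hunk context also does not show which policy this table belongs to, so please name the policy in the commit message. This is a support-matrix change and the only other trace of it is the `ms.date` bump to 10/10/2017.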

View File

@ -736,13 +736,6 @@ ms.date: 09/29/2017
<p style="margin-left: 20px">This policy allows IT admins to turn on experiences that are typically for consumers only, such as Start suggestions, Membership notifications, Post-OOBE app install and redirect tiles. <p style="margin-left: 20px">This policy allows IT admins to turn on experiences that are typically for consumers only, such as Start suggestions, Membership notifications, Post-OOBE app install and redirect tiles.
> [!IMPORTANT]
> This node must be accessed using the following paths:
>
> - **./User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsConsumerFeatures** to set the policy.
> - **./User/Vendor/MSFT/Policy/Result/Experience/AllowWindowsConsumerFeatures** to get the result.
 
<p style="margin-left: 20px">The following list shows the supported values: <p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed. - 0 Not allowed.

View File

@ -110,9 +110,6 @@ ms.date: 09/29/2017
<dd> <dd>
<a href="#internetexplorer-disableadobeflash">InternetExplorer/DisableAdobeFlash</a> <a href="#internetexplorer-disableadobeflash">InternetExplorer/DisableAdobeFlash</a>
</dd> </dd>
<dd>
<a href="#internetexplorer-disableblockingofoutdatedactivexcontrols">InternetExplorer/DisableBlockingOfOutdatedActiveXControls</a>
</dd>
<dd> <dd>
<a href="#internetexplorer-disablebypassofsmartscreenwarnings">InternetExplorer/DisableBypassOfSmartScreenWarnings</a> <a href="#internetexplorer-disablebypassofsmartscreenwarnings">InternetExplorer/DisableBypassOfSmartScreenWarnings</a>
</dd> </dd>
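Review bot: Removing the `<dd>` link to `#internetexplorer-disableblockingofoutdatedactivexcontrols` is only correct if the same policy is removed in three places: this table of contents, the body section that carries the `id`, and the list in the Policy CSP overview topic. Please confirm that no other `href="#internetexplorer-..."` on this page still points at one of the ids deleted in this commit. A dangling in-page anchor fails silently in the rendered doc.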
@ -287,9 +284,6 @@ ms.date: 09/29/2017
<dd> <dd>
<a href="#internetexplorer-internetzonenavigatewindowsandframes">InternetExplorer/InternetZoneNavigateWindowsAndFrames</a> <a href="#internetexplorer-internetzonenavigatewindowsandframes">InternetExplorer/InternetZoneNavigateWindowsAndFrames</a>
</dd> </dd>
<dd>
<a href="#internetexplorer-internetzonerunnetframeworkreliantcomponentsnotsignedwithauthenticode">InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsNotSignedWithAuthenticode</a>
</dd>
<dd> <dd>
<a href="#internetexplorer-internetzonerunnetframeworkreliantcomponentssignedwithauthenticode">InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode</a> <a href="#internetexplorer-internetzonerunnetframeworkreliantcomponentssignedwithauthenticode">InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode</a>
</dd> </dd>
@ -299,9 +293,6 @@ ms.date: 09/29/2017
<dd> <dd>
<a href="#internetexplorer-internetzoneusepopupblocker">InternetExplorer/InternetZoneUsePopupBlocker</a> <a href="#internetexplorer-internetzoneusepopupblocker">InternetExplorer/InternetZoneUsePopupBlocker</a>
</dd> </dd>
<dd>
<a href="#internetexplorer-internetzonewebsitesinlessprivilegedzonescannavigateintothiszone">InternetExplorer/InternetZoneWebsitesInLessPrivilegedZonesCanNavigateIntoThisZone</a>
</dd>
<dd> <dd>
<a href="#internetexplorer-intranetzoneallowaccesstodatasources">InternetExplorer/IntranetZoneAllowAccessToDataSources</a> <a href="#internetexplorer-intranetzoneallowaccesstodatasources">InternetExplorer/IntranetZoneAllowAccessToDataSources</a>
</dd> </dd>
@ -335,9 +326,6 @@ ms.date: 09/29/2017
<dd> <dd>
<a href="#internetexplorer-intranetzoneinitializeandscriptactivexcontrols">InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls</a> <a href="#internetexplorer-intranetzoneinitializeandscriptactivexcontrols">InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls</a>
</dd> </dd>
<dd>
<a href="#internetexplorer-intranetzoneinitializeandscriptactivexcontrolsnotmarkedsafe">InternetExplorer/IntranetZoneInitializeAndScriptActiveXControlsNotMarkedSafe</a>
</dd>
<dd> <dd>
<a href="#internetexplorer-intranetzonejavapermissions">InternetExplorer/IntranetZoneJavaPermissions</a> <a href="#internetexplorer-intranetzonejavapermissions">InternetExplorer/IntranetZoneJavaPermissions</a>
</dd> </dd>
@ -689,9 +677,6 @@ ms.date: 09/29/2017
<dd> <dd>
<a href="#internetexplorer-restrictedsiteszonenavigatewindowsandframes">InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames</a> <a href="#internetexplorer-restrictedsiteszonenavigatewindowsandframes">InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames</a>
</dd> </dd>
<dd>
<a href="#internetexplorer-restrictedsiteszonenavigatewindowsandframesacrossdomains">InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFramesAcrossDomains</a>
</dd>
<dd> <dd>
<a href="#internetexplorer-restrictedsiteszonerunactivexcontrolsandplugins">InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins</a> <a href="#internetexplorer-restrictedsiteszonerunactivexcontrolsandplugins">InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins</a>
</dd> </dd>
@ -707,9 +692,6 @@ ms.date: 09/29/2017
<dd> <dd>
<a href="#internetexplorer-restrictedsiteszoneshowsecuritywarningforpotentiallyunsafefiles">InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles</a> <a href="#internetexplorer-restrictedsiteszoneshowsecuritywarningforpotentiallyunsafefiles">InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles</a>
</dd> </dd>
<dd>
<a href="#internetexplorer-restrictedsiteszoneturnoncrosssitescriptingfilter">InternetExplorer/RestrictedSitesZoneTurnOnCrossSiteScriptingFilter</a>
</dd>
<dd> <dd>
<a href="#internetexplorer-restrictedsiteszoneturnonprotectedmode">InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode</a> <a href="#internetexplorer-restrictedsiteszoneturnonprotectedmode">InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode</a>
</dd> </dd>
@ -758,18 +740,9 @@ ms.date: 09/29/2017
<dd> <dd>
<a href="#internetexplorer-trustedsiteszonedonotrunantimalwareagainstactivexcontrols">InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls</a> <a href="#internetexplorer-trustedsiteszonedonotrunantimalwareagainstactivexcontrols">InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls</a>
</dd> </dd>
<dd>
<a href="#internetexplorer-trustedsiteszonedontrunantimalwareprogramsagainstactivexcontrols">InternetExplorer/TrustedSitesZoneDontRunAntimalwareProgramsAgainstActiveXControls</a>
</dd>
<dd> <dd>
<a href="#internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrols">InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls</a> <a href="#internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrols">InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls</a>
</dd> </dd>
<dd>
<a href="#internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrolsnotmarkedassafe">InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedAsSafe</a>
</dd>
<dd>
<a href="#internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrolsnotmarkedsafe">InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedSafe</a>
</dd>
<dd> <dd>
<a href="#internetexplorer-trustedsiteszonejavapermissions">InternetExplorer/TrustedSitesZoneJavaPermissions</a> <a href="#internetexplorer-trustedsiteszonejavapermissions">InternetExplorer/TrustedSitesZoneJavaPermissions</a>
</dd> </dd>
@ -2636,61 +2609,6 @@ ADMX Info:
- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management* - GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management*
- GP ADMX file name: *inetres.admx* - GP ADMX file name: *inetres.admx*
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="internetexplorer-disableblockingofoutdatedactivexcontrols"></a>**InternetExplorer/DisableBlockingOfOutdatedActiveXControls**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<!--EndDescription-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--StartADMX-->
ADMX Info:
- GP English name: *Turn off blocking of outdated ActiveX controls for Internet Explorer*
- GP name: *VerMgmtDisable*
- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management*
- GP ADMX file name: *inetres.admx*
<!--EndADMX--> <!--EndADMX-->
<!--EndPolicy--> <!--EndPolicy-->
<hr/> <hr/>
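Review bot: The deleted section's `id="internetexplorer-disableblockingofoutdatedactivexcontrols"` anchor is removed with it, so any topic that links to `policy-csp-internetexplorer.md#internetexplorer-disableblockingofoutdatedactivexcontrols` will now land at the top of the page with no explanation. The section had an empty body between `<!--StartDescription-->` and `<!--EndDescription-->`, and it mapped the node to the GP setting *Turn off blocking of outdated ActiveX controls for Internet Explorer* (`VerMgmtDisable`). That setting weakens a protection, so admins auditing for it need to know whether the MDM node is gone or only undocumented. Please add a line to the CSP change history that says which.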
@ -6090,61 +6008,6 @@ ADMX Info:
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx* - GP ADMX file name: *inetres.admx*
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="internetexplorer-internetzonerunnetframeworkreliantcomponentsnotsignedwithauthenticode"></a>**InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsNotSignedWithAuthenticode**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<!--EndDescription-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--StartADMX-->
ADMX Info:
- GP English name: *Run .NET Framework-reliant components not signed with Authenticode*
- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
<!--EndADMX--> <!--EndADMX-->
<!--EndPolicy--> <!--EndPolicy-->
<hr/> <hr/>
@ -6310,61 +6173,6 @@ ADMX Info:
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx* - GP ADMX file name: *inetres.admx*
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="internetexplorer-internetzonewebsitesinlessprivilegedzonescannavigateintothiszone"></a>**InternetExplorer/InternetZoneWebsitesInLessPrivilegedZonesCanNavigateIntoThisZone**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<!--EndDescription-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--StartADMX-->
ADMX Info:
- GP English name: *Web sites in less privileged Web content zones can navigate into this zone*
- GP name: *IZ_PolicyZoneElevationURLaction_1*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
<!--EndADMX--> <!--EndADMX-->
<!--EndPolicy--> <!--EndPolicy-->
<hr/> <hr/>
@ -7052,61 +6860,6 @@ ADMX Info:
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx* - GP ADMX file name: *inetres.admx*
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="internetexplorer-intranetzoneinitializeandscriptactivexcontrolsnotmarkedsafe"></a>**InternetExplorer/IntranetZoneInitializeAndScriptActiveXControlsNotMarkedSafe**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<!--EndDescription-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--StartADMX-->
ADMX Info:
- GP English name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_3*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
<!--EndADMX--> <!--EndADMX-->
<!--EndPolicy--> <!--EndPolicy-->
<hr/> <hr/>
@ -14180,61 +13933,6 @@ ADMX Info:
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx* - GP ADMX file name: *inetres.admx*
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="internetexplorer-restrictedsiteszonenavigatewindowsandframesacrossdomains"></a>**InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFramesAcrossDomains**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<!--EndDescription-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--StartADMX-->
ADMX Info:
- GP English name: *Navigate windows and frames across different domains*
- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_7*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
<!--EndADMX--> <!--EndADMX-->
<!--EndPolicy--> <!--EndPolicy-->
<hr/> <hr/>
@ -14510,61 +14208,6 @@ ADMX Info:
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx* - GP ADMX file name: *inetres.admx*
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="internetexplorer-restrictedsiteszoneturnoncrosssitescriptingfilter"></a>**InternetExplorer/RestrictedSitesZoneTurnOnCrossSiteScriptingFilter**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<!--EndDescription-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--StartADMX-->
ADMX Info:
- GP English name: *Turn on Cross-Site Scripting Filter*
- GP name: *IZ_PolicyTurnOnXSSFilter_Both_Restricted*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
<!--EndADMX--> <!--EndADMX-->
<!--EndPolicy--> <!--EndPolicy-->
<hr/> <hr/>
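Review bot: The removed InternetExplorer/RestrictedSitesZoneTurnOnCrossSiteScriptingFilter block carries the anchor id `internetexplorer-restrictedsiteszoneturnoncrosssitescriptingfilter`, so any policy index entry or cross-link pointing at that anchor will break once this lands; remove or redirect those in the same change. The block was also deleted with an empty description (nothing between StartDescription and EndDescription), so nothing on the page records why the XSS filter setting for the Restricted Sites zone is no longer documented. If the policy is unsupported, say so in the change history.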
@ -15522,61 +15165,6 @@ ADMX Info:
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx* - GP ADMX file name: *inetres.admx*
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="internetexplorer-trustedsiteszonedontrunantimalwareprogramsagainstactivexcontrols"></a>**InternetExplorer/TrustedSitesZoneDontRunAntimalwareProgramsAgainstActiveXControls**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<!--EndDescription-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--StartADMX-->
ADMX Info:
- GP English name: *Don't run antimalware programs against ActiveX controls*
- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_5*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
<!--EndADMX--> <!--EndADMX-->
<!--EndPolicy--> <!--EndPolicy-->
<hr/> <hr/>
@ -15642,116 +15230,6 @@ ADMX Info:
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* - GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx* - GP ADMX file name: *inetres.admx*
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrolsnotmarkedassafe"></a>**InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedAsSafe**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<!--EndDescription-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--StartADMX-->
ADMX Info:
- GP English name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_5*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrolsnotmarkedsafe"></a>**InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedSafe**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<!--EndDescription-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--StartADMX-->
ADMX Info:
- GP English name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_5*
- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
<!--EndADMX--> <!--EndADMX-->
<!--EndPolicy--> <!--EndPolicy-->
<hr/> <hr/>
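Review bot: The two entries removed here, TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedAsSafe and TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedSafe, both map to the same GP name, IZ_PolicyScriptActiveXNotMarkedSafe_5, so they look like duplicates of one policy under two spellings. This hunk deletes both rather than one; confirm that a canonical entry for this Trusted Sites zone setting remains elsewhere in the file, and that the two anchor ids are not still referenced from the policy list.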

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10 ms.prod: w10
ms.technology: windows ms.technology: windows
author: nickbrower author: nickbrower
ms.date: 09/29/2017 ms.date: 10/05/2017
--- ---
# Policy CSP - LocalPoliciesSecurityOptions # Policy CSP - LocalPoliciesSecurityOptions
@ -999,17 +999,17 @@ This policy setting controls the behavior of the elevation prompt for administra
The options are: The options are:
• Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments. - 0 - Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments.
• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. - 1 - Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege.
• Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. - 2 - Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
• Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - 3 - Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
• Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. - 4 - Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
• Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. - 5 - Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
Value type is integer. Supported operations are Add, Get, Replace, and Delete. Value type is integer. Supported operations are Add, Get, Replace, and Delete.
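Review bot: On the `0 - Elevate without prompting` item, the caution stays inline as "Note: Use this option only in the most constrained environments", which is easy to miss now that the list reads as a value table. Since 0 lets privileged accounts elevate without consent or credentials, move that sentence into a callout like the `[!IMPORTANT]` blocks used elsewhere in these files. The default marker also sits after the option name here ("5 - Prompt for consent for non-Windows binaries: (Default)"), so pick one position for it and use it in every value list.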
@ -1057,11 +1057,11 @@ This policy setting controls the behavior of the elevation prompt for standard u
The options are: The options are:
• Prompt for credentials: (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - 3 - Prompt for credentials: (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
• Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. - 0 - Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls.
• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - 1 - Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
Value type is integer. Supported operations are Add, Get, Replace, and Delete. Value type is integer. Supported operations are Add, Get, Replace, and Delete.
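Review bot: The values in this list appear in the order 3, 0, 1, which is hard to scan and inconsistent with the 0 to 5 ordering used for the administrator prompt in the previous hunk; sort them numerically and keep "(Default)" on 3. There is no entry for 2, so state in the text that 0, 1 and 3 are the only supported values if that is intended.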

View File

@ -64,13 +64,6 @@ ms.date: 09/29/2017
<!--StartDescription--> <!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1607. Boolean value that turns off notification mirroring. <p style="margin-left: 20px">Added in Windows 10, version 1607. Boolean value that turns off notification mirroring.
> [!IMPORTANT]
> This node must be accessed using the following paths:
>
> - **./User/Vendor/MSFT/Policy/Config/Notifications/DisallowNotificationMirroring** to set the policy.
> - **./User/Vendor/MSFT/Policy/Result/Notifications/DisallowNotificationMirroring** to get the result.
<p style="margin-left: 20px">For each user logged into the device, if you enable this policy (set value to 1) the app and system notifications received by this user on this device will not get mirrored to other devices of the same logged in user. If you disable or do not configure this policy (set value to 0) the notifications received by this user on this device will be mirrored to other devices of the same logged in user. This feature can be turned off by apps that do not want to participate in Notification Mirroring. This feature can also be turned off by the user in the Cortana setting page. <p style="margin-left: 20px">For each user logged into the device, if you enable this policy (set value to 1) the app and system notifications received by this user on this device will not get mirrored to other devices of the same logged in user. If you disable or do not configure this policy (set value to 0) the notifications received by this user on this device will be mirrored to other devices of the same logged in user. This feature can be turned off by apps that do not want to participate in Notification Mirroring. This feature can also be turned off by the user in the Cortana setting page.
<p style="margin-left: 20px">No reboot or service restart is required for this policy to take effect. <p style="margin-left: 20px">No reboot or service restart is required for this policy to take effect.
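Review bot: Removing the `[!IMPORTANT]` block takes out the only lines in this description that give the ./User/Vendor/MSFT/Policy/Config/Notifications/DisallowNotificationMirroring and .../Result/... paths, while the remaining text still describes per-user behaviour ("For each user logged into the device"). Add a pointer to the Policy scope section in its place so readers can still tell that this node is user-scoped and where to set and read it.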

View File

@ -1536,15 +1536,7 @@ ms.date: 09/29/2017
<!--EndScope--> <!--EndScope-->
<!--StartDescription--> <!--StartDescription-->
> [!IMPORTANT] > [!IMPORTANT]
> This node is set on a per-user basis and must be accessed using the following paths: > Added in Windows 10 version 1703: In addition to being able to set this node on a per user-basis, it can now also be set on a per-device basis. For more information, see [Policy scope](./policy-configuration-service-provider.md#policy-scope)
> - **./User/Vendor/MSFT/Policy/Config/Start/StartLayout** to configure the policy.
> - **./User/Vendor/MSFT/Policy/Result/Start/StartLayout** to query the current value of the policy.
>
>
> Added in Windows 10 version 1703: In addition to being able to set this node on a per user-basis, it can now also be set on a per-device basis using the following paths:
> - **./Device/Vendor/MSFT/Policy/Config/Start/StartLayout** to configure the policy.
> - **./Device/Vendor/MSFT/Policy/Result/Start/StartLayout** to query the current value of the policy.
<p style="margin-left: 20px">Allows you to override the default Start layout and prevents the user from changing it. If both user and device policies are set, the user policy will be used. Apps pinned to the taskbar can also be changed with this policy <p style="margin-left: 20px">Allows you to override the default Start layout and prevents the user from changing it. If both user and device policies are set, the user policy will be used. Apps pinned to the taskbar can also be changed with this policy
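Review bot: In the rewritten `[!IMPORTANT]` line, "per user-basis" should be "per-user basis" to match "per-device basis" in the same sentence, and the sentence has no final period after the Policy scope link. With the explicit ./User and ./Device paths for Start/StartLayout removed, that link is the only guidance left, so check that the linked section actually shows both path forms for Config and Result.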

View File

@ -234,7 +234,12 @@ ms.date: 09/29/2017
<!--EndScope--> <!--EndScope-->
<!--StartDescription--> <!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. <p style="margin-left: 20px">Added in Windows 10, version 1703. Setting this policy controls whether or not the wireless display can send input&#8212;keyboard, mouse, pen, and touch input if the display supports it&#8212;back to the source device.
<p style="margin-left: 20px">Allowed values:
- 0 - Wireless display input disabled.
- 1 (default) - Wireless display input enabled.
<!--EndDescription--> <!--EndDescription-->
<!--EndPolicy--> <!--EndPolicy-->

View File

@ -110,6 +110,9 @@ The following are valid edition upgrade paths when using this node through an MD
- Windows 10 Mobile to Windows 10 Mobile Enterprise - Windows 10 Mobile to Windows 10 Mobile Enterprise
> [!Warning]
> Edition upgrades do not support Volume Licence (VL) keys.
<a href="" id="licensekeytype"></a>**LicenseKeyType** <a href="" id="licensekeytype"></a>**LicenseKeyType**
Returns the parameter type used by Windows 10 devices for an edition upgrade, activation, or product key change. Returns the parameter type used by Windows 10 devices for an edition upgrade, activation, or product key change.
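Review bot: In the added warning, "Volume Licence (VL) keys" uses the British spelling while the node documented directly below is LicenseKeyType; use "Volume License" so a search for the term finds this warning. The callout tag is written `[!Warning]`, whereas the other callouts in this commit are upper case (`[!IMPORTANT]`, `[!TIP]`); match that casing.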

View File

@ -40,7 +40,7 @@ These are the top Microsoft Support solutions for the most common issues experie
- [Resolve Windows 10 upgrade errors : Technical information for IT Pros](/windows/deployment/upgrade/resolve-windows-10-upgrade-errors) - [Resolve Windows 10 upgrade errors : Technical information for IT Pros](/windows/deployment/upgrade/resolve-windows-10-upgrade-errors)
- [Windows OOBE fails when you start a new Windows-based computer for the first time](https://support.microsoft.com/help/4020048/windows-oobe-fails-when-you-start-a-new-windows-based-computer-for-the) - [Windows OOBE fails when you start a new Windows-based computer for the first time](https://support.microsoft.com/help/4020048/windows-oobe-fails-when-you-start-a-new-windows-based-computer-for-the)
- ["0xc1800118" error when you push Windows 10 Version 1607 by using WSUS](https://support.microsoft.com/help/3194588/-0xc1800118-error-when-you-push-windows-10-version-1607-by-using-wsus) - ["0xc1800118" error when you push Windows 10 Version 1607 by using WSUS](https://support.microsoft.com/help/3194588/-0xc1800118-error-when-you-push-windows-10-version-1607-by-using-wsus)
- [0xC1900101 error when Windows 10 upgrade fails after the second system restart'(https://support.microsoft.com/help/3208485/0xc1900101-error-when-windows-10-upgrade-fails-after-the-second-system) - [0xC1900101 error when Windows 10 upgrade fails after the second system restart](https://support.microsoft.com/help/3208485/0xc1900101-error-when-windows-10-upgrade-fails-after-the-second-system)
- [Updates fix in-place upgrade to Windows 10 version 1607 problem](https://support.microsoft.com/help/4020149/updates-fix-in-place-upgrade-to-windows-10-version-1607-problem) - [Updates fix in-place upgrade to Windows 10 version 1607 problem](https://support.microsoft.com/help/4020149/updates-fix-in-place-upgrade-to-windows-10-version-1607-problem)
- [OOBE update for Windows 10 Version 1703: May 9, 2017](https://support.microsoft.com/help/4020008) - [OOBE update for Windows 10 Version 1703: May 9, 2017](https://support.microsoft.com/help/4020008)
- [OOBE update for Windows 10 Version 1607: May 30, 2017](https://support.microsoft.com/help/4022632) - [OOBE update for Windows 10 Version 1607: May 30, 2017](https://support.microsoft.com/help/4022632)

View File

@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library ms.sitesec: library
author: eross-msft author: eross-msft
ms.localizationpriority: high ms.localizationpriority: high
ms.author: lizross
--- ---
# Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in your organization # Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in your organization

View File

@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library ms.sitesec: library
author: eross-msft author: eross-msft
ms.localizationpriority: high ms.localizationpriority: high
ms.author: lizross
--- ---
# Send feedback about Cortana at work back to Microsoft # Send feedback about Cortana at work back to Microsoft

View File

@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library ms.sitesec: library
author: eross-msft author: eross-msft
ms.localizationpriority: high ms.localizationpriority: high
ms.author: lizross
--- ---
# Set up and test Cortana with Office 365 in your organization # Set up and test Cortana with Office 365 in your organization

View File

@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library ms.sitesec: library
author: eross-msft author: eross-msft
ms.localizationpriority: high ms.localizationpriority: high
ms.author: lizross
--- ---
# Cortana integration in your business or enterprise # Cortana integration in your business or enterprise

View File

@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library ms.sitesec: library
author: eross-msft author: eross-msft
ms.localizationpriority: high ms.localizationpriority: high
ms.author: lizross
--- ---
# Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization # Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization

View File

@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library ms.sitesec: library
author: eross-msft author: eross-msft
ms.localizationpriority: high ms.localizationpriority: high
ms.author: lizross
--- ---
# Set up and test Cortana for Power BI in your organization # Set up and test Cortana for Power BI in your organization

View File

@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library ms.sitesec: library
author: eross-msft author: eross-msft
ms.localizationpriority: high ms.localizationpriority: high
ms.author: lizross
--- ---
# Test scenario 1 - Sign-in to Azure AD and use Cortana to manage the notebook # Test scenario 1 - Sign-in to Azure AD and use Cortana to manage the notebook

View File

@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library ms.sitesec: library
author: eross-msft author: eross-msft
ms.localizationpriority: high ms.localizationpriority: high
ms.author: lizross
--- ---
# Test scenario 2 - Perform a quick search with Cortana at work # Test scenario 2 - Perform a quick search with Cortana at work

View File

@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library ms.sitesec: library
author: eross-msft author: eross-msft
ms.localizationpriority: high ms.localizationpriority: high
ms.author: lizross
--- ---
# Test scenario 3 - Set a reminder for a specific location using Cortana at work # Test scenario 3 - Set a reminder for a specific location using Cortana at work

View File

@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library ms.sitesec: library
author: eross-msft author: eross-msft
ms.localizationpriority: high ms.localizationpriority: high
ms.author: lizross
--- ---
# Test scenario 4 - Use Cortana at work to find your upcoming meetings # Test scenario 4 - Use Cortana at work to find your upcoming meetings

View File

@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library ms.sitesec: library
author: eross-msft author: eross-msft
ms.localizationpriority: high ms.localizationpriority: high
ms.author: lizross
--- ---
# Test scenario 5 - Use Cortana to send email to a co-worker # Test scenario 5 - Use Cortana to send email to a co-worker

View File

@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library ms.sitesec: library
author: eross-msft author: eross-msft
ms.localizationpriority: high ms.localizationpriority: high
ms.author: lizross
--- ---
# Test scenario 6 - Review a reminder suggested by Cortana based on what youve promised in email # Test scenario 6 - Review a reminder suggested by Cortana based on what youve promised in email

View File

@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library ms.sitesec: library
author: eross-msft author: eross-msft
ms.localizationpriority: high ms.localizationpriority: high
ms.author: lizross
--- ---
# Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organizations data on a device # Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organizations data on a device

View File

@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library ms.sitesec: library
author: eross-msft author: eross-msft
ms.localizationpriority: high ms.localizationpriority: high
ms.author: lizross
--- ---
# Testing scenarios using Cortana in your business or organization # Testing scenarios using Cortana in your business or organization

View File

@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library ms.sitesec: library
author: eross-msft author: eross-msft
ms.localizationpriority: high ms.localizationpriority: high
ms.author: lizross
--- ---
# Set up and test custom voice commands in Cortana for your organization # Set up and test custom voice commands in Cortana for your organization

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
localizationpriority: high localizationpriority: high
ms.sitesec: library ms.sitesec: library
ms.pagetype: mdt ms.pagetype: mdt
ms.date: 08/23/2017 ms.date: 10/10/2017
author: greg-lindsay author: greg-lindsay
--- ---
@ -22,7 +22,7 @@ This topic describes how to deploy Windows 10 Enterprise E3 or E5 licenses with
If you are an EA customer with an existing Office 365 tenant, use the following steps to enable Windows 10 Subscription licenses on your existing tenant: If you are an EA customer with an existing Office 365 tenant, use the following steps to enable Windows 10 Subscription licenses on your existing tenant:
1. Work with your reseller to place an order for $0 SKU. There are two SKUs available, depending on their current Windows Enterprise SA license:<BR> 1. Work with your reseller to place an order for one $0 SKU per user. There are two SKUs available, depending on their current Windows Enterprise SA license:<BR>
a. **AAA-51069** - Win10UsrOLSActv Alng MonthlySub Addon E3<BR> a. **AAA-51069** - Win10UsrOLSActv Alng MonthlySub Addon E3<BR>
b. **AAA-51068** - Win10UsrOLSActv Alng MonthlySub Addon E5<BR> b. **AAA-51068** - Win10UsrOLSActv Alng MonthlySub Addon E5<BR>
2. After placing an order, the OLS admin on the agreement will receive a service activation email, indicating their subscription licenses have been provisioned on the tenant. 2. After placing an order, the OLS admin on the agreement will receive a service activation email, indicating their subscription licenses have been provisioned on the tenant.
@ -74,9 +74,9 @@ The following methods are available to assign licenses:
Now that your subscription has been established and Windows 10 Enterprise E3 or E5 licenses have been assigned to users, the users are ready to upgrade their devices running Windows 10 Pro, version 1703 edition to Windows 10 Enterprise edition. So what will the users experience? How will they upgrade their devices? Now that your subscription has been established and Windows 10 Enterprise E3 or E5 licenses have been assigned to users, the users are ready to upgrade their devices running Windows 10 Pro, version 1703 edition to Windows 10 Enterprise edition. So what will the users experience? How will they upgrade their devices?
### Step 1: Join users devices to Azure AD ### Step 1: Join Windows 10 Pro devices to Azure AD
Users can join a device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1703. Users can join a Windows 10 Pro device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1703.
**To join a device to Azure AD the first time the device is started** **To join a device to Azure AD the first time the device is started**
@ -125,7 +125,18 @@ Now the device is Azure AD joined to the companys subscription.
Now the device is Azure AD joined to the companys subscription. Now the device is Azure AD joined to the companys subscription.
### Step 2: Sign in using Azure AD account ### Step 2: Verify that Pro edition is activated
Windows 10 Pro just be successfully activated in **Settings &gt; Update & Security &gt; Activation**, as illustrated in **Figure 7a**.
<span id="win-10-pro-activated"/>
<img src="images/sa-pro-activation.png" alt="Windows 10 Pro activated" width="710" height="440" />
<BR>**Figure 7a - Windows 10 Pro activation in Settings** <BR>
Windows 10 Pro activation is required before Enterprise E3 or E5 can be enabled.
### Step 3: Sign in using Azure AD account
Once the device is joined to your Azure AD subscription, the user will sign in by using his or her Azure AD account, as illustrated in **Figure 8**. The Windows 10 Enterprise E3 or E5 license associated with the user will enable Windows 10 Enterprise edition capabilities on the device. Once the device is joined to your Azure AD subscription, the user will sign in by using his or her Azure AD account, as illustrated in **Figure 8**. The Windows 10 Enterprise E3 or E5 license associated with the user will enable Windows 10 Enterprise edition capabilities on the device.
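Review bot: In the new Step 2, "Windows 10 Pro just be successfully activated" should read "must be", otherwise the sentence no longer states the requirement that the closing line ("Windows 10 Pro activation is required before Enterprise E3 or E5 can be enabled") depends on. `<span id="win-10-pro-activated"/>` is a self-closing span, which HTML parsers treat as an unclosed open tag; write `<span id="win-10-pro-activated"></span>`. The caption "Figure 7a - Windows 10 Pro activation in Settings" also uses a different separator from "Figure 8. Sign in by using Azure AD account" below.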
@ -133,7 +144,7 @@ Once the device is joined to your Azure AD subscription, the user will sign in b
**Figure 8. Sign in by using Azure AD account** **Figure 8. Sign in by using Azure AD account**
### Step 3: Verify that Enterprise edition is enabled ### Step 4: Verify that Enterprise edition is enabled
You can verify the Windows 10 Enterprise E3 or E5 subscription in **Settings &gt; Update & Security &gt; Activation**, as illustrated in **Figure 9**. You can verify the Windows 10 Enterprise E3 or E5 subscription in **Settings &gt; Update & Security &gt; Activation**, as illustrated in **Figure 9**.

Binary file not shown. Size after: 44 KiB

View File

@ -6,7 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library ms.sitesec: library
author: DaniHalfin author: DaniHalfin
ms.author: daniha ms.author: daniha
ms.date: 07/27/2017 ms.date: 10/10/2017
--- ---
# Change history for Update Windows 10 # Change history for Update Windows 10
@ -15,6 +15,12 @@ This topic lists new and updated topics in the [Update Windows 10](index.md) doc
>If you're looking for **update history** for Windows 10, see [Windows 10 and Windows Server 2016 update history](https://support.microsoft.com/help/12387/windows-10-update-history). >If you're looking for **update history** for Windows 10, see [Windows 10 and Windows Server 2016 update history](https://support.microsoft.com/help/12387/windows-10-update-history).
## September 2017
| New or changed topic | Description |
| --- | --- |
| [Olympia Corp](olympia/olympia-enrollment-guidelines.md) | New |
## July 2017 ## July 2017
All topics were updated to reflect the new [naming changes](waas-overview.md#naming-changes). All topics were updated to reflect the new [naming changes](waas-overview.md#naming-changes).
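Review bot: The added "September 2017" table lists Olympia Corp as "New", yet this commit moves this page's ms.date to 10/10/2017 and, in a later file, retitles and extends the Olympia topic under the same date. If the October rewrite is what readers should notice, add an "October 2017" section with an "Updated" entry; if the September row is a late backfill for the original topic, say so in the commit message.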

View File

@ -6,10 +6,30 @@ ms.topic: article
ms.prod: w10 ms.prod: w10
ms.technology: windows ms.technology: windows
author: nickbrower author: nickbrower
ms.date: 09/14/2017 ms.date: 10/10/2017
--- ---
# Olympia Corp enrollment guidelines # Olympia Corp
## What is Windows Insider Lab for Enterprise and Olympia Corp?
Windows Insider Lab for Enterprise is intended for Windows Insiders who want to try new experimental and pre-release Enterprise Privacy and Security features*. To get the complete experience of these Enterprise features, Olympia Corp, a virtual corporation has been set up to reflect the IT infrastructure of real world business. Selected customers are invited to join Olympia Corp and try these features.
As an Olympia user, you will have an opportunity to:
- Use various Enterprise features like WIP (Windows Information Protection), ATP (Advanced Threat Protection), WDAG (Windows Defender Application Guard), and APP-V (Application virtualization).
- Learn how Microsoft is preparing for GDPR, as well as enabling enterprise customers to prepare for their own readiness.
- Validate and test pre-release software in your environment.
- Provide feedback.
- Interact with engineering team members through a variety of communication channels.
\* Enterprise features may have reduced, or different security, privacy, accessibility, availability, and reliability standards relative to commercially provided services and software. We may change or discontinue any of the Enterprise features at any time without notice.
For more information about Olympia Corp, please see [https://olympia.windows.com/Info/FAQ](https://olympia.windows.com/Info/FAQ).
To request an Olympia Corp account, please fill out the survey at [https://aka.ms/RegisterOlympia](https://aka.ms/RegisterOlympia).
## Enrollment guidelines
Welcome to Olympia Corp. Here are the steps to add your account to your PC. Welcome to Olympia Corp. Here are the steps to add your account to your PC.
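Review bot: The warning that these features "may have reduced, or different security, privacy, accessibility, availability, and reliability standards" sits in a footnote below the bullet list, after the reader has been told what an Olympia user can do, and the enrollment steps that follow ask for administrator rights on the PC. Move it into a note directly under the first paragraph so it is read before enrollment starts. The added wording also needs a pass: "Olympia Corp, a virtual corporation has been set up" lacks the closing comma, "real world business" should be "a real-world business", and "APP-V" is normally written "App-V".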
@ -23,7 +43,7 @@ Choose one of the following two enrollment options:
<a id="enrollment-keep-current-edition"></a> <a id="enrollment-keep-current-edition"></a>
## Keep your current Windows 10 edition ### Keep your current Windows 10 edition
1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your PC (see [local administrator](https://support.microsoft.com/en-us/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)). 1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your PC (see [local administrator](https://support.microsoft.com/en-us/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)).
@ -57,7 +77,7 @@ Choose one of the following two enrollment options:
<a id="enrollment-upgrade-to-enterprise"></a> <a id="enrollment-upgrade-to-enterprise"></a>
## Upgrade your Windows 10 edition from Pro to Enterprise ### Upgrade your Windows 10 edition from Pro to Enterprise
1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your PC (see [local administrator](https://support.microsoft.com/en-us/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)). 1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your PC (see [local administrator](https://support.microsoft.com/en-us/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)).

View File

@ -75,6 +75,7 @@ Telephone activation is primarily used in situations where a computer is isolate
**Note**   **Note**  
A specialized method, Token-based activation, is available for specific situations when approved customers rely on a public key infrastructure in a completely isolated, and usually high-security, environment. For more information, contact your Microsoft Account Team or your service representative. A specialized method, Token-based activation, is available for specific situations when approved customers rely on a public key infrastructure in a completely isolated, and usually high-security, environment. For more information, contact your Microsoft Account Team or your service representative.
Token-based Activation option is available for Windows 10 Enterprise LTSB editions (Version 1507 and 1607).
### Multiple activation key ### Multiple activation key
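Review bot: The added sentence "Token-based Activation option is available for Windows 10 Enterprise LTSB editions (Version 1507 and 1607)." follows the Note without making clear whether it belongs to it, and it leaves open whether other editions are excluded. Fold it into the Note, match the existing capitalisation ("Token-based activation"), write "versions 1507 and 1607", and state explicitly whether the option is limited to those editions.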

View File

@ -39,7 +39,7 @@ Windows AutoPilot allows you to:
### Prerequisites ### Prerequisites
* [Devices must be registered to the organization](#registering-devices-to-your-organization) * [Devices must be registered to the organization](#registering-devices-to-your-organization)
* Devices have to be pre-installed with Windows 10, version 1703 or later * Devices have to be pre-installed with Windows 10 Professional, Enterprise or Education, of version 1703 or later
* Devices must have access to the internet * Devices must have access to the internet
* [Azure AD Premium P1 or P2](https://www.microsoft.com/cloud-platform/azure-active-directory-features) * [Azure AD Premium P1 or P2](https://www.microsoft.com/cloud-platform/azure-active-directory-features)
* Microsoft Intune or other MDM services to manage your devices * Microsoft Intune or other MDM services to manage your devices
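Review bot: In the changed prerequisite, "Windows 10 Professional, Enterprise or Education, of version 1703 or later" is hard to parse, and "Professional" is not the edition name used in the other files of this commit ("Pro"). Suggest "Devices must be pre-installed with Windows 10 Pro, Enterprise, or Education, version 1703 or later".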

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
localizationpriority: high localizationpriority: high
ms.sitesec: library ms.sitesec: library
ms.pagetype: mdt ms.pagetype: mdt
ms.date: 08/23/2017 ms.date: 10/10/2017
author: greg-lindsay author: greg-lindsay
--- ---
@ -34,7 +34,7 @@ For information on how to deploy Windows 10 Enterprise licenses, see [Deploy Win
For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following: For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following:
- Windows 10 (Pro or Enterprise) version 1703 or later installed on the devices to be upgraded - Windows 10 (Pro or Enterprise) version 1703 or later installed and **activated** on the devices to be upgraded
- Azure Active Directory (Azure AD) available for identity management - Azure Active Directory (Azure AD) available for identity management
- Devices must be Azure AD-joined or Active Directory joined with Azure AD Connect. Workgroup-joined devices are not supported. - Devices must be Azure AD-joined or Active Directory joined with Azure AD Connect. Workgroup-joined devices are not supported.
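Review bot: The changed bullet now requires Windows 10 to be "installed and **activated**" but gives no way to check that. Another file in this commit adds a "Verify that Pro edition is activated" step with the anchor `win-10-pro-activated`; link to that step from this bullet so the requirement and its check stay together.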

View File

@ -16,19 +16,25 @@ author: brianlic-msft
For an overview of the process described in the following procedures, see [Deploy code integrity policies: policy rules and file rules](deploy-code-integrity-policies-policy-rules-and-file-rules.md). To understand how the deployment of code integrity policies fits with other steps in the Windows Defender Device Guard deployment process, see [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). For an overview of the process described in the following procedures, see [Deploy code integrity policies: policy rules and file rules](deploy-code-integrity-policies-policy-rules-and-file-rules.md). To understand how the deployment of code integrity policies fits with other steps in the Windows Defender Device Guard deployment process, see [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md).
## Create a code integrity policy from a golden computer ## Create a code integrity policy from a reference computer
The process for creating a golden code integrity policy from a reference system is straightforward. This section outlines the process that is required to successfully create a code integrity policy with Windows PowerShell. First, for this example, you must initiate variables to be used during the creation process. Rather than using variables, you can simply use the full file paths in the command. Next, you create the code integrity policy by scanning the system for installed applications. When created, the policy file is converted to binary format so that Windows can consume its contents. This section outlines the process to create a code integrity policy with Windows PowerShell.
For this example, you must initiate variables to be used during the creation process or use the full file paths in the command.
Then create the code integrity policy by scanning the system for installed applications.
The policy file is converted to binary format when it gets created so that Windows can interpret it.
> [!Note] > [!Note]
> Before you begin this procedure, make sure that the reference PC is virus and malware-free,and that any software you want to be scanned is installed on the system before creating the code integrity policy. > Make sure the reference computer is virus and malware-free, and install any software you want to be scanned before creating the code integrity policy.
### Scripting and applications ### Scripting and applications
Each installed software application should be validated as trustworthy before you create a policy. We recommend that you review the reference PC for software that can load arbitrary DLLs and run code or scripts that could render the PC more vulnerable. Examples include software aimed at development or scripting such as msbuild.exe (part of Visual Studio and the .NET Framework) which can be removed if you do not want it to run scripts. Each installed software application should be validated as trustworthy before you create a policy.
You can remove or disable such software on reference PCs used to create code integrity policies. You can also fine-tune your control by using Windows Defender Device Guard in combination with AppLocker, as described in [Windows Defender Device Guard with AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies#device-guard-with-applocker). We recommend that you review the reference computer for software that can load arbitrary DLLs and run code or scripts that could render the PC more vulnerable.
Examples include software aimed at development or scripting such as msbuild.exe (part of Visual Studio and the .NET Framework) which can be removed if you do not want it to run scripts.
You can remove or disable such software on the reference computer.
You can also fine-tune your control by [using Windows Defender Device Guard in combination with AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies#device-guard-with-applocker).
Members of the security community<sup>\*</sup> continuously collaborate with Microsoft® to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass Windows Defender Device Guard code integrity policies. Members of the security community<sup>\*</sup> continuously collaborate with Microsoft to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass Windows Defender Device Guard code integrity policies.
Unless your use scenarios explicitly require them, Microsoft recommends that you block the following applications. These applications or files can be used by an attacker to circumvent Application Whitelisting policies, including Windows Defender Device Guard: Unless your use scenarios explicitly require them, Microsoft recommends that you block the following applications. These applications or files can be used by an attacker to circumvent Application Whitelisting policies, including Windows Defender Device Guard:
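Review bot: In the rewritten introduction, "The policy file is converted to binary format when it gets created" reads as if the conversion happens automatically during creation, whereas the removed text described it as something done once the policy exists ("When created, the policy file is converted to binary format"). State the conversion as its own step. In the same paragraph "initiate variables" should be "initialize variables", and since the Note is being rewritten anyway, "virus and malware-free" can become "virus- and malware-free".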
@ -70,11 +76,17 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
<br /> <br />
>[!Note] >[!Note]
>This application list is fluid and will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered. >This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered.
Certain software applications may allow additional code to run by design. These types of applications should be blocked by your Windows Defender Device Guard policy. In addition, when an application version is upgraded to fix a security vulnerability or potential Windows Defender Device Guard bypass, you should add deny rules to your code integrity policies for that applications previous, less secure versions. Certain software applications may allow additional code to run by design.
These types of applications should be blocked by your Windows Defender Device Guard policy.
In addition, when an application version is upgraded to fix a security vulnerability or potential Windows Defender Device Guard bypass, you should add deny rules to your code integrity policies for that applications previous, less secure versions.
Microsoft recommends that you install the latest security updates. The June 2017 Windows updates resolve several issues in in-box PowerShell modules that allowed an attacker to bypass Windows Defender Device Guard code integrity policies. These modules cannot be blocked by name or version, and therefore must be blocked by their corresponding hashes. Microsoft recommends that you install the latest security updates.
The June 2017 Windows updates resolve several issues in PowerShell modules that allowed an attacker to bypass Windows Defender Device Guard code integrity policies.
These modules cannot be blocked by name or version, and therefore must be blocked by their corresponding hashes.
For October 2017, we are announcing an update to system.management.automation.dll in which we are revoking older versions by hash values, instead of version rules.
Microsoft recommends that you block the following Microsoft-signed applications and PowerShell files by merging the following policy into your existing policy to add these deny rules using the Merge-CIPolicy cmdlet: Microsoft recommends that you block the following Microsoft-signed applications and PowerShell files by merging the following policy into your existing policy to add these deny rules using the Merge-CIPolicy cmdlet:
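Review bot: The added October 2017 sentence ("we are announcing an update to system.management.automation.dll in which we are revoking older versions by hash values, instead of version rules") does not tell an administrator what to do or why the rule type changed. Say that the sample policy on this page now denies System.Management.Automation.dll by hash in place of the earlier version-based rule, and that the updated policy has to be merged again; use the file name casing from the policy XML and the page's "Microsoft recommends" voice instead of "we". The context line "that applications previous" is also missing its apostrophe.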
@ -94,9 +106,6 @@ Microsoft recommends that you block the following Microsoft-signed applications
<Rule> <Rule>
<Option>Enabled:Advanced Boot Options Menu</Option> <Option>Enabled:Advanced Boot Options Menu</Option>
</Rule> </Rule>
<Rule>
<Option>Required:Enforce Store Applications</Option>
</Rule>
<Rule> <Rule>
<Option>Enabled:UMCI</Option> <Option>Enabled:UMCI</Option>
</Rule> </Rule>
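Review bot: The removal of the `Required:Enforce Store Applications` option from the sample policy's rule list is not explained in any of the prose this commit changes. Anyone who copies the sample now gets a policy without that option, so add a sentence above the policy saying why it was dropped, or restore the rule.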
@ -123,43 +132,258 @@ Microsoft recommends that you block the following Microsoft-signed applications
<Deny ID="ID_DENY_FSI" FriendlyName="fsi.exe" FileName="fsi.exe" MinimumFileVersion = "65535.65535.65535.65535" /> <Deny ID="ID_DENY_FSI" FriendlyName="fsi.exe" FileName="fsi.exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_FSI_ANYCPU" FriendlyName="fsiAnyCpu.exe" FileName="fsiAnyCpu.exe" MinimumFileVersion = "65535.65535.65535.65535" /> <Deny ID="ID_DENY_FSI_ANYCPU" FriendlyName="fsiAnyCpu.exe" FileName="fsiAnyCpu.exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_MSHTA" FriendlyName="mshta.exe" FileName="mshta.exe" MinimumFileVersion = "65535.65535.65535.65535" /> <Deny ID="ID_DENY_MSHTA" FriendlyName="mshta.exe" FileName="mshta.exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_SMA" FriendlyName="System.Management.Automation.dll" FileName="System.Management.Automation.dll" MinimumFileVersion = "10.0.16215.999" /> <Deny ID="ID_DENY_VISUALUIAVERIFY" FriendlyName="visualuiaverifynative.exe" FileName="visualuiaverifynative.exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_D_1" FriendlyName="Powershell 1" Hash="02BE82F63EE962BCD4B8303E60F806F6613759C6" />
<Deny ID="ID_DENY_D_2" FriendlyName="Powershell 2" Hash="13765D9A16CC46B2113766822627F026A68431DF" />
<Deny ID="ID_DENY_D_3" FriendlyName="Powershell 3" Hash="148972F670E18790D62D753E01ED8D22B351A57E45544D88ACE380FEDAF24A40" />
<Deny ID="ID_DENY_D_4" FriendlyName="Powershell 4" Hash="29DF1D593D0D7AB365F02645E7EF4BCCA060763A" />
<Deny ID="ID_DENY_D_5" FriendlyName="Powershell 5" Hash="2E3C47BBE1BA99842EE187F756CA616EFED61B94" />
<Deny ID="ID_DENY_D_6" FriendlyName="Powershell 6" Hash="38DC1956313B160696A172074C6F5DA9852BF508F55AFB7FA079B98F2849AFB5" />
<Deny ID="ID_DENY_D_7" FriendlyName="Powershell 7" Hash="513B625EA507ED9CE83E2FB2ED4F3D586C2AA379" />
<Deny ID="ID_DENY_D_8" FriendlyName="Powershell 8" Hash="71FC552E66327EDAA72D72C362846BD80CB65EECFAE95C4D790C9A2330D95EE6" />
<Deny ID="ID_DENY_D_9" FriendlyName="Powershell 9" Hash="72E4EC687CFE357F3E681A7500B6FF009717A2E9538956908D3B52B9C865C189" />
<Deny ID="ID_DENY_D_10" FriendlyName="Powershell 10" Hash="74E207F539C4EAC648A5507EB158AEE9F6EA401E51808E83E73709CFA0820FDD" />
<Deny ID="ID_DENY_D_11" FriendlyName="Powershell 11" Hash="75288A0CF0806A68D8DA721538E64038D755BBE74B52F4B63FEE5049AE868AC0" />
<Deny ID="ID_DENY_D_12" FriendlyName="Powershell 12" Hash="7DB3AD53985C455990DD9847DE15BDB271E0C8D1" />
<Deny ID="ID_DENY_D_13" FriendlyName="Powershell 13" Hash="84BB081141DA50B3839CD275FF34854F53AECB96CA9AEB8BCD24355C33C1E73E" />
<Deny ID="ID_DENY_D_14" FriendlyName="Powershell 14" Hash="86DADE56A1DBAB6DDC2769839F89244693D319C6" />
<Deny ID="ID_DENY_D_15" FriendlyName="Powershell 15" Hash="BD3139CE7553AC7003C96304F08EAEC2CDB2CC6A869D36D6F1E478DA02D3AA16" />
<Deny ID="ID_DENY_D_16" FriendlyName="Powershell 16" Hash="BE3FFE10CDE8B62C3E8FD4D8198F272B6BD15364A33362BB07A0AFF6731DABA1" />
<Deny ID="ID_DENY_D_17" FriendlyName="Powershell 17" Hash="C1196433541B87D22CE2DD19AAAF133C9C13037A" />
<Deny ID="ID_DENY_D_18" FriendlyName="Powershell 18" Hash="C6C073A80A8E76DC13E724B5E66FE4035A19CCA0C1AF3FABBC18E5185D1B66CB" />
<Deny ID="ID_DENY_D_19" FriendlyName="Powershell 19" Hash="CE5EA2D29F9DD3F15CF3682564B0E765ED3A8FE1" />
<Deny ID="ID_DENY_D_20" FriendlyName="Powershell 20" Hash="D027E09D9D9828A87701288EFC91D240C0DEC2C3" />
<Deny ID="ID_DENY_D_21" FriendlyName="Powershell 21" Hash="D2CFC8F6729E510AE5BA9BECCF37E0B49DDF5E31" />
<Deny ID="ID_DENY_D_22" FriendlyName="Powershell 22" Hash="DED853481A176999723413685A79B36DD0F120F9" />
<Deny ID="ID_DENY_D_23" FriendlyName="Powershell 23" Hash="DFCD10EAA2A22884E0A41C4D9E6E8DA265321870" />
<Deny ID="ID_DENY_D_24" FriendlyName="Powershell 24" Hash="F16E605B55774CDFFDB0EB99FAFF43A40622ED2AB1C011D1195878F4B20030BC" />
<Deny ID="ID_DENY_D_25" FriendlyName="Powershell 25" Hash="F29A958287788A6EEDE6035D49EF5CB85EEC40D214FDDE5A0C6CAA65AFC00EEC" />
<Deny ID="ID_DENY_D_26" FriendlyName="Powershell 26" Hash="F875E43E12685ECE0BA2D42D55A13798CE9F1FFDE3CAE253D2529F4304811A52" />
<!--System.Management.Automation.dll -->
<Deny ID="ID_DENY_D_27" FriendlyName="PowerShell 27" Hash="720D826A84284E18E0003526A0CD9B7FF0C4A98A"/>
<Deny ID="ID_DENY_D_28" FriendlyName="PowerShell 28" Hash="CB5DF9D0D25571948C3D257882E07C7FA5E768448E0DEBF637E110F9FF575808"/>
<Deny ID="ID_DENY_D_29" FriendlyName="PowerShell 29" Hash="3C7265C3393C585D32E509B2D2EC048C73AC5EE6"/>
<Deny ID="ID_DENY_D_30" FriendlyName="PowerShell 30" Hash="7F1E03E956CA38CC0C491CB958D6E61A52491269CDB363BC488B525F80C56424"/>
<Deny ID="ID_DENY_D_31" FriendlyName="PowerShell 31" Hash="27D86C9B54E1A97399A6DC9C9DF9AE030CB734C8"/>
<Deny ID="ID_DENY_D_32" FriendlyName="PowerShell 32" Hash="917BD10E82C6E932F9C63B9BDCCC1D9BF04510CD8491B005CFFD273B48B5CD1E"/>
<Deny ID="ID_DENY_D_33" FriendlyName="PowerShell 33" Hash="B3BB2D75AECB34ED316CE54C6D513420186E4950"/>
<Deny ID="ID_DENY_D_34" FriendlyName="PowerShell 34" Hash="B734F6269A6738861E1DF98EE0E4E7377FAED10B82AAA9731DA0BB1CB366FCCE"/>
<Deny ID="ID_DENY_D_35" FriendlyName="PowerShell 35" Hash="FF378B465F2C8A87B4092F7C1F96399C0156CEEB"/>
<Deny ID="ID_DENY_D_36" FriendlyName="PowerShell 36" Hash="9B884CFE78F921042B003574AE30D9E86EE3DCC11E7110A1C92927F13C3F47E6"/>
<Deny ID="ID_DENY_D_37" FriendlyName="PowerShell 37" Hash="C7B99E8B59182112A3A14BD39880BDCDDD5C724F"/>
<Deny ID="ID_DENY_D_38" FriendlyName="PowerShell 38" Hash="6E585890C7369D6D8DA85C8B6B7411463BAA1ACAE9CE4197E033A46C897B35E5"/>
<Deny ID="ID_DENY_D_39" FriendlyName="PowerShell 39" Hash="BA4B3A92123FBCE66398020AFBCC0BCA1D1AAAD7"/>
<Deny ID="ID_DENY_D_40" FriendlyName="PowerShell 40" Hash="D8D361E3690676C7FDC483003BFC5C0C39FB16B42DFC881FB8D42A1064740B0B"/>
<Deny ID="ID_DENY_D_41" FriendlyName="PowerShell 41" Hash="1EA5104AE1A7A53F9421E0193B749F310B9261D1"/>
<Deny ID="ID_DENY_D_42" FriendlyName="PowerShell 42" Hash="66C1B8569019512ACDDC145DA6D348A68DE008BE7C05930AD0EC6927C26061AD"/>
<Deny ID="ID_DENY_D_43" FriendlyName="PowerShell 43" Hash="4EB2C3A4B551FC028E00F2E7DA9D0F1E38728571"/>
<Deny ID="ID_DENY_D_44" FriendlyName="PowerShell 44" Hash="30EAC589069FB79D540080B04B7FDBB8A9B1DF4E96B9D7C98519E49A1ED56851"/>
<Deny ID="ID_DENY_D_45" FriendlyName="PowerShell 45" Hash="E55505B609DD7A22F55C4BA9EDAD5627ECA6A8E8"/>
<Deny ID="ID_DENY_D_46" FriendlyName="PowerShell 46" Hash="ABDDA9C1EDA9F2344FB5B79890B7FD854D0E3D28BEC26AE33AAD196948AB642D"/>
<Deny ID="ID_DENY_D_47" FriendlyName="PowerShell 47" Hash="A15964475D213FB752B42E7DCDDBF4B14D623D14"/>
<Deny ID="ID_DENY_D_48" FriendlyName="PowerShell 48" Hash="61A68B436D828193E0C7B44D2AF83D22A9CB557B90186E4E6AC998CE5E3BFE8A"/>
<Deny ID="ID_DENY_D_49" FriendlyName="PowerShell 49" Hash="DB0C4B5CA1CBC3B117AB0439C5937B6A263DFD87"/>
<Deny ID="ID_DENY_D_50" FriendlyName="PowerShell 50" Hash="6D4FB385328CA01700092E1CDF75A97123A95120D5F8A9877FFB4D5A8531380B"/>
<Deny ID="ID_DENY_D_51" FriendlyName="PowerShell 51" Hash="72F9DCDA6ECDD6906A2538DFE795A2E2CA787BBC"/>
<Deny ID="ID_DENY_D_52" FriendlyName="PowerShell 52" Hash="F98FEC4A0306BD398F7FB7F611679B7797D32D54D1F2B35D728C0C7A058153ED"/>
<Deny ID="ID_DENY_D_53" FriendlyName="PowerShell 53" Hash="C980B65B86F780AC93B9458E9657291083CFEDA8"/>
<Deny ID="ID_DENY_D_54" FriendlyName="PowerShell 54" Hash="F9473493FF53274B8E75EC7E517F324AA0C5644C6F8045D3EF3A1B9A669ECF78"/>
<Deny ID="ID_DENY_D_55" FriendlyName="PowerShell 55" Hash="C30355B5E6FA3F793A3CC0A649945829723DD85C"/>
<Deny ID="ID_DENY_D_56" FriendlyName="PowerShell 56" Hash="4EB14099165177F0F3A1FACE32E72CF2DD221DB44155E73AFF94CB7DA195EF22"/>
<Deny ID="ID_DENY_D_57" FriendlyName="PowerShell 57" Hash="5C6CC1903D3DA2054ECD9A295EEE26F5561E152A"/>
<Deny ID="ID_DENY_D_58" FriendlyName="PowerShell 58" Hash="0BF8CAB75DAB712FC848DE7CC7DC5C8A10D666515E7535F89146F45AAAF9EF54"/>
<Deny ID="ID_DENY_D_59" FriendlyName="PowerShell 59" Hash="1443E8F56DEE11EEF5B746E3657C2F953FD4F6EA"/>
<Deny ID="ID_DENY_D_60" FriendlyName="PowerShell 60" Hash="487CB42795046E885303FC96EA54C3234E1B2072DAEB4F9218C21CC6C39A3223"/>
<Deny ID="ID_DENY_D_61" FriendlyName="PowerShell 61" Hash="072D4E33D1478C863DBAB20BF5DFF1A0FB5A9D53"/>
<Deny ID="ID_DENY_D_62" FriendlyName="PowerShell 62" Hash="631E091AE7AD2C543EE5755BC9D8DB34683C41E20D9A6CD41C8F07827156D6DB"/>
<Deny ID="ID_DENY_D_63" FriendlyName="PowerShell 63" Hash="FD15A313B890369B7D8E26C13B2070AE044FB4D8"/>
<Deny ID="ID_DENY_D_64" FriendlyName="PowerShell 64" Hash="AB9886A0993F87C2A39BC7822EE44FD4B4751C530ACF292ACD0319C967FB4F3B"/>
<Deny ID="ID_DENY_D_65" FriendlyName="PowerShell 65" Hash="4BAFD867B59328E7BB853148FE6D16B9411D7A12"/>
<Deny ID="ID_DENY_D_66" FriendlyName="PowerShell 66" Hash="D1F22B37902C2DD53FA27438436D9D236A196C10C8E492A8F4A14768644592D3"/>
<Deny ID="ID_DENY_D_67" FriendlyName="PowerShell 67" Hash="AC53AE4C8AB56D84393D67D820BEBDC3218739D3"/>
<Deny ID="ID_DENY_D_68" FriendlyName="PowerShell 68" Hash="49580C9459C3917E6F982C8E0D753D293DFA2E4FD1152F78FF7C73CF8B422507"/>
<Deny ID="ID_DENY_D_69" FriendlyName="PowerShell 69" Hash="333678A44D4BEBE9BEA3041FFDA9E2B55B58F1B5"/>
<Deny ID="ID_DENY_D_70" FriendlyName="PowerShell 70" Hash="94CBBC3970F01280D98C951BD0C4158D4B09A2BE21B8A27790D9F127B78C6F3F"/>
<Deny ID="ID_DENY_D_71" FriendlyName="PowerShell 71" Hash="5F5620DC049FE1F1C2DBAC077A59BA69CF2FF72C"/>
<Deny ID="ID_DENY_D_72" FriendlyName="PowerShell 72" Hash="A32C0769F36CAE0B6A7A1B8CCB6B7A75AA8BEB7F49815E96B4E120BFD7527E0A"/>
<Deny ID="ID_DENY_D_73" FriendlyName="PowerShell 73" Hash="BDBE541D269EC8235563842D024F9E37883DFB57"/>
<Deny ID="ID_DENY_D_74" FriendlyName="PowerShell 74" Hash="441076C7FD0AD481E6AC3198F08BE80EA9EB2926CA81D733F798D03DBEFD683E"/>
<Deny ID="ID_DENY_D_75" FriendlyName="PowerShell 75" Hash="FD6FE9143A46F4EBB46E6B46332FA7171002EBF0"/>
<Deny ID="ID_DENY_D_76" FriendlyName="PowerShell 76" Hash="85399D84601207AB92C8CA4D7D6E58CB1B0B0B57ED94FA7E5A1191FA1810E223"/>
<Deny ID="ID_DENY_D_77" FriendlyName="PowerShell 77" Hash="98FD94A89DCF92A7BEDB51C72BAD1A67650DD6E5"/>
<Deny ID="ID_DENY_D_78" FriendlyName="PowerShell 78" Hash="5CE4B042E986DAFEB7E2D2ABFB80376C4DEC325DB23B584B76039EEA6E1A74B1"/>
<Deny ID="ID_DENY_D_79" FriendlyName="PowerShell 79" Hash="6BC1E70F0EA84E88AC28BEAF74C10F3ABDF99209"/>
<Deny ID="ID_DENY_D_80" FriendlyName="PowerShell 80" Hash="93CB3907D1A9473E8A90593250C4A95EAE3A7066E9D8A57535CBDF82AA4AD4C2"/>
<Deny ID="ID_DENY_D_81" FriendlyName="PowerShell 81" Hash="7FCE82DBBC0FE45AFBE3927C323349C32D5A463A"/>
<Deny ID="ID_DENY_D_82" FriendlyName="PowerShell 82" Hash="2EDA8CA129E30CB5522C4DCD1E5AFDCA1E9C6447DD7053DACEF18DCDCCF3E2BC"/>
<Deny ID="ID_DENY_D_83" FriendlyName="PowerShell 83" Hash="BDB3DAC80667A0B931835D5D658C08F236B413D1"/>
<Deny ID="ID_DENY_D_84" FriendlyName="PowerShell 84" Hash="51287BACB692AAC5A8659774D982B304DC0C0B4A4D8F41CBCCD47D69796786DE"/>
<Deny ID="ID_DENY_D_85" FriendlyName="PowerShell 85" Hash="9633529CACE25ACCB29EBC5941DE1874903C0297"/>
<Deny ID="ID_DENY_D_86" FriendlyName="PowerShell 86" Hash="483A3997D5DA69A51DC7EA368A36C3CA4A5BD56CB08BFD9912BE799005156C18"/>
<Deny ID="ID_DENY_D_87" FriendlyName="PowerShell 87" Hash="B3493E30A2C347B550331C86529BDC288EAF8186"/>
<Deny ID="ID_DENY_D_88" FriendlyName="PowerShell 88" Hash="9371E2333906441715DE15FEE8A9AA03C4D076CA3C04D9A7AB0CC32189DA66ED"/>
<Deny ID="ID_DENY_D_89" FriendlyName="PowerShell 89" Hash="5D4B0794EB973D61CF74A700F11BE84E527E0E51"/>
<Deny ID="ID_DENY_D_90" FriendlyName="PowerShell 90" Hash="537DE34A1F4B3F8345D02F5BBA2B063F070A42FC1581AAC2AA91C1D071B14521"/>
<Deny ID="ID_DENY_D_91" FriendlyName="PowerShell 91" Hash="F3C75F35F42C1C5B3B4ED888187D6AB4035F994C"/>
<Deny ID="ID_DENY_D_92" FriendlyName="PowerShell 92" Hash="AD5678ED0734281973465DD728281A6C0EA146620FF2106A4EEFC7E94622B92F"/>
<Deny ID="ID_DENY_D_93" FriendlyName="PowerShell 93" Hash="91C0F76798A9679188C7D93FDEBAF797BDBE41B2"/>
<Deny ID="ID_DENY_D_94" FriendlyName="PowerShell 94" Hash="1D9244EAFEDFBFC02E13822E24A476C36FFD362B9D18F6CD195B654A34F946FF"/>
<Deny ID="ID_DENY_D_95" FriendlyName="PowerShell 95" Hash="7FCB424E67DDAC49413B45D7DCD636AD70E23B41"/>
<Deny ID="ID_DENY_D_96" FriendlyName="PowerShell 96" Hash="7E6F9A738520F78D1E9D0D0883FB07DD9188408CBE7C2937BDE1590F90C61753"/>
<Deny ID="ID_DENY_D_97" FriendlyName="PowerShell 97" Hash="A9745E20419EC1C90B23FE965D3C2DF028AF39DC"/>
<Deny ID="ID_DENY_D_98" FriendlyName="PowerShell 98" Hash="71B5B58EAA0C90397BC9546BCCA8C657500499CD2087CD7D7E1753D54C07E71D"/>
<Deny ID="ID_DENY_D_99" FriendlyName="PowerShell 99" Hash="3E5294910C59394DA93962128968E6C23016A028"/>
<Deny ID="ID_DENY_D_100" FriendlyName="PowerShell 100" Hash="DA700D4F58BCEA1D5A9CAD4F20AC725C6A354F9DA40E4F8F95E1C3DC7B84F550"/>
<Deny ID="ID_DENY_D_101" FriendlyName="PowerShell 101" Hash="266896FD257AD8EE9FC73B3A50306A573714EA8A"/>
<Deny ID="ID_DENY_D_102" FriendlyName="PowerShell 102" Hash="8E36BD08084C73AF674F2DAD568EE3BA2C85769FA7B3400CB62F7A7BD028BE9A"/>
<Deny ID="ID_DENY_D_103" FriendlyName="PowerShell 103" Hash="2CB781B3BD79FD277D92332ACA22C04430F9D692"/>
<Deny ID="ID_DENY_D_104" FriendlyName="PowerShell 104" Hash="92AE03F0090C0A5DF329B4B3FFEDBA622B0521BA699FA303C24120A30ED4C9E6"/>
<Deny ID="ID_DENY_D_105" FriendlyName="PowerShell 105" Hash="D82583F7D5EA477C94630AC5AAEB771C85BD4B0A"/>
<Deny ID="ID_DENY_D_106" FriendlyName="PowerShell 106" Hash="9B0F39AB233628A971ACEC53029C9B608CAB99868F1A1C5ABE20BC1BD1C2B70E"/>
<Deny ID="ID_DENY_D_107" FriendlyName="PowerShell 107" Hash="2DF4350DE3C97C9D4FD2973F8C5EA8AE621D22A8"/>
<Deny ID="ID_DENY_D_108" FriendlyName="PowerShell 108" Hash="015CE571E8503A353E2250D4D0DA19493B3311F3437527E6DDD2D2B6439FA2EB"/>
<Deny ID="ID_DENY_D_109" FriendlyName="PowerShell 109" Hash="080DEC3B15AD5AFE9BF3B0943A36285E92BAF469"/>
<Deny ID="ID_DENY_D_110" FriendlyName="PowerShell 110" Hash="F1391E78F17EA6097906B99C6F4F0AE8DD2E519856F837A3BCC58FBB87DAAE62"/>
<Deny ID="ID_DENY_D_111" FriendlyName="PowerShell 111" Hash="F87C726CCB5E64C6F363C21255935D5FEA9E4A0E"/>
<Deny ID="ID_DENY_D_112" FriendlyName="PowerShell 112" Hash="B7B42C3C8C61FD2616C16BBCF36EA15EC26A67536E94764D72A91CE04B89AAA4"/>
<Deny ID="ID_DENY_D_113" FriendlyName="PowerShell 113" Hash="25F52340199A0EA352C8B1A7014BCB610B232523"/>
<Deny ID="ID_DENY_D_114" FriendlyName="PowerShell 114" Hash="64D6D1F3A053908C5635BD6BDA36BC8E72D518C7ECE8DA761C0DDE70C50BB632"/>
<Deny ID="ID_DENY_D_115" FriendlyName="PowerShell 115" Hash="029198F05598109037A0E9E332EC052317E834DA"/>
<Deny ID="ID_DENY_D_116" FriendlyName="PowerShell 116" Hash="70B4BB6C2B7E9237FB14ABBC94955012285E2CAA74F91455EE52809CDAD4E7FC"/>
<Deny ID="ID_DENY_D_117" FriendlyName="PowerShell 117" Hash="A4390EF2D77F76DC4EFE55FF74EE1D06C303FDAE"/>
<Deny ID="ID_DENY_D_118" FriendlyName="PowerShell 118" Hash="3246A0CB329B030DA104E04B1A0728DE83724B08C724FD0238CE4578A0245576"/>
<Deny ID="ID_DENY_D_119" FriendlyName="PowerShell 119" Hash="89CEAB6518DA4E7F75B3C75BC04A112D3637B737"/>
<Deny ID="ID_DENY_D_120" FriendlyName="PowerShell 120" Hash="6581E491FBFF954A1A4B9CEA69B63951D67EB56DF871ED8B055193595F042B0D"/>
<Deny ID="ID_DENY_D_121" FriendlyName="PowerShell 121" Hash="00419E981EDC8613E600C939677F7B460855BF7E"/>
<Deny ID="ID_DENY_D_122" FriendlyName="PowerShell 122" Hash="61B724BCFC3DA1CC1583DB0BC42EFE166E92D8D3CE91E58A29F7AEBEFAE2149F"/>
<Deny ID="ID_DENY_D_123" FriendlyName="PowerShell 123" Hash="272EF88BBA9B4B54D242FFE1E96D07DBF53497A0"/>
<Deny ID="ID_DENY_D_124" FriendlyName="PowerShell 124" Hash="AFC0968EDCE9E5FC1BC392382833EBEF3265B32D3ECBB529D89A1DF33A31E9BD"/>
<Deny ID="ID_DENY_D_125" FriendlyName="PowerShell 125" Hash="CD9D9789B3B31562C4BE44B6BEEA8815C5EDAE1F"/>
<Deny ID="ID_DENY_D_126" FriendlyName="PowerShell 126" Hash="FCAF8DC3C7A5D3B29B19A9C5F89324BF65B50C440AC0316B08532CEA2F1FF9B0"/>
<Deny ID="ID_DENY_D_127" FriendlyName="PowerShell 127" Hash="941D0FD47887035A04E17F46DE6C4004D7FD8871"/>
<Deny ID="ID_DENY_D_128" FriendlyName="PowerShell 128" Hash="4AD6DC7FF0A2E776CE7F27B4E3D3C1C380CA3548DFED565429D88C3BBE61DD0F"/>
<Deny ID="ID_DENY_D_129" FriendlyName="PowerShell 129" Hash="421D1142105358B8360454E43FD15767DA111DBA"/>
<Deny ID="ID_DENY_D_130" FriendlyName="PowerShell 130" Hash="692CABD40C1EDFCB6DC50591F31FAE30848E579D6EF4D2CA0811D06B086CF8BE"/>
<Deny ID="ID_DENY_D_131" FriendlyName="PowerShell 131" Hash="AC9F095DD4AE80B124F55541761AA1F35E49A575"/>
<Deny ID="ID_DENY_D_132" FriendlyName="PowerShell 132" Hash="0D8A0FB3BF3CF80D44ED20D9F1E7292E9EE5A49ABCE68592DED55A71B0ACAECE"/>
<Deny ID="ID_DENY_D_133" FriendlyName="PowerShell 133" Hash="B1CF2A18B281F73FE6685B5CE74D1BA50BE9AFE5"/>
<Deny ID="ID_DENY_D_134" FriendlyName="PowerShell 134" Hash="095B79953F9E3E2FB721693FBFAD5841112D592B6CA7EB2055B262DEB7C7008A"/>
<Deny ID="ID_DENY_D_135" FriendlyName="PowerShell 135" Hash="128D7D03E4B85DBF95427D72EFF833DAB5E92C33"/>
<Deny ID="ID_DENY_D_136" FriendlyName="PowerShell 136" Hash="EACFC615FDE29BD858088AF42E0917E4B4CA5991EFB4394FB3129735D7299235"/>
<Deny ID="ID_DENY_D_137" FriendlyName="PowerShell 137" Hash="47D2F87F2D2D516D712A156421F0C2BD285200E9"/>
<Deny ID="ID_DENY_D_138" FriendlyName="PowerShell 138" Hash="8CACA1828E7770DADF21D558976D415AC7BDA16D58926308FD5E9D5087F4B0E6"/>
<Deny ID="ID_DENY_D_139" FriendlyName="PowerShell 139" Hash="CD9D70B0107801567EEADC4ECD74511A1A6FF4FE"/>
<Deny ID="ID_DENY_D_140" FriendlyName="PowerShell 140" Hash="9C96396EFCC9DC09F119DE8695CB3372F82DB46D23A1B7A88BD86CBE814233E1"/>
<Deny ID="ID_DENY_D_141" FriendlyName="PowerShell 141" Hash="233E3B5108A43239C6C13292043DED0567281AF9"/>
<Deny ID="ID_DENY_D_142" FriendlyName="PowerShell 142" Hash="6EDF19CC53EA2064CE108957343EB3505359CF05BD6955C7502AF565BD761702"/>
<Deny ID="ID_DENY_D_143" FriendlyName="PowerShell 143" Hash="CD725B606888E5C5426FEAB44E2CC7722DFE5411"/>
<Deny ID="ID_DENY_D_144" FriendlyName="PowerShell 144" Hash="B20C4F36AE6A3AC323759C81173FACE1B1C112FA5B701C65DCD7313D7CE59907"/>
<Deny ID="ID_DENY_D_145" FriendlyName="PowerShell 145" Hash="E5212F1081B5777B88F5C41174ADEDB35B4258CF"/>
<Deny ID="ID_DENY_D_146" FriendlyName="PowerShell 146" Hash="F4DE5B5395701F8C94D65D732E4D212E1879C9C84345B46A941965B094F75017"/>
<Deny ID="ID_DENY_D_147" FriendlyName="PowerShell 147" Hash="EC41A3FB8D6E3B0F55F6583C14C45B6238753019"/>
<Deny ID="ID_DENY_D_148" FriendlyName="PowerShell 148" Hash="76CA6B396796351685198D6189E865AFD7FB9E6C5CEFA9EA0B5F0A9F1FC98D57"/>
<Deny ID="ID_DENY_D_149" FriendlyName="PowerShell 149" Hash="3B2B7042A84033CA846AFE472912524F7BAD57E5"/>
<Deny ID="ID_DENY_D_150" FriendlyName="PowerShell 150" Hash="2DF95ABEB23DAA0377DFA6360976B69D3CEE7325A9B7571F331D569809FAED8B"/>
<Deny ID="ID_DENY_D_151" FriendlyName="PowerShell 151" Hash="7BED2F9C0ADF1597C7EBB79163BDA21D8D7D28CA"/>
<Deny ID="ID_DENY_D_152" FriendlyName="PowerShell 152" Hash="44BDD2DADB13E7A8FF6AFCF4AE3E2CC830506D9475B4C2C71D319E169977998F"/>
<Deny ID="ID_DENY_D_153" FriendlyName="PowerShell 153" Hash="A1251FA30162B13456A4687495726FF793D511BE"/>
<Deny ID="ID_DENY_D_154" FriendlyName="PowerShell 154" Hash="9C15E4DE10DE47ACD393359D523211AD8596C61FE54F2C0664D48E1D249231CE"/>
<Deny ID="ID_DENY_D_155" FriendlyName="PowerShell 155" Hash="D835947C84CFBA652B553A77A90475E02291AA5F"/>
<Deny ID="ID_DENY_D_156" FriendlyName="PowerShell 156" Hash="B4D6DAA10398D5DA192DFDD75010F428D24762D432934F0E2030D39610D43E12"/>
<Deny ID="ID_DENY_D_157" FriendlyName="PowerShell 157" Hash="1F85BBEC1DFC5785B91735A7C561E664F7FE1E94"/>
<Deny ID="ID_DENY_D_158" FriendlyName="PowerShell 158" Hash="828F05BFF829019EC0F3082323FEA859C0D71CCE14B5B75C07E7D418EF354269"/>
<Deny ID="ID_DENY_D_159" FriendlyName="PowerShell 159" Hash="FC0E23771620B41E6920F2463F49B84307D8BA91"/>
<Deny ID="ID_DENY_D_160" FriendlyName="PowerShell 160" Hash="C4FA568C852A46316308A660B80D83A11D41071F1CF4A79847A3F56714CC47AF"/>
<Deny ID="ID_DENY_D_161" FriendlyName="PowerShell 161" Hash="D18240AEE8B9B964F6B9CDFC5AFB6C343C286636"/>
<Deny ID="ID_DENY_D_162" FriendlyName="PowerShell 162" Hash="7B4C39285569F14AA9799332C542A0796717C5EF9D636BD11B2841450BC6399D"/>
<Deny ID="ID_DENY_D_163" FriendlyName="PowerShell 163" Hash="1A16008D330330182AA555B1D3E9BE0B2D6BECBF"/>
<Deny ID="ID_DENY_D_164" FriendlyName="PowerShell 164" Hash="D7685E259D0328937487856A3AB68B6D9D420DD4E02541F4D71164DFA65B4644"/>
<Deny ID="ID_DENY_D_165" FriendlyName="PowerShell 165" Hash="FBA274406B503B464B349805149E6AA722909CC9"/>
<Deny ID="ID_DENY_D_166" FriendlyName="PowerShell 166" Hash="FEBC97ED819C79E54157895457DBA755F182D6330A5103E0663AFA07E01E5CF8"/>
<Deny ID="ID_DENY_D_167" FriendlyName="PowerShell 167" Hash="293AF426A39282770387F5EE25CA719A91419A18"/>
<Deny ID="ID_DENY_D_168" FriendlyName="PowerShell 168" Hash="A9E655A96A124BC361D9CC5C7663FC033AA6F6609916EFAA76B6A6E9713A0D32"/>
<Deny ID="ID_DENY_D_169" FriendlyName="PowerShell 169" Hash="AEBFE7497F4A1947B5CB32650843CA0F85BD56D0"/>
<Deny ID="ID_DENY_D_170" FriendlyName="PowerShell 170" Hash="8C385B2C16136C097C96701D2140E014BF454CFA7297BE0C28431DED15339C0F"/>
<Deny ID="ID_DENY_D_171" FriendlyName="PowerShell 171" Hash="8FB604CD72701B83BC265D87F52B36C6F14E5DBE"/>
<Deny ID="ID_DENY_D_172" FriendlyName="PowerShell 172" Hash="B35AFBA7A897CB882C14A08AFB36A8EC938BDA14DF070234A2CCBDBA8F7DF91C"/>
<Deny ID="ID_DENY_D_173" FriendlyName="PowerShell 173" Hash="CE70309DB83C9202F45028EBEC252747F4936E6F"/>
<Deny ID="ID_DENY_D_174" FriendlyName="PowerShell 174" Hash="1F6D74FDA1F9EE6BBAC72E7E717A01B9FFC29822561D11175F6809D12215B4ED"/>
<Deny ID="ID_DENY_D_175" FriendlyName="PowerShell 175" Hash="9D71AD914DBB2FDF793742AA63AEEF4E4A430790"/>
<Deny ID="ID_DENY_D_176" FriendlyName="PowerShell 176" Hash="8CC1B5FA9A9609AC811F6505FA9B68E85A87BAE1EF676EFFE1BE438EACBDF3E1"/>
<Deny ID="ID_DENY_D_177" FriendlyName="PowerShell 177" Hash="7484FD78A9298DBA24AC5C882D16DB6146E53712"/>
<Deny ID="ID_DENY_D_178" FriendlyName="PowerShell 178" Hash="A79A74BFB768312E8EE089060C5C3238D59EF0C044A450FEB97DCA26815ECB34"/>
<Deny ID="ID_DENY_D_179" FriendlyName="PowerShell 179" Hash="78C3C6AEF52A6A5392C55F1EC98AF18053B3087D"/>
<Deny ID="ID_DENY_D_180" FriendlyName="PowerShell 180" Hash="493B620FCAD8A91D1FD7C726697E09358CA90822E8D6E021DF56E70B46F7C346"/>
<Deny ID="ID_DENY_D_181" FriendlyName="PowerShell 181" Hash="783FFB771F08BCF55C2EA474B5460EB65EA9444C"/>
<Deny ID="ID_DENY_D_182" FriendlyName="PowerShell 182" Hash="09DA1592B8457F860297821EB7FAA7F3BB71FC1916ED5DEE6D85044953640D5C"/>
<Deny ID="ID_DENY_D_183" FriendlyName="PowerShell 183" Hash="B303D1689ED99613E4F52CE6E5F96AAEBC3A45C3"/>
<Deny ID="ID_DENY_D_184" FriendlyName="PowerShell 184" Hash="82AB406FD78DCF58F65DC14D6FDDD72840015F3FE5B554428969BECA0325CD9C"/>
<Deny ID="ID_DENY_D_185" FriendlyName="PowerShell 185" Hash="DB5C6CB23C23BA6A3CD4FD4EC0A4DAEE3FC66500"/>
<Deny ID="ID_DENY_D_186" FriendlyName="PowerShell 186" Hash="9A46C16C5151D97A0EFA3EA503249E31A6D5D8D25E4F07CD4E5E077A574713FB"/>
<Deny ID="ID_DENY_D_187" FriendlyName="PowerShell 187" Hash="C1E08AD32F680100C51F138C6C095139E7230C3B"/>
<Deny ID="ID_DENY_D_188" FriendlyName="PowerShell 188" Hash="A5D5C1F79CD26216194D4C72DBAA3E48CB4A143D9E1F78819E52E9FEB2AD0AE3"/>
<Deny ID="ID_DENY_D_189" FriendlyName="PowerShell 189" Hash="BACA825D0852E2D8F3D92381D112B99B5DD56D9F"/>
<Deny ID="ID_DENY_D_190" FriendlyName="PowerShell 190" Hash="ABA28E0FC251E1D7FE5E264E1B36EC5E482D70AA434E75A756356F23F0C1F2F4"/>
<Deny ID="ID_DENY_D_191" FriendlyName="PowerShell 191" Hash="E89C29D38F554F6CB73B5FD3D0A783CC12FFEBC3"/>
<Deny ID="ID_DENY_D_192" FriendlyName="PowerShell 192" Hash="4C93CBDCF4328D27681453D8DFD7495955A07EE6A0EFB9A593853A86990CF528"/>
<Deny ID="ID_DENY_D_193" FriendlyName="PowerShell 193" Hash="5B5E7942233D7C8A325A429FC4F4AE281325E8F9"/>
<Deny ID="ID_DENY_D_194" FriendlyName="PowerShell 194" Hash="40DA20086ED76A5EA5F62901D110216EE206E7EEB2F2BFF02F61D0BE85B0BB5A"/>
<Deny ID="ID_DENY_D_195" FriendlyName="PowerShell 195" Hash="926DCACC6983F85A8ABBCB5EE13F3C756705A1D5"/>
<Deny ID="ID_DENY_D_196" FriendlyName="PowerShell 196" Hash="A22761E2BF18F02BB630962E3C5E32738770AAEA77F8EDA233E77792EB480072"/>
<Deny ID="ID_DENY_D_197" FriendlyName="PowerShell 197" Hash="6FE6723A355DEB4BC6B8637A634D1B43AFA64112"/>
<Deny ID="ID_DENY_D_198" FriendlyName="PowerShell 198" Hash="9BCC55A97A275F7D81110877F1BB5B41F86A848EA02B4EE1E1E6A44D927A488F"/>
<Deny ID="ID_DENY_D_199" FriendlyName="PowerShell 199" Hash="8D5599B34BED4A660DACC0922F6C2F112F264758"/>
<Deny ID="ID_DENY_D_200" FriendlyName="PowerShell 200" Hash="F375014915E5E027F697B29201362B56F2D9E598247C96F86ABADCC6FF42F034"/>
<Deny ID="ID_DENY_D_201" FriendlyName="PowerShell 201" Hash="CCFB247A3BCA9C64D82F647F3D30A3172E645F13"/>
<Deny ID="ID_DENY_D_202" FriendlyName="PowerShell 202" Hash="5E52ABBC051368315F078D31F01B0C1B904C1DDB6D1C1E4A91BE276BDF44C66F"/>
<Deny ID="ID_DENY_D_203" FriendlyName="PowerShell 203" Hash="E8EB859531F426CC45A3CB9118F399C92054563E"/>
<Deny ID="ID_DENY_D_204" FriendlyName="PowerShell 204" Hash="CD9E1D41F8D982F4AA6C610A2EFEAEBA5B0CDD883DF4A86FA0180ACD333CAA86"/>
<Deny ID="ID_DENY_D_205" FriendlyName="PowerShell 205" Hash="C92D4EAC917EE4842A437C54F96D87F003199DE8"/>
<Deny ID="ID_DENY_D_206" FriendlyName="PowerShell 206" Hash="3A270242EB49E06405FD654FA4954B166297BBC886891C64B4424134C39872DB"/>
<Deny ID="ID_DENY_D_207" FriendlyName="PowerShell 207" Hash="66681D9171981216B31996429695931DA2A638B9"/>
<Deny ID="ID_DENY_D_208" FriendlyName="PowerShell 208" Hash="7A2DF7D56912CB4EB5B36D071496EDC97661086B0E4C9CC5D9C61779A5A7DAAA"/>
<Deny ID="ID_DENY_D_209" FriendlyName="PowerShell 209" Hash="9DCA54C85E4C645CB296FE3055E90255B6506A95"/>
<Deny ID="ID_DENY_D_210" FriendlyName="PowerShell 210" Hash="8C9C58AD12FE61CBF021634EC6A4B3094750FC002DA224423E0BCEB01ECF292A"/>
<Deny ID="ID_DENY_D_211" FriendlyName="PowerShell 211" Hash="3AF2587E8B62F88DC363D7F5308EE4C1A6147338"/>
<Deny ID="ID_DENY_D_212" FriendlyName="PowerShell 212" Hash="D32D88F158FD341E32708CCADD48C426D227D0EC8465FF4304C7B7EAC2C6A93E"/>
<Deny ID="ID_DENY_D_213" FriendlyName="PowerShell 213" Hash="D3D453EBC368DF7CC2200474035E5898B58D93F1"/>
<Deny ID="ID_DENY_D_214" FriendlyName="PowerShell 214" Hash="BBE569BCC282B3AF682C1528D4E3BC53C1A0C6B5905FA34ADB4305160967B64A"/>
<Deny ID="ID_DENY_D_215" FriendlyName="PowerShell 215" Hash="D147CE5C7E7037D1BE3C0AF67EDB6F528C77DB0A"/>
<Deny ID="ID_DENY_D_216" FriendlyName="PowerShell 216" Hash="11F936112832738AD9B3A1C67537D5542DE8E86856CF2A5893C4D26CF3A2C558"/>
<Deny ID="ID_DENY_D_217" FriendlyName="PowerShell 217" Hash="7DBB41B87FAA887DE456C8E6A72E09D2839FA1E7"/>
<Deny ID="ID_DENY_D_218" FriendlyName="PowerShell 218" Hash="3741F3D2F264E047339C95A66085599A49766DEF1C5BD0C32237CE87FA0B41FB"/>
<Deny ID="ID_DENY_D_219" FriendlyName="PowerShell 219" Hash="5F3AECC89BAF094EAFA3C25E6B883EE68A6F00B0"/>
<Deny ID="ID_DENY_D_220" FriendlyName="PowerShell 220" Hash="AA085BE6498D2E3F527F3D72A5D1C604508133F0CDC05AD404BB49E8E3FB1A1B"/>
<Deny ID="ID_DENY_D_221" FriendlyName="PowerShell 221" Hash="DDE4D9A08514347CDE706C42920F43523FC74DEA"/>
<Deny ID="ID_DENY_D_222" FriendlyName="PowerShell 222" Hash="81835C6294B96282A4D7D70383BBF797C2E4E7CEF99648F85DDA50F7F41B02F6"/>
<Deny ID="ID_DENY_D_223" FriendlyName="PowerShell 223" Hash="48092864C96C4BF9B68B5006EAEDAB8B57B3738C"/>
<Deny ID="ID_DENY_D_224" FriendlyName="PowerShell 224" Hash="36EF3BED9A5D0D563BCB354BFDD2931F6256759D1D905BA5DC21CDA496F2FEB7"/>
<Deny ID="ID_DENY_D_225" FriendlyName="PowerShell 225" Hash="7F6725BA8CCD2DAEEFD0C9590A5DF9D98642CCEA"/>
<Deny ID="ID_DENY_D_226" FriendlyName="PowerShell 226" Hash="DB68DB3AE32A8A662AA6EE16CF459124D2701719D019B614CE9BF115F5F9C904"/>
<Deny ID="ID_DENY_D_227" FriendlyName="PowerShell 227" Hash="FF205856A3209227D571EAD4B8C1E611E7FF9924"/>
<Deny ID="ID_DENY_D_228" FriendlyName="PowerShell 228" Hash="A63B38CE17DA60C4C431FC42C4507A0B7C19B384AC9E121E2988AD026E71ED63"/>
<Deny ID="ID_DENY_D_229" FriendlyName="PowerShell 229" Hash="479C9429691314D3E21E4F4CA8B95D5BD2BDDEDA"/>
<Deny ID="ID_DENY_D_230" FriendlyName="PowerShell 230" Hash="2BA4E369D267A9ABDEBA50DA2CB5FC56A8EE4382C5BCFCFFD121350B88A6F0E1"/>
<Deny ID="ID_DENY_D_231" FriendlyName="PowerShell 231" Hash="C7D70B96440D215173F35412D56CF9329886D8D3"/>
<Deny ID="ID_DENY_D_232" FriendlyName="PowerShell 232" Hash="B00C54F1AA77D88335675EAF07ED834E68FD96DD7606914C2867F9C506AB0A56"/>
<Deny ID="ID_DENY_D_233" FriendlyName="PowerShell 233" Hash="2AB804E1FF982AE0EDB591BC61AA909CF32E99C5"/>
<Deny ID="ID_DENY_D_234" FriendlyName="PowerShell 234" Hash="253120422B0DD987C293CAF5928FA820414C0A01622FD0EAF304A750FC5AEEFE"/>
<Deny ID="ID_DENY_D_235" FriendlyName="PowerShell 235" Hash="8DAB1D74CAEDBAA8D17805CF00D64A44F5831C12"/>
<Deny ID="ID_DENY_D_236" FriendlyName="PowerShell 236" Hash="AC1CE3AA9023E23F2F63D5A3536294B914686057336402E059DEF6559D1CE723"/>
<Deny ID="ID_DENY_D_237" FriendlyName="PowerShell 237" Hash="993425279D204D1D14C3EB989DEB4805ADC558CF"/>
<Deny ID="ID_DENY_D_238" FriendlyName="PowerShell 238" Hash="BDADDD710E47EB8D24B78E542F3996B0EA2CA577ABD515785819302DB15839DD"/>
<Deny ID="ID_DENY_D_239" FriendlyName="PowerShell 239" Hash="F4DB0CDF3A3FD163A9B90789CC6D14D326AD609C"/>
<Deny ID="ID_DENY_D_240" FriendlyName="PowerShell 240" Hash="5D249D8366077713024552CA8D08F164E975AFF89E8909E35A43F02B0DC66F70"/>
<Deny ID="ID_DENY_D_241" FriendlyName="PowerShell 241" Hash="5B8E45EECA32C2F0968C2252229D768B0DB796A0"/>
<Deny ID="ID_DENY_D_242" FriendlyName="PowerShell 242" Hash="B4D336B32C27E3D3FEBE4B06252DDE9683814E7E903C98448972AAB7389DFC02"/>
<Deny ID="ID_DENY_D_243" FriendlyName="PowerShell 243" Hash="4F5D66B449C4D2FDEA532F9B5DBECA5ACA8195EF"/>
<Deny ID="ID_DENY_D_244" FriendlyName="PowerShell 244" Hash="39F2F19A5C6708CE8CE4E1ABBEBA8D3D1A6220391CA86B2D319E347B46005C97"/>
<Deny ID="ID_DENY_D_245" FriendlyName="PowerShell 245" Hash="4BFB3F95CA1B79DA3C6B0A2ECB432059E686F967"/>
<Deny ID="ID_DENY_D_246" FriendlyName="PowerShell 246" Hash="0C4688AACD02829850DE0F792AC06D3C87895412A910EA76F7F9BF31B3B4A3E9"/>
<Deny ID="ID_DENY_D_247" FriendlyName="PowerShell 247" Hash="6DC048AFA50B5B1B0AD7DD3125AC83D46FED730A"/>
<Deny ID="ID_DENY_D_248" FriendlyName="PowerShell 248" Hash="432F666CCE8CD222484E263AE02F63E0038143DD6AD07B3EB1633CD3C498C13D"/>
<Deny ID="ID_DENY_D_1" FriendlyName="Powershell 1" Hash="DED853481A176999723413685A79B36DD0F120F9" />
<Deny ID="ID_DENY_D_2" FriendlyName="Powershell 2" Hash="D027E09D9D9828A87701288EFC91D240C0DEC2C3" />
<Deny ID="ID_DENY_D_3" FriendlyName="Powershell 3" Hash="46936F4F0AFE4C87D2E55595F74DDDFFC9AD94EE" />
<Deny ID="ID_DENY_D_4" FriendlyName="Powershell 4" Hash="5090F22BB9C0B168C7F5E9E800784A05AFCCBC4F" />
<Deny ID="ID_DENY_D_5" FriendlyName="Powershell 5" Hash="A920D0706FCEA648D28638E9198BCC368996B8FD" />
<Deny ID="ID_DENY_D_6" FriendlyName="Powershell 6" Hash="93E22F2BA6C8B1C09F100F9C0E3B06FAF2D1DDB6" />
<Deny ID="ID_DENY_D_7" FriendlyName="Powershell 7" Hash="943E307BE7B0B381715CA5CC0FAB7B558025BA80" />
<Deny ID="ID_DENY_D_8" FriendlyName="Powershell 8" Hash="DE6A02520E1D7325025F2761A97D36E407E8490C" />
<Deny ID="ID_DENY_D_9" FriendlyName="Powershell 9" Hash="CC968868EDC6718DA14DDDB11228A04D5D5BD9A5" />
<Deny ID="ID_DENY_D_10" FriendlyName="Powershell 10" Hash="789D0657689DB6F0900A787BEF52A449585A92B5" />
<Deny ID="ID_DENY_D_11" FriendlyName="Powershell 11" Hash="F29A958287788A6EEDE6035D49EF5CB85EEC40D214FDDE5A0C6CAA65AFC00EEC" />
<Deny ID="ID_DENY_D_12" FriendlyName="Powershell 12" Hash="84BB081141DA50B3839CD275FF34854F53AECB96CA9AEB8BCD24355C33C1E73E" />
<Deny ID="ID_DENY_D_13" FriendlyName="Powershell 13" Hash="8D396FEAEED1F0CA709B62B1F27EDC9CCEFF95E3473C923624362A042E91D787" />
<Deny ID="ID_DENY_D_14" FriendlyName="Powershell 14" Hash="7BF44433D3A606104778F64B11B92C52FC99C4BA570C50B70438275D0B587B8E" />
<Deny ID="ID_DENY_D_15" FriendlyName="Powershell 15" Hash="6B3CB996EC5129D345830C3D6D5C7C009372FFD9F08837E8B2572AB31E9648A5" />
<Deny ID="ID_DENY_D_16" FriendlyName="Powershell 16" Hash="C3A5DAB20947CA8FD092E75C25177E7BAE7884CA58710F14827144C09EA1F94B" />
<Deny ID="ID_DENY_D_17" FriendlyName="Powershell 17" Hash="BE3FFE10CDE8B62C3E8FD4D8198F272B6BD15364A33362BB07A0AFF6731DABA1" />
<Deny ID="ID_DENY_D_18" FriendlyName="Powershell 18" Hash="75288A0CF0806A68D8DA721538E64038D755BBE74B52F4B63FEE5049AE868AC0" />
<Deny ID="ID_DENY_D_19" FriendlyName="Powershell 19" Hash="F875E43E12685ECE0BA2D42D55A13798CE9F1FFDE3CAE253D2529F4304811A52" />
<Deny ID="ID_DENY_D_20" FriendlyName="Powershell 20" Hash="6D89FDD29D50C07801FB01F031CDB96E2E14288F066BD895356AE0517ABB09CE" />
<Deny ID="ID_DENY_D_21" FriendlyName="Powershell 21" Hash="326669C4A31E2049E3750BCF4287241BB8B555B3670D31A1ACA74C3AC598DF81" />
<Deny ID="ID_DENY_D_22" FriendlyName="Powershell 22" Hash="38DC1956313B160696A172074C6F5DA9852BF508F55AFB7FA079B98F2849AFB5" />
<Deny ID="ID_DENY_D_23" FriendlyName="Powershell 23" Hash="C6C073A80A8E76DC13E724B5E66FE4035A19CCA0C1AF3FABBC18E5185D1B66CB" />
<Deny ID="ID_DENY_D_24" FriendlyName="Powershell 24" Hash="9EA4BD3D8FB8F490E8099E0412F091E545AF028E3C4CAF179324B679124D1742" />
<Deny ID="ID_DENY_D_25" FriendlyName="Powershell 25" Hash="CD83C3C293EC4D24D3328C74881FA04AAF9CCF73E099631A9EB100BD0F384F58" />
<Deny ID="ID_DENY_D_26" FriendlyName="Powershell 26" Hash="74E207F539C4EAC648A5507EB158AEE9F6EA401E51808E83E73709CFA0820FDD" />
<Deny ID="ID_DENY_D_27" FriendlyName="Powershell 27" Hash="148972F670E18790D62D753E01ED8D22B351A57E45544D88ACE380FEDAF24A40" />
<Deny ID="ID_DENY_D_28" FriendlyName="Powershell 28" Hash="72E4EC687CFE357F3E681A7500B6FF009717A2E9538956908D3B52B9C865C189" />
<Deny ID="ID_DENY_D_29" FriendlyName="Powershell 29" Hash="F16E605B55774CDFFDB0EB99FAFF43A40622ED2AB1C011D1195878F4B20030BC" />
<Deny ID="ID_DENY_D_30" FriendlyName="Powershell 30" Hash="BD3139CE7553AC7003C96304F08EAEC2CDB2CC6A869D36D6F1E478DA02D3AA16" />
<Deny ID="ID_DENY_D_31" FriendlyName="Powershell 31" Hash="71FC552E66327EDAA72D72C362846BD80CB65EECFAE95C4D790C9A2330D95EE6" />
<Deny ID="ID_DENY_D_32" FriendlyName="Powershell 32" Hash="A1D1AF7675C2596D0DF977F57B54372298A56EE0F3E1FF2D974D387D7F69DD4E" />
<Deny ID="ID_DENY_D_33" FriendlyName="Powershell 33" Hash="0D905709AB1174F8E12A063F259A52DABE85CAEB8018985F5411F1CE9C6C99C3" />
<Deny ID="ID_DENY_D_34" FriendlyName="Powershell 34" Hash="939C291D4A2592209EC7664EC832670FA0AC1009F974F47489D866751F4B862F" />
</FileRules> </FileRules>
<!--Signers--> <!--Signers-->
<Signers /> <Signers />
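Review bot: The FriendlyName values on the Deny entries in this hunk do not say what each hash covers, and their casing is inconsistent: ID_DENY_D_110 through ID_DENY_D_248 use "PowerShell N" while ID_DENY_D_1 through ID_DENY_D_34 use "Powershell N". The layout of the hashes differs as well: from D_110 to D_248 a 64-character value alternates with a 40-character one (SHA-256 and SHA-1 lengths), whereas D_1 to D_10 are all 40 characters and D_11 to D_34 are all 64. Suggest an XML comment above the block naming the binaries and versions the hashes were taken from and how the two lengths pair up, so a later maintainer can audit or regenerate the list, and settle on one spelling for FriendlyName.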
@ -178,21 +402,21 @@ Microsoft recommends that you block the following Microsoft-signed applications
<FileRuleRef RuleID="ID_DENY_BGINFO"/> <FileRuleRef RuleID="ID_DENY_BGINFO"/>
<FileRuleRef RuleID="ID_DENY_CBD"/> <FileRuleRef RuleID="ID_DENY_CBD"/>
<FileRuleRef RuleID="ID_DENY_KD"/> <FileRuleRef RuleID="ID_DENY_KD"/>
<FileRuleRef RuleID="ID_DENY_NTKD"/> <FileRuleRef RuleID="ID_DENY_NTKD" />
<FileRuleRef RuleID="ID_DENY_WINDBG"/> <FileRuleRef RuleID="ID_DENY_WINDBG" />
<FileRuleRef RuleID="ID_DENY_MSBUILD"/> <FileRuleRef RuleID="ID_DENY_MSBUILD" />
<FileRuleRef RuleID="ID_DENY_CSI"/> <FileRuleRef RuleID="ID_DENY_CSI" />
<FileRuleRef RuleID="ID_DENY_DBGHOST"/> <FileRuleRef RuleID="ID_DENY_DBGHOST" />
<FileRuleRef RuleID="ID_DENY_DBGSVC"/> <FileRuleRef RuleID="ID_DENY_DBGSVC" />
<FileRuleRef RuleID="ID_DENY_DNX"/> <FileRuleRef RuleID="ID_DENY_DNX" />
<FileRuleRef RuleID="ID_DENY_RCSI"/> <FileRuleRef RuleID="ID_DENY_RCSI" />
<FileRuleRef RuleID="ID_DENY_NTSD"/> <FileRuleRef RuleID="ID_DENY_NTSD" />
<FileRuleRef RuleID="ID_DENY_LXSS"/> <FileRuleRef RuleID="ID_DENY_LXSS" />
<FileRuleRef RuleID="ID_DENY_BASH"/> <FileRuleRef RuleID="ID_DENY_BASH" />
<FileRuleRef RuleID="ID_DENY_FSI"/> <FileRuleRef RuleID="ID_DENY_FSI" />
<FileRuleRef RuleID="ID_DENY_FSI_ANYCPU"/> <FileRuleRef RuleID="ID_DENY_FSI_ANYCPU" />
<FileRuleRef RuleID="ID_DENY_MSHTA"/> <FileRuleRef RuleID="ID_DENY_MSHTA" />
<FileRuleRef RuleID="ID_DENY_SMA"/> <FileRuleRef RuleID="ID_DENY_VISUALUIAVERIFY" />
<FileRuleRef RuleID="ID_DENY_D_1" /> <FileRuleRef RuleID="ID_DENY_D_1" />
<FileRuleRef RuleID="ID_DENY_D_2" /> <FileRuleRef RuleID="ID_DENY_D_2" />
<FileRuleRef RuleID="ID_DENY_D_3" /> <FileRuleRef RuleID="ID_DENY_D_3" />
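Review bot: The last changed line of this hunk replaces the reference to ID_DENY_SMA with ID_DENY_VISUALUIAVERIFY instead of adding a line, so ID_DENY_SMA is no longer referenced from this FileRulesRef. A file rule only takes effect in a signing scenario that references it, so if the ID_DENY_SMA Deny rule is still defined in FileRules, keep its FileRuleRef and add ID_DENY_VISUALUIAVERIFY as a separate entry; if the rule was dropped on purpose, say so in the commit message. The remaining changes only add a space before `/>`, which the next hunk reverses for ID_DENY_D_27 onward; pick one form.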
@ -219,14 +443,228 @@ Microsoft recommends that you block the following Microsoft-signed applications
<FileRuleRef RuleID="ID_DENY_D_24" /> <FileRuleRef RuleID="ID_DENY_D_24" />
<FileRuleRef RuleID="ID_DENY_D_25" /> <FileRuleRef RuleID="ID_DENY_D_25" />
<FileRuleRef RuleID="ID_DENY_D_26" /> <FileRuleRef RuleID="ID_DENY_D_26" />
<FileRuleRef RuleID="ID_DENY_D_27" /> <FileRuleRef RuleID="ID_DENY_D_27"/>
<FileRuleRef RuleID="ID_DENY_D_28" /> <FileRuleRef RuleID="ID_DENY_D_28"/>
<FileRuleRef RuleID="ID_DENY_D_29" /> <FileRuleRef RuleID="ID_DENY_D_29"/>
<FileRuleRef RuleID="ID_DENY_D_30" /> <FileRuleRef RuleID="ID_DENY_D_30"/>
<FileRuleRef RuleID="ID_DENY_D_31" /> <FileRuleRef RuleID="ID_DENY_D_31"/>
<FileRuleRef RuleID="ID_DENY_D_32" /> <FileRuleRef RuleID="ID_DENY_D_32"/>
<FileRuleRef RuleID="ID_DENY_D_33" /> <FileRuleRef RuleID="ID_DENY_D_33"/>
<FileRuleRef RuleID="ID_DENY_D_34" /> <FileRuleRef RuleID="ID_DENY_D_34"/>
<FileRuleRef RuleID="ID_DENY_D_35"/>
<FileRuleRef RuleID="ID_DENY_D_36"/>
<FileRuleRef RuleID="ID_DENY_D_37"/>
<FileRuleRef RuleID="ID_DENY_D_38"/>
<FileRuleRef RuleID="ID_DENY_D_39"/>
<FileRuleRef RuleID="ID_DENY_D_40"/>
<FileRuleRef RuleID="ID_DENY_D_41"/>
<FileRuleRef RuleID="ID_DENY_D_42"/>
<FileRuleRef RuleID="ID_DENY_D_43"/>
<FileRuleRef RuleID="ID_DENY_D_44"/>
<FileRuleRef RuleID="ID_DENY_D_45"/>
<FileRuleRef RuleID="ID_DENY_D_46"/>
<FileRuleRef RuleID="ID_DENY_D_47"/>
<FileRuleRef RuleID="ID_DENY_D_48"/>
<FileRuleRef RuleID="ID_DENY_D_49"/>
<FileRuleRef RuleID="ID_DENY_D_50"/>
<FileRuleRef RuleID="ID_DENY_D_51"/>
<FileRuleRef RuleID="ID_DENY_D_52"/>
<FileRuleRef RuleID="ID_DENY_D_53"/>
<FileRuleRef RuleID="ID_DENY_D_54"/>
<FileRuleRef RuleID="ID_DENY_D_55"/>
<FileRuleRef RuleID="ID_DENY_D_56"/>
<FileRuleRef RuleID="ID_DENY_D_57"/>
<FileRuleRef RuleID="ID_DENY_D_58"/>
<FileRuleRef RuleID="ID_DENY_D_59"/>
<FileRuleRef RuleID="ID_DENY_D_60"/>
<FileRuleRef RuleID="ID_DENY_D_61"/>
<FileRuleRef RuleID="ID_DENY_D_62"/>
<FileRuleRef RuleID="ID_DENY_D_63"/>
<FileRuleRef RuleID="ID_DENY_D_64"/>
<FileRuleRef RuleID="ID_DENY_D_65"/>
<FileRuleRef RuleID="ID_DENY_D_66"/>
<FileRuleRef RuleID="ID_DENY_D_67"/>
<FileRuleRef RuleID="ID_DENY_D_68"/>
<FileRuleRef RuleID="ID_DENY_D_69"/>
<FileRuleRef RuleID="ID_DENY_D_70"/>
<FileRuleRef RuleID="ID_DENY_D_71"/>
<FileRuleRef RuleID="ID_DENY_D_72"/>
<FileRuleRef RuleID="ID_DENY_D_73"/>
<FileRuleRef RuleID="ID_DENY_D_74"/>
<FileRuleRef RuleID="ID_DENY_D_75"/>
<FileRuleRef RuleID="ID_DENY_D_76"/>
<FileRuleRef RuleID="ID_DENY_D_77"/>
<FileRuleRef RuleID="ID_DENY_D_78"/>
<FileRuleRef RuleID="ID_DENY_D_79"/>
<FileRuleRef RuleID="ID_DENY_D_80"/>
<FileRuleRef RuleID="ID_DENY_D_81"/>
<FileRuleRef RuleID="ID_DENY_D_82"/>
<FileRuleRef RuleID="ID_DENY_D_83"/>
<FileRuleRef RuleID="ID_DENY_D_84"/>
<FileRuleRef RuleID="ID_DENY_D_85"/>
<FileRuleRef RuleID="ID_DENY_D_86"/>
<FileRuleRef RuleID="ID_DENY_D_87"/>
<FileRuleRef RuleID="ID_DENY_D_88"/>
<FileRuleRef RuleID="ID_DENY_D_89"/>
<FileRuleRef RuleID="ID_DENY_D_90"/>
<FileRuleRef RuleID="ID_DENY_D_91"/>
<FileRuleRef RuleID="ID_DENY_D_92"/>
<FileRuleRef RuleID="ID_DENY_D_93"/>
<FileRuleRef RuleID="ID_DENY_D_94"/>
<FileRuleRef RuleID="ID_DENY_D_95"/>
<FileRuleRef RuleID="ID_DENY_D_96"/>
<FileRuleRef RuleID="ID_DENY_D_97"/>
<FileRuleRef RuleID="ID_DENY_D_98"/>
<FileRuleRef RuleID="ID_DENY_D_99"/>
<FileRuleRef RuleID="ID_DENY_D_100"/>
<FileRuleRef RuleID="ID_DENY_D_101"/>
<FileRuleRef RuleID="ID_DENY_D_102"/>
<FileRuleRef RuleID="ID_DENY_D_103"/>
<FileRuleRef RuleID="ID_DENY_D_104"/>
<FileRuleRef RuleID="ID_DENY_D_105"/>
<FileRuleRef RuleID="ID_DENY_D_106"/>
<FileRuleRef RuleID="ID_DENY_D_107"/>
<FileRuleRef RuleID="ID_DENY_D_108"/>
<FileRuleRef RuleID="ID_DENY_D_109"/>
<FileRuleRef RuleID="ID_DENY_D_110"/>
<FileRuleRef RuleID="ID_DENY_D_111"/>
<FileRuleRef RuleID="ID_DENY_D_112"/>
<FileRuleRef RuleID="ID_DENY_D_113"/>
<FileRuleRef RuleID="ID_DENY_D_114"/>
<FileRuleRef RuleID="ID_DENY_D_115"/>
<FileRuleRef RuleID="ID_DENY_D_116"/>
<FileRuleRef RuleID="ID_DENY_D_117"/>
<FileRuleRef RuleID="ID_DENY_D_118"/>
<FileRuleRef RuleID="ID_DENY_D_119"/>
<FileRuleRef RuleID="ID_DENY_D_120"/>
<FileRuleRef RuleID="ID_DENY_D_121"/>
<FileRuleRef RuleID="ID_DENY_D_122"/>
<FileRuleRef RuleID="ID_DENY_D_123"/>
<FileRuleRef RuleID="ID_DENY_D_124"/>
<FileRuleRef RuleID="ID_DENY_D_125"/>
<FileRuleRef RuleID="ID_DENY_D_126"/>
<FileRuleRef RuleID="ID_DENY_D_127"/>
<FileRuleRef RuleID="ID_DENY_D_128"/>
<FileRuleRef RuleID="ID_DENY_D_129"/>
<FileRuleRef RuleID="ID_DENY_D_130"/>
<FileRuleRef RuleID="ID_DENY_D_131"/>
<FileRuleRef RuleID="ID_DENY_D_132"/>
<FileRuleRef RuleID="ID_DENY_D_133"/>
<FileRuleRef RuleID="ID_DENY_D_134"/>
<FileRuleRef RuleID="ID_DENY_D_135"/>
<FileRuleRef RuleID="ID_DENY_D_136"/>
<FileRuleRef RuleID="ID_DENY_D_137"/>
<FileRuleRef RuleID="ID_DENY_D_138"/>
<FileRuleRef RuleID="ID_DENY_D_139"/>
<FileRuleRef RuleID="ID_DENY_D_140"/>
<FileRuleRef RuleID="ID_DENY_D_141"/>
<FileRuleRef RuleID="ID_DENY_D_142"/>
<FileRuleRef RuleID="ID_DENY_D_143"/>
<FileRuleRef RuleID="ID_DENY_D_144"/>
<FileRuleRef RuleID="ID_DENY_D_145"/>
<FileRuleRef RuleID="ID_DENY_D_146"/>
<FileRuleRef RuleID="ID_DENY_D_147"/>
<FileRuleRef RuleID="ID_DENY_D_148"/>
<FileRuleRef RuleID="ID_DENY_D_149"/>
<FileRuleRef RuleID="ID_DENY_D_150"/>
<FileRuleRef RuleID="ID_DENY_D_151"/>
<FileRuleRef RuleID="ID_DENY_D_152"/>
<FileRuleRef RuleID="ID_DENY_D_153"/>
<FileRuleRef RuleID="ID_DENY_D_154"/>
<FileRuleRef RuleID="ID_DENY_D_155"/>
<FileRuleRef RuleID="ID_DENY_D_156"/>
<FileRuleRef RuleID="ID_DENY_D_157"/>
<FileRuleRef RuleID="ID_DENY_D_158"/>
<FileRuleRef RuleID="ID_DENY_D_159"/>
<FileRuleRef RuleID="ID_DENY_D_160"/>
<FileRuleRef RuleID="ID_DENY_D_161"/>
<FileRuleRef RuleID="ID_DENY_D_162"/>
<FileRuleRef RuleID="ID_DENY_D_163"/>
<FileRuleRef RuleID="ID_DENY_D_164"/>
<FileRuleRef RuleID="ID_DENY_D_165"/>
<FileRuleRef RuleID="ID_DENY_D_166"/>
<FileRuleRef RuleID="ID_DENY_D_167"/>
<FileRuleRef RuleID="ID_DENY_D_168"/>
<FileRuleRef RuleID="ID_DENY_D_169"/>
<FileRuleRef RuleID="ID_DENY_D_170"/>
<FileRuleRef RuleID="ID_DENY_D_171"/>
<FileRuleRef RuleID="ID_DENY_D_172"/>
<FileRuleRef RuleID="ID_DENY_D_173"/>
<FileRuleRef RuleID="ID_DENY_D_174"/>
<FileRuleRef RuleID="ID_DENY_D_175"/>
<FileRuleRef RuleID="ID_DENY_D_176"/>
<FileRuleRef RuleID="ID_DENY_D_177"/>
<FileRuleRef RuleID="ID_DENY_D_178"/>
<FileRuleRef RuleID="ID_DENY_D_179"/>
<FileRuleRef RuleID="ID_DENY_D_180"/>
<FileRuleRef RuleID="ID_DENY_D_181"/>
<FileRuleRef RuleID="ID_DENY_D_182"/>
<FileRuleRef RuleID="ID_DENY_D_183"/>
<FileRuleRef RuleID="ID_DENY_D_184"/>
<FileRuleRef RuleID="ID_DENY_D_185"/>
<FileRuleRef RuleID="ID_DENY_D_186"/>
<FileRuleRef RuleID="ID_DENY_D_187"/>
<FileRuleRef RuleID="ID_DENY_D_188"/>
<FileRuleRef RuleID="ID_DENY_D_189"/>
<FileRuleRef RuleID="ID_DENY_D_190"/>
<FileRuleRef RuleID="ID_DENY_D_191"/>
<FileRuleRef RuleID="ID_DENY_D_192"/>
<FileRuleRef RuleID="ID_DENY_D_193"/>
<FileRuleRef RuleID="ID_DENY_D_194"/>
<FileRuleRef RuleID="ID_DENY_D_195"/>
<FileRuleRef RuleID="ID_DENY_D_196"/>
<FileRuleRef RuleID="ID_DENY_D_197"/>
<FileRuleRef RuleID="ID_DENY_D_198"/>
<FileRuleRef RuleID="ID_DENY_D_199"/>
<FileRuleRef RuleID="ID_DENY_D_200"/>
<FileRuleRef RuleID="ID_DENY_D_201"/>
<FileRuleRef RuleID="ID_DENY_D_202"/>
<FileRuleRef RuleID="ID_DENY_D_203"/>
<FileRuleRef RuleID="ID_DENY_D_204"/>
<FileRuleRef RuleID="ID_DENY_D_205"/>
<FileRuleRef RuleID="ID_DENY_D_206"/>
<FileRuleRef RuleID="ID_DENY_D_207"/>
<FileRuleRef RuleID="ID_DENY_D_208"/>
<FileRuleRef RuleID="ID_DENY_D_209"/>
<FileRuleRef RuleID="ID_DENY_D_210"/>
<FileRuleRef RuleID="ID_DENY_D_211"/>
<FileRuleRef RuleID="ID_DENY_D_212"/>
<FileRuleRef RuleID="ID_DENY_D_213"/>
<FileRuleRef RuleID="ID_DENY_D_214"/>
<FileRuleRef RuleID="ID_DENY_D_215"/>
<FileRuleRef RuleID="ID_DENY_D_216"/>
<FileRuleRef RuleID="ID_DENY_D_217"/>
<FileRuleRef RuleID="ID_DENY_D_218"/>
<FileRuleRef RuleID="ID_DENY_D_219"/>
<FileRuleRef RuleID="ID_DENY_D_220"/>
<FileRuleRef RuleID="ID_DENY_D_221"/>
<FileRuleRef RuleID="ID_DENY_D_222"/>
<FileRuleRef RuleID="ID_DENY_D_223"/>
<FileRuleRef RuleID="ID_DENY_D_224"/>
<FileRuleRef RuleID="ID_DENY_D_225"/>
<FileRuleRef RuleID="ID_DENY_D_226"/>
<FileRuleRef RuleID="ID_DENY_D_227"/>
<FileRuleRef RuleID="ID_DENY_D_228"/>
<FileRuleRef RuleID="ID_DENY_D_229"/>
<FileRuleRef RuleID="ID_DENY_D_230"/>
<FileRuleRef RuleID="ID_DENY_D_231"/>
<FileRuleRef RuleID="ID_DENY_D_232"/>
<FileRuleRef RuleID="ID_DENY_D_233"/>
<FileRuleRef RuleID="ID_DENY_D_234"/>
<FileRuleRef RuleID="ID_DENY_D_235"/>
<FileRuleRef RuleID="ID_DENY_D_236"/>
<FileRuleRef RuleID="ID_DENY_D_237"/>
<FileRuleRef RuleID="ID_DENY_D_238"/>
<FileRuleRef RuleID="ID_DENY_D_239"/>
<FileRuleRef RuleID="ID_DENY_D_240"/>
<FileRuleRef RuleID="ID_DENY_D_241"/>
<FileRuleRef RuleID="ID_DENY_D_242"/>
<FileRuleRef RuleID="ID_DENY_D_243"/>
<FileRuleRef RuleID="ID_DENY_D_244"/>
<FileRuleRef RuleID="ID_DENY_D_245"/>
<FileRuleRef RuleID="ID_DENY_D_246"/>
<FileRuleRef RuleID="ID_DENY_D_247"/>
<FileRuleRef RuleID="ID_DENY_D_248"/>
</FileRulesRef> </FileRulesRef>
</ProductSigners> </ProductSigners>
</SigningScenario> </SigningScenario>
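Review bot: ID_DENY_D_27 through ID_DENY_D_34 lose the space before `/>` here, while the unchanged ID_DENY_D_1 to ID_DENY_D_26 lines keep it and the previous hunk adds it, which leaves mixed spacing inside one FileRulesRef; use one form throughout. With 214 references added (ID_DENY_D_35 to ID_DENY_D_248), it is also worth confirming before merge that every RuleID has exactly one matching Deny ID in FileRules and that every Deny ID is referenced, since a reference to an undefined rule or a Deny rule without a reference is easy to miss in a list this long.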
@ -253,7 +691,7 @@ To create a code integrity policy, copy each of the following commands into an e
` New-CIPolicy -Level PcaCertificate -FilePath $InitialCIPolicy UserPEs 3> CIPolicyLog.txt ` ` New-CIPolicy -Level PcaCertificate -FilePath $InitialCIPolicy UserPEs 3> CIPolicyLog.txt `
> [!Notes] > [!Note]
> - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the code integrity policy. In contrast, if you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers, in other words, the whitelist will not include applications. If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Windows Defender Device Guard. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application. > - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the code integrity policy. In contrast, if you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers, in other words, the whitelist will not include applications. If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Windows Defender Device Guard. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application.
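Review bot: In the New-CIPolicy command shown as context at the top of this hunk, `UserPEs` has no leading hyphen, although the note directly below it refers to the **-UserPEs** parameter. Since this hunk already corrects the note marker ([!Notes] to [!Note]), fix the command to read `-UserPEs` in the same change, so that readers who copy it get user mode executables included in the scan as the note describes.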
@ -297,7 +735,7 @@ When code integrity policies are run in audit mode, it allows administrators to
> [!Note] > [!Note]
> - The illustration shows the example file name *DeviceGuardPolicy.bin* because this name was used earlier in this topic, in [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer). Also, this policy file does not need to be copied to every system. You can instead copy the code integrity policies to a file share to which all computer accounts have access. > - The illustration shows the example file name *DeviceGuardPolicy.bin* because this name was used earlier in this topic, in [Create a code integrity policy from a reference computer](#create-a-code-integrity-policy-from-a-golden-computer). Also, this policy file does not need to be copied to every system. You can instead copy the code integrity policies to a file share to which all computer accounts have access.
> - Any policy you select here is converted to SIPolicy.p7b when it is deployed to the individual computers. > - Any policy you select here is converted to SIPolicy.p7b when it is deployed to the individual computers.
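Review bot: The link text changes to "reference computer" but the target stays #create-a-code-integrity-policy-from-a-golden-computer. If the section heading is renamed as part of the same terminology change, its generated anchor changes with it and this link breaks; update the fragment to match the heading, or confirm that the heading keeps its old wording.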
@ -464,15 +902,17 @@ Now that this policy is in enforced mode, you can deploy it to your test compute
## Signing code integrity policies with SignTool.exe ## Signing code integrity policies with SignTool.exe
Signed code integrity policies give organizations the highest level of malware protection available in Windows 10. In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the computer. These policies are designed to prevent administrative tampering and kernel mode exploit access. With this in mind, it is much more difficult to remove signed code integrity policies than unsigned ones. Before you sign and deploy a signed code integrity policy, we recommend that you audit the policy to discover any blocked applications that should be allowed to run. For more information about how to audit code integrity policies, see the [Audit code integrity policies](#audit-code-integrity-policies) section. Signed code integrity policies give organizations the highest level of malware protection available in Windows 10.
In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the computer.
These policies are designed to prevent administrative tampering and kernel mode exploit access.
With this in mind, it is much more difficult to remove signed code integrity policies.
Before you sign and deploy a signed code integrity policy, we recommend that you [audit the policy](#audit-code-integrity-policies) to discover any blocked applications that should be allowed to run.
Signing code integrity policies by using an on-premises CA-generated certificate or a purchased code signing certificate is straightforward. If you do not currently have a code signing certificate exported in .pfx format (containing private keys, extensions, and root certificates), see [Optional: Create a code signing certificate for code integrity policies](optional-create-a-code-signing-certificate-for-code-integrity-policies.md) to create one with your on-premises CA. Signing code integrity policies by using an on-premises CA-generated certificate or a purchased code signing certificate is straightforward.
If you do not currently have a code signing certificate exported in .pfx format (containing private keys, extensions, and root certificates), see [Optional: Create a code signing certificate for code integrity policies](optional-create-a-code-signing-certificate-for-code-integrity-policies.md) to create one with your on-premises CA.
Before signing code integrity policies for the first time, be sure to enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath <PathAndFilename> -Option 9` even if you're not sure whether the option is already enabled—if so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Code integrity policy rules](deploy-code-integrity-policies-policy-rules-and-file-rules.md#code-integrity-policy-rules) in "Deploy code integrity policies: policy rules and file rules." Before signing code integrity policies for the first time, be sure to enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath <PathAndFilename> -Option 9` even if you're not sure whether the option is already enabled—if so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Code integrity policy rules](deploy-code-integrity-policies-policy-rules-and-file-rules.md#code-integrity-policy-rules) in "Deploy code integrity policies: policy rules and file rules."
> [!Note]
> Signing code integrity policies is the last step in a code integrity deployment. It is much more difficult to remove a signed code integrity policy than an unsigned one. Before you deploy a signed code integrity policy to deployed client computers, be sure to test its effect on a subset of computers.
To sign a code integrity policy with SignTool.exe, you need the following components: To sign a code integrity policy with SignTool.exe, you need the following components:
- SignTool.exe, found in the Windows SDK (Windows 7 or later) - SignTool.exe, found in the Windows SDK (Windows 7 or later)
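
Review bot: In the rewritten intro, "With this in mind, it is much more difficult to remove signed code integrity policies." has lost "than unsigned ones", so the comparative has nothing to compare against; restore the phrase. The Note that called signing the last step of a deployment and asked for testing on a subset of computers appears on only one side of this hunk. If it is being dropped, keep the subset-testing advice somewhere in the section, because the audit link alone does not say it. Separately, the text asks for rule options 9 and 10 but the sample command only shows `-Option 9`; showing the second invocation for option 10 would remove the guesswork.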

View File

@ -16,7 +16,9 @@ author: brianlic-msft
As you deploy code integrity policies (part of Windows Defender Device Guard), you might need to sign catalog files or code integrity policies internally. To do this, you will either need a publicly issued code signing certificate or an internal CA. If you have purchased a code signing certificate, you can skip this topic and instead follow other topics listed in [Deploy Windows Defender Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md). As you deploy code integrity policies (part of Windows Defender Device Guard), you might need to sign catalog files or code integrity policies internally. To do this, you will either need a publicly issued code signing certificate or an internal CA. If you have purchased a code signing certificate, you can skip this topic and instead follow other topics listed in [Deploy Windows Defender Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md).
If you have not purchased a certificate but have an internal CA, complete these steps to create a code signing certificate: If you have an internal CA, complete these steps to create a code signing certificate.
Only RSA algorithm is supported for the code signing certificate, and signatures must be PKCS 1.5 padded.
ECDSA is not supported.
1. Open the Certification Authority Microsoft Management Console (MMC) snap-in, and then select your issuing CA. 1. Open the Certification Authority Microsoft Management Console (MMC) snap-in, and then select your issuing CA.
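
Review bot: The added constraint lines sit between "complete these steps to create a code signing certificate." and step 1 with no blank line, so they render as part of the same paragraph and the lead-in no longer introduces the numbered list. Move the RSA requirement above the lead-in or into a Note block. Wording: "Only RSA algorithm is supported" should read "Only the RSA algorithm is supported", and the padding scheme is normally written "PKCS #1 v1.5" rather than "PKCS 1.5". Since an ECDSA certificate is stated to be unsupported, it would also help to say at which step below the algorithm is chosen, so readers can check it before issuing the certificate.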

View File

@ -136,6 +136,7 @@
### [Windows Defender AV on Windows Server 2016](windows-defender-antivirus\windows-defender-antivirus-on-windows-server-2016.md) ### [Windows Defender AV on Windows Server 2016](windows-defender-antivirus\windows-defender-antivirus-on-windows-server-2016.md)
### [Windows Defender Antivirus compatibility](windows-defender-antivirus\windows-defender-antivirus-compatibility.md) ### [Windows Defender Antivirus compatibility](windows-defender-antivirus\windows-defender-antivirus-compatibility.md)
#### [Use limited periodic scanning in Windows Defender AV](windows-defender-antivirus\limited-periodic-scanning-windows-defender-antivirus.md)
### [Evaluate Windows Defender Antivirus protection](windows-defender-antivirus\evaluate-windows-defender-antivirus.md) ### [Evaluate Windows Defender Antivirus protection](windows-defender-antivirus\evaluate-windows-defender-antivirus.md)

View File

@ -34,7 +34,7 @@ ms.date: 08/25/2017
- Windows Defender Security Center app - Windows Defender Security Center app
Block at First Sight is a feature of Windows Defender Antivirus cloud-delivered protection that provides a way to detect and block new malware within seconds. Block at first sight is a feature of Windows Defender Antivirus cloud-delivered protection that provides a way to detect and block new malware within seconds.
It is enabled by default when certain pre-requisite settings are also enabled. In most cases, these pre-requisite settings are also enabled by default, so the feature is running without any intervention. You can use group policy settings to confirm the feature is enabled. It is enabled by default when certain pre-requisite settings are also enabled. In most cases, these pre-requisite settings are also enabled by default, so the feature is running without any intervention. You can use group policy settings to confirm the feature is enabled.

View File

@ -82,19 +82,7 @@ Hiding notifications can be useful in situations where you cannot hide the entir
> [!NOTE] > [!NOTE]
> Hiding notifications will only occur on endpoints to which the policy has been deployed. Notifications related to actions that must be taken (such as a reboot) will still appear on the [System Center Configuration Manager Endpoint Protection monitoring dashboard and reports](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection). > Hiding notifications will only occur on endpoints to which the policy has been deployed. Notifications related to actions that must be taken (such as a reboot) will still appear on the [System Center Configuration Manager Endpoint Protection monitoring dashboard and reports](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection).
**Use Group Policy to display additional, custom text in notifications:** See the [Customize the Windows Defender Security Center app for your organization](/windows/threat-protection/windows-defender-security-center/windows-defender-security-center-antivirus.md) topic for instructions to add cusomt contact information to the notifications that users see on their machines.
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**.
6. Double-click the **Display additional text to clients when they need to perform an action** setting and set the option to **Enabled**.
7. Enter the additional text you want to be shown to users. Click **OK**.
**Use Group Policy to hide notifications:** **Use Group Policy to hide notifications:**
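
Review bot: Typo in the added line: "cusomt" should be "custom". The removed steps configured the Group Policy setting **Display additional text to clients when they need to perform an action**; please confirm the linked Security Center topic covers that setting, otherwise this page loses the only instructions for it. The link also uses a site-absolute path ending in `.md`, while the same file name is linked as a bare relative path in the compatibility topic in this commit. Pick the form that resolves and use it in both places.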

View File

@ -0,0 +1,7 @@
<svg width="1rem" height="1rem" xmlns='http://www.w3.org/2000/svg' viewBox='0 0 140 140'>
<title>Check mark no</title>
<polygon
fill='#d83b01'
points='95.2 12.2 83 0 47.6 35.4 12.2 0 0 12.2 35.4 47.6 0 83 12.2 95.2 47.6 59.9 83 95.2 95.2 83 59.9 47.6 95.2 12.2'
/>
</svg>


View File

@ -0,0 +1,7 @@
<svg width="1rem" height="1rem" xmlns='http://www.w3.org/2000/svg' viewBox='0 0 140 140'>
<title>Check mark yes</title>
<path
fill='#0E8915'
d='M129 20L55 94 21 60 10 71l45 45 85-85z'
/>
</svg>


Binary file not shown.


Binary file not shown.


Binary file not shown.


Binary file not shown.


View File

@ -0,0 +1,72 @@
---
title: Enable the limited periodic scanning feature in Windows Defender AV
description: Limited periodic scanning lets you use Windows Defender AV in addition to your other installed AV providers
keywords: lps, limited, periodic, scan, scanning, compatibility, 3rd party, other av, disable
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 10/02/2017
---
# Use limited periodic scanning in Windows Defender AV
**Applies to:**
- Windows 10, version 1609
**Audience**
- Enterprise security administrators
**Manageability available with**
- Windows Defender Security Center app
Limited periodic scanning is a special type of threat detection and remediation that can be enabled when you have installed another antivirus product on a Windows 10 device.
It can only be enabled in certain situations. See the [Windows Defender Antivirus compatibility](windows-defender-antivirus-compatibility.md) topic for more information on when limited periodic scanning can be enabled, and how Windows Defender Antivirus works with other AV products.
## How to enable limited periodic scanning
By default, Windows Defender AV will enable itself on a Windows 10 device if there is no other antivirus product installed, or if the other AV product is out-of-date, expired, or not working correctly.
If Windows Defender AV is enabled, the usual options will appear to configure Windows Defender AV on that device:
![Windows Defender Security Center app showing Windows Defender AV options, including scan options, settings, and update options](images/vtp-wdav.png)
If another AV product is installed and working correctly, Windows Defender AV will disable itself. The Windows Defender Security Center app will change the **Virus & threat protection** section to show status about the AV product, and provide a link to the product's configuration options:
![Windows Defender Security Center app showing ContosoAV as the installed and running antivirus provider. There is a single link to open ContosoAV settings.](images/vtp-3ps.png)
Underneath any 3rd party AV products, a new link will appear as **Windows Defender Antivirus options**. Clicking this link will expand to show the toggle that enables limited periodic scanning.
![The limited periodic option is a toggle to enable or disable **periodic scanning**](images/vtp-3ps-lps.png)
Sliding the swtich to **On** will show the standard Windows Defender AV options underneath the 3rd party AV product. The limited periodic scanning option will appear at the bottom of the page.
![When enabled, periodic scanning shows the normal Windows Defender AV options](images/vtp-3ps-lps-on.png)
## Related topics
- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
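
Review bot: The front matter of this new topic sets `ms.pagetype: security` twice; drop one of them. "Applies to: Windows 10, version 1609" needs checking, because it does not match a released Windows 10 version number (1607 and 1703 are the neighbouring releases). Under "How to enable limited periodic scanning", "Sliding the swtich" should be "switch". The **Manageability available with** list names only the Windows Defender Security Center app; if that means there is no Group Policy or MDM control for this toggle, say so explicitly, since the audience line targets enterprise security administrators.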

View File

@ -15,7 +15,7 @@ ms.date: 09/07/2017
--- ---
# Windows Defender Antivirus and third party protection products # Windows Defender Antivirus compatibility
**Applies to:** **Applies to:**
@ -30,13 +30,11 @@ ms.date: 09/07/2017
Windows Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. Windows Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10.
However, on endpoints and devices that are protected with a non-Microsoft antivirus or antimalware app, Windows Defender AV will automatically disable itself. However, on endpoints and devices that are protected with a non-Microsoft antivirus or antimalware app, Windows Defender AV will automatically disable itself. You can then choose to enable an optional, limited protection feature, called [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md).
If you are also using Windows Defender Advanced Threat Protection, then Windows Defender AV will enter a passive mode. If you are also using Windows Defender Advanced Threat Protection, then Windows Defender AV will enter a passive mode.
On Windows Server 2016, Windows Defender AV will not enter passive or disabled mode if you have also installed a third-party antivirus product. See [Windows Defender Antivirus on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md) topic for key differences and management options for Windows Server installations. The following matrix illustrates the states that Windows Defender AV will enter when third-party antivirus products or Windows Defender ATP are also used.
The following matrix illustrates how Windows Defender AV operates when third-party antivirus products or Windows Defender ATP are also used.
Windows version | Antimalware protection offered by | Organization enrolled in Windows Defender ATP | Windows Defender AV state Windows version | Antimalware protection offered by | Organization enrolled in Windows Defender ATP | Windows Defender AV state
-|-|-|- -|-|-|-
@ -44,12 +42,19 @@ Windows 10 | A third-party product that is not offered or developed by Microsoft
Windows 10 | A third-party product that is not offered or developed by Microsoft | No | Automatic disabled mode Windows 10 | A third-party product that is not offered or developed by Microsoft | No | Automatic disabled mode
Windows 10 | Windows Defender AV | Yes | Active mode Windows 10 | Windows Defender AV | Yes | Active mode
Windows 10 | Windows Defender AV | No | Active mode Windows 10 | Windows Defender AV | No | Active mode
Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | Yes | Active mode Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | Yes | Active mode<sup>[[1](#fn1)]</sup>
Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | No | Active mode Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | No | Active mode<sup>[[1](#fn1)]<sup>
Windows Server 2016 | Windows Defender AV | Yes | Active mode Windows Server 2016 | Windows Defender AV | Yes | Active mode
Windows Server 2016 | Windows Defender AV | No | Active mode Windows Server 2016 | Windows Defender AV | No | Active mode
(<a id="fn1">1</a>) On Windows Server 2016, Windows Defender AV will not enter passive or disabled mode if you have also installed a third-party antivirus product. If you install a third-party antivirus product, you should [uninstall Windows Defender AV on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md) to prevent problems caused by having multiple antivirus products installed on a machine.
See the [Windows Defender Antivirus on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md#install-or-uninstall-windows-defender-av-on-windows-server-2016) topic for key differences and management options for Windows Server installations.
>[!IMPORTANT] >[!IMPORTANT]
>Windows Defender AV is only available on endpoints running Windows 10 or Windows Server 2016. >Windows Defender AV is only available on endpoints running Windows 10 or Windows Server 2016.
> >
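
Review bot: In the second Windows Server 2016 row the footnote marker ends with another `<sup>` instead of `</sup>` (`Active mode<sup>[[1](#fn1)]<sup>`), which leaves the element unclosed and will superscript whatever follows in the table. The footnote text and the sentence after it both link to the Windows Server 2016 topic; a single link using the `#install-or-uninstall-windows-defender-av-on-windows-server-2016` fragment is enough.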
@ -58,18 +63,19 @@ Windows Server 2016 | Windows Defender AV | No | Active mode
>Windows Defender is also offered for [consumer devices on Windows 8.1 and Windows Server 2012](https://technet.microsoft.com/en-us/library/dn344918#BKMK_WindowsDefender), although it does not provide enterprise-level management (or an interface on Windows Server 2012 Server Core installations). >Windows Defender is also offered for [consumer devices on Windows 8.1 and Windows Server 2012](https://technet.microsoft.com/en-us/library/dn344918#BKMK_WindowsDefender), although it does not provide enterprise-level management (or an interface on Windows Server 2012 Server Core installations).
This table indicates the functionality and features that are available in each state:
State | Description | [Real-time protection](configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | [Limited periodic scanning availability](limited-periodic-scanning-windows-defender-antivirus.md) | [File scanning and detection information](customize-run-review-remediate-scans-windows-defender-antivirus.md) | [Threat remediation](configure-remediation-windows-defender-antivirus.md) | [Threat definition updates](manage-updates-baselines-windows-defender-antivirus.md)
:-|:-|:-:|:-:|:-:|:-:|:-:
Passive mode | Windows Defender AV will not be used as the antivirus app, and threats will not be remediated by Windows Defender AV. Files will be scanned and reports will be provided for threat detections which are shared with the Windows Defender ATP service. | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)]
Automatic disabled mode | Windows Defender AV will not be used as the antivirus app. Files will not be scanned and threats will not be remediated. | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark no](images/svg/check-no.md)]
Active mode | Windows Defender AV is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files will be scanned and threats remediated, and detection information will be reported in your configuration tool (such as Configuration Manager or the Windows Defender AV app on the machine itself). | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)]
In the passive and automatic disabled modes, Windows Defender AV will continue to run (using the *msmpeng.exe* process), and will continue to be updated, however there will be no Windows Defender user interface, scheduled scans won't run, and Windows Defender AV will not provide real-time protection from malware. Passive mode is enabled if you are enrolled in Windows Defender ATP because [the service requires common information sharing from the Windows Defender AV service](../windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md) in order to properly monitor your devices and network for intrusion attempts and attacks.
The reasons for this are twofold: Automatic disabled mode is enabled so that if the protection offered by a third-party antivirus product goes out of date, is not updated, or stops providing real-time protection from viruses, malware, and other threats, Windows Defender AV will automatically enable itself to ensure antivirus protection is maintained on the endpoint. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md), which uses the Windows Defender AV engine to periodically check for threats in addition to your main antivirus app.
1. If you are enrolled in Windows Defender ATP, [the service requires common information sharing from the Windows Defender AV service](../windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md) in order to properly monitor your devices and network for intrusion attempts and attacks. In passive and automatic disabled mode, you can still [manage updates for Windows Defender AV](manage-updates-baselines-windows-defender-antivirus.md), however you can't move Windows Defender AV into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
2. If the protection offered by a third-party antivirus product goes out of date, is not updated, or stops providing real-time protection from viruses, malware, and other threats, then Windows Defender AV will automatically enable itself to ensure antivirus protection is maintained on the endpoint.
Therefore, the Windows Defender AV service needs to update itself to ensure it has up-to-date protection coverage in case it needs to automatically enable itself.
You can still [manage updates for Windows Defender](manage-updates-baselines-windows-defender-antivirus.md), however you can't move Windows Defender AV into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
If you uninstall the other product, and choose to use Windows Defender AV to provide protection to your endpoints, Windows Defender AV will automatically return to its normal active mode. If you uninstall the other product, and choose to use Windows Defender AV to provide protection to your endpoints, Windows Defender AV will automatically return to its normal active mode.
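
Review bot: The new state table and the paragraph under it disagree. The Automatic disabled mode row marks "Threat definition updates" as not available, while the text says "In passive and automatic disabled mode, you can still manage updates for Windows Defender AV", and the removed sentence explained that the service keeps updating so it is current if it has to enable itself. Correct whichever side is wrong. The same row's description says "Files will not be scanned" while limited periodic scanning is marked available for that state; qualifying it with "unless limited periodic scanning is enabled" would reconcile the two. The replacement for the old intro sentence about *msmpeng.exe* continuing to run is also gone, so the page no longer tells an administrator that the process is expected to be present in these modes.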
@ -77,6 +83,8 @@ The reasons for this are twofold:
>You should not attempt to disable, stop, or modify any of the associated services used by Windows Defender AV, Windows Defender ATP, or the Windows Defender Security Center app. >You should not attempt to disable, stop, or modify any of the associated services used by Windows Defender AV, Windows Defender ATP, or the Windows Defender Security Center app.
> >
>This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks. >This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks.
>
>It can also cause problems when using third-party antivirus apps and how their information is displayed in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md).
## Related topics ## Related topics
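
Review bot: The sentence added to the warning reads awkwardly ("cause problems when using third-party antivirus apps and how their information is displayed"); suggest "It can also cause problems with third-party antivirus apps and with how their information is displayed in the Windows Defender Security Center app." The link target `windows-defender-security-center-antivirus.md` is relative to this folder, but the notifications topic in this commit links the same file under `/windows/threat-protection/windows-defender-security-center/`, so one of the two paths is likely wrong.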

View File

@ -87,6 +87,8 @@ Uninstall-WindowsFeature -Name Windows-Defender-GUI
You can also uninstall Windows Defender AV completely with the **Remove Roles and Features Wizard** by deselecting the **Windows Defender Features** option at the **Features** step in the wizard. You can also uninstall Windows Defender AV completely with the **Remove Roles and Features Wizard** by deselecting the **Windows Defender Features** option at the **Features** step in the wizard.
This is useful if you have a third-party antivirus product installed on the machine already. Multiple AV products can cause problems when installed and actively running on the same machine. See the question "Should I run Microsoft security software at the same time as other security products?" on the [Windows Defender Security Intelligence Antivirus and antimalware software FAQ](https://www.microsoft.com/en-us/wdsi/help/antimalware-faq).
>[!NOTE] >[!NOTE]
>Deselecting **Windows Defender** on its own under the **Windows Defender Features** section will automatically prompt you to remove the interface option **GUI for Windows Defender**. >Deselecting **Windows Defender** on its own under the **Windows Defender Features** section will automatically prompt you to remove the interface option **GUI for Windows Defender**.
@ -144,8 +146,6 @@ By default, Windows Update does not download and install updates automatically o
To ensure that protection from malware is maintained, we recommend that you enable the following services: To ensure that protection from malware is maintained, we recommend that you enable the following services:
- Windows Defender Network Inspection service
- Windows Error Reporting service - Windows Error Reporting service
- Windows Update service - Windows Update service
@ -155,9 +155,8 @@ The following table lists the services for Windows Defender and the dependent se
|Service Name|File Location|Description| |Service Name|File Location|Description|
|--------|---------|--------| |--------|---------|--------|
|Windows Defender Service (Windefend)|C:\Program Files\Windows Defender\MsMpEng.exe|This is the main Windows Defender Antivirus service that needs to be running at all times.| |Windows Defender Service (Windefend)|C:\Program Files\Windows Defender\MsMpEng.exe|This is the main Windows Defender Antivirus service that needs to be running at all times.|
|Windows Defender Network Inspection Service (Wdnissvc)|C:\Program Files\Windows Defender\NisSrv.exe|This service is invoked when Windows Defender Antivirus encounters a trigger to load it.|
|Windows Error Reporting Service (Wersvc)|C:\WINDOWS\System32\svchost.exe -k WerSvcGroup|This service sends error reports back to Microsoft.| |Windows Error Reporting Service (Wersvc)|C:\WINDOWS\System32\svchost.exe -k WerSvcGroup|This service sends error reports back to Microsoft.|
|Windows Firewall (MpsSvc)|C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork|We recommend leaving the Windows Firewall service enabled.| |Windows Defender Firewall (MpsSvc)|C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork|We recommend leaving the Windows Defender Firewall service enabled.|
|Windows Update (Wuauserv)|C:\WINDOWS\system32\svchost.exe -k netsvcs|Windows Update is needed to get definition updates and antimalware engine updates| |Windows Update (Wuauserv)|C:\WINDOWS\system32\svchost.exe -k netsvcs|Windows Update is needed to get definition updates and antimalware engine updates|

Some files were not shown because too many files have changed in this diff