Merge remote-tracking branch 'refs/remotes/origin/master' into Fixing-typos

windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md

@@ -8,6 +8,7 @@ ms.mktglfcycl: explore
 ms.pagetype: security
 ms.sitesec: library
 author: eross-msft
+localizationpriority: high
 ---
 
 # Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality

windows/keep-secure/create-and-verify-an-efs-dra-certificate.md

@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
+localizationpriority: high
 ---
 
 # Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate

windows/keep-secure/create-vpn-and-wip-policy-using-intune.md

@@ -8,6 +8,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
+localizationpriority: high
 ---
 
 # Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune

windows/keep-secure/create-wip-policy-using-intune.md

@@ -7,6 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
+localizationpriority: high
 ---
 
 # Create a Windows Information Protection (WIP) policy using Microsoft Intune

windows/keep-secure/create-wip-policy-using-sccm.md

@@ -8,6 +8,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
+localizationpriority: high
 ---
 
 # Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager

windows/keep-secure/credential-guard.md

@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
+localizationpriority: high
 author: brianlic-msft
 ---
 # Protect derived domain credentials with Credential Guard
@@ -118,7 +119,7 @@ The PC must meet the following hardware and software requirements to use Credent
 </tr>
 <tr class="even">
 <td align="left"><p>Hypervisor</p></td>
-<td align="left"><p>Only the Windows hypervisor is supported.</p></td>
+<td align="left"><p>You must use the Windows hypervisor.</p></td>
 </tr>
 </tbody>
 </table>

windows/keep-secure/deploy-catalog-files-to-support-code-integrity-policies.md

@@ -4,6 +4,7 @@ description: This article describes how to deploy catalog files to support code
 keywords: virtualization, security, malware
 ms.prod: w10
 ms.mktglfcycl: deploy
+localizationpriority: high
 author: brianlic-msft
 ---
 

windows/keep-secure/deploy-code-integrity-policies-policy-rules-and-file-rules.md

@@ -4,6 +4,7 @@ description: This article provides information about two elements in code integr
 keywords: virtualization, security, malware
 ms.prod: w10
 ms.mktglfcycl: deploy
+localizationpriority: high
 author: brianlic-msft
 ---
 

windows/keep-secure/deploy-code-integrity-policies-steps.md

@@ -4,6 +4,7 @@ description: This article describes how to deploy code integrity policies, one o
 keywords: virtualization, security, malware
 ms.prod: w10
 ms.mktglfcycl: deploy
+localizationpriority: high
 author: brianlic-msft
 ---
 

windows/keep-secure/deploy-device-guard-deploy-code-integrity-policies.md

@@ -4,6 +4,7 @@ description: This article, and the articles it links to, describe how to create
 keywords: virtualization, security, malware
 ms.prod: w10
 ms.mktglfcycl: deploy
+localizationpriority: high
 author: brianlic-msft
 ---
 

windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md

@@ -4,6 +4,7 @@ description: This article describes how to enable virtualization-based security,
 keywords: virtualization, security, malware
 ms.prod: w10
 ms.mktglfcycl: deploy
+localizationpriority: high
 author: brianlic-msft
 ---
 

windows/keep-secure/deploy-wip-policy-using-intune.md

@@ -8,6 +8,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
+localizationpriority: high
 ---
 
 # Deploy your Windows Information Protection (WIP) policy using Microsoft Intune

windows/keep-secure/device-guard-deployment-guide.md

@@ -5,6 +5,7 @@ ms.assetid: 4BA52AA9-64D3-41F3-94B2-B87EC2717486
 keywords: virtualization, security, malware
 ms.prod: w10
 ms.mktglfcycl: deploy
+localizationpriority: high
 author: brianlic-msft
 ---
 

windows/keep-secure/enlightened-microsoft-apps-and-wip.md

@@ -8,6 +8,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
+localizationpriority: high
 ---
 
 # List of enlightened Microsoft apps for use with Windows Information Protection (WIP)

windows/keep-secure/guidance-and-best-practices-wip.md

@@ -8,6 +8,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
+localizationpriority: high
 ---
 
 # General guidance and best practices for Windows Information Protection (WIP)

windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md

@@ -4,6 +4,7 @@ description: Microsoft Device Guard is a feature set that consists of both hardw
 keywords: virtualization, security, malware
 ms.prod: w10
 ms.mktglfcycl: deploy
+localizationpriority: high
 author: brianlic-msft
 ---
 

windows/keep-secure/mandatory-settings-for-wip.md

@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
+localizationpriority: high
 ---
 
 # Mandatory tasks and settings required to turn on Windows Information Protection (WIP)

windows/keep-secure/optional-create-a-code-signing-certificate-for-code-integrity-policies.md

@@ -4,6 +4,7 @@ description: This article describes how to create a code signing certificate for
 keywords: virtualization, security, malware
 ms.prod: w10
 ms.mktglfcycl: deploy
+localizationpriority: high
 author: brianlic-msft
 ---
 

windows/keep-secure/override-mitigation-options-for-app-related-security-policies.md

@@ -45,12 +45,12 @@ Where the bit flags are read from right to left and are defined as:
 
 |Flag |Bit location |Setting |Details |
 |-----|--------------|--------|--------|
-|A |0 |PROCESS_CREATION_MITIGATION_<br>POLICY_DEP_ENABLE (0x00000001) |Turns on Data Execution Prevention (DEP) for child processes. |
-|B |1 |PROCESS_CREATION_MITIGATION_<br>POLICY_DEP_ATL_THUNK_ENABLE (0x00000002) |Turns on DEP-ATL thunk emulation for child processes. DEP-ATL thunk emulation lets the system intercept non-executable (NX) faults that originate from the Active Template Library (ATL) thunk layer, and then emulate and handle the instructions so the process can continue to run. |
-|C |2 |PROCESS_CREATION_MITIGATION_<br>POLICY_SEHOP_ENABLE (0x00000004) |Turns on Structured Exception Handler Overwrite Protection (SEHOP) for child processes. SEHOP helps to block exploits that use the Structured Exception Handler (SEH) overwrite technique. |
-|D |8 |PROCESS_CREATION_MITIGATION_<br>POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON (0x00000100) |Uses the force Address Space Layout Randomization (ASLR) setting to act as though an image base collision happened at load time, forcibly rebasing images that aren’t dynamic base compatible. Images without the base relocation section won’t be loaded if relocations are required. |
-|E |15 |PROCESS_CREATION_MITIGATION_<br>POLICY_BOTTOM_UP_ASLR_ALWAYS_ON (0x00010000) |Turns on the bottom-up randomization policy, which includes stack randomization options and causes a random location to be used as the lowest user address. |
-|F |16 |PROCESS_CREATION_MITIGATION_<br>POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF (0x00020000) |Turns off the bottom-up randomization policy, which includes stack randomization options and causes a random location to be used as the lowest user address. |
+|A |0 |`PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE (0x00000001)` |Turns on Data Execution Prevention (DEP) for child processes. |
+|B |1 |`PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE (0x00000002)` |Turns on DEP-ATL thunk emulation for child processes. DEP-ATL thunk emulation lets the system intercept non-executable (NX) faults that originate from the Active Template Library (ATL) thunk layer, and then emulate and handle the instructions so the process can continue to run. |
+|C |2 |`PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE (0x00000004)` |Turns on Structured Exception Handler Overwrite Protection (SEHOP) for child processes. SEHOP helps to block exploits that use the Structured Exception Handler (SEH) overwrite technique. |
+|D |8 |`PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON (0x00000100)` |Uses the force Address Space Layout Randomization (ASLR) setting to act as though an image base collision happened at load time, forcibly rebasing images that aren’t dynamic base compatible. Images without the base relocation section won’t be loaded if relocations are required. |
+|E |15 |`PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON (0x00010000)` |Turns on the bottom-up randomization policy, which includes stack randomization options and causes a random location to be used as the lowest user address. |
+|F |16 |`PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF (0x00020000)` |Turns off the bottom-up randomization policy, which includes stack randomization options and causes a random location to be used as the lowest user address. |
     
 ## Example
 If you want to turn on the **PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE** and **PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON** settings, turn off the **PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF** setting, and leave everything else as the default values, you’d want to type a value of `???????????????0???????1???????1`.

windows/keep-secure/overview-create-wip-policy.md

@@ -7,6 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
+localizationpriority: high
 ---
 
 # Create a Windows Information Protection (WIP) policy

windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process.md

@@ -4,6 +4,7 @@ description: To help you plan and begin the initial test stages of a deployment
 keywords: virtualization, security, malware
 ms.prod: w10
 ms.mktglfcycl: deploy
+localizationpriority: high
 author: brianlic-msft
 ---
 

windows/keep-secure/protect-enterprise-data-using-wip.md

@@ -8,6 +8,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
+localizationpriority: high
 ---
 
 # Protect your enterprise data using Windows Information Protection (WIP)

windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md

@@ -4,6 +4,7 @@ description: To help you plan a deployment of Microsoft Device Guard, this artic
 keywords: virtualization, security, malware
 ms.prod: w10
 ms.mktglfcycl: deploy
+localizationpriority: high
 author: brianlic-msft
 ---
 

windows/keep-secure/testing-scenarios-for-wip.md

@@ -8,6 +8,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
+localizationpriority: high
 ---
 
 # Testing scenarios for Windows Information Protection (WIP)

windows/keep-secure/wip-enterprise-overview.md

@@ -5,6 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
+localizationpriority: high
 ---
 
 # Windows Information Protection (WIP) overview

windows/manage/distribute-apps-from-your-private-store.md

@@ -7,6 +7,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
 author: TrudyHa
+localizationpriority: high
 ---
 
 # Distribute apps using your private store

windows/manage/manage-access-to-private-store.md

@@ -27,6 +27,22 @@ The private store is a feature in Store for Business that organizations receive
 
 Organizations using an MDM to manage apps can use a policy to show only the private store. When your MDM supports the Store for Business, the MDM can use the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#group-policy-table). More specifically, the **ApplicationManagement/RequirePrivateStoreOnly** policy.
 
+## Show private store only using Group Policy 
+
+If you're using Windows Store for Business and you want employees to only see apps you're managing in your private store, you can use Group Policy to show only the private store. Windows Store app will still be available, but employees can't view or purchase apps. Employees can view and install apps that the admin has added to your organization's private store.  
+
+**To show private store only in Windows Store app**
+
+1. Type **gpedit** in the search bar, and then select **Edit group policy (Control panel)** to find and start Group Policy Editor.
+
+2. In the console tree of the snap-in, go to **User Configuration** or **Computer Configuration** > **Administrative Templates** > **Windows Components**, and then click **Store**.
+
+3. Right-click **Only display the private store within the Windows Store app** in the right pane, and click **Edit**.
+
+    This opens the **Only display the private store within the Windows Store app** policy settings.
+
+4. On the **Only display the private store within the Windows Store app** setting page, click **Enabled**, and then click **OK**.
+
 You can also prevent employees from using the Windows Store. For more information, see [Configure access to Windows Store](stop-employees-from-using-the-windows-store.md).
 
 ## Related topics

windows/manage/manage-cortana-in-enterprise.md

@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: eross-msft
+localizationpriority: high
 ---
 
 # Cortana integration in your business or enterprise

windows/manage/manage-wifi-sense-in-enterprise.md

@@ -8,7 +8,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: mobile
 author: eross-msft
-localizationpriority: high
+localizationpriority: medium
 ---
 
 # Manage Wi-Fi Sense in your company

windows/manage/settings-reference-windows-store-for-business.md

@@ -7,6 +7,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
 author: TrudyHa
+localizationpriority: high
 ---
 
 # Settings reference: Windows Store for Business

windows/manage/stop-employees-from-using-the-windows-store.md

@@ -85,8 +85,25 @@ When your MDM tool supports Windows Store for Business, the MDM can use these CS
 -   [EnterpriseAssignedAccess](https://msdn.microsoft.com/library/windows/hardware/mt157024.aspx) (Windows 10 Mobile, only)
 
 For more information, see [Configure an MDM provider](configure-mdm-provider-windows-store-for-business.md).
-## Related topics
 
+## Show private store only using Group Policy 
+Applies to Windows 10 Enterprise, version 1607.
+
+If you're using Windows Store for Business and you want employees to only see apps you're managing in your private store, you can use Group Policy to show only the private store. Windows Store app will still be available, but employees can't view or purchase apps. Employees can view and install apps that the admin has added to your organization's private store. 
+
+**To show private store only in Windows Store app**
+
+1. Type **gpedit** in the search bar, and then select **Edit group policy (Control panel)** to find and start Group Policy Editor.
+
+2. In the console tree of the snap-in, go to **User Configuration** or **Computer Configuration** > **Administrative Templates** > **Windows Components**, and then click **Store**.
+
+3. Right-click **Only display the private store within the Windows Store app** in the right pane, and click **Edit**.
+
+    This opens the **Only display the private store within the Windows Store app** policy settings.
+
+4. On the **Only display the private store within the Windows Store app** setting page, click **Enabled**, and then click **OK**.
+
+## Related topics
 
 [Distribute apps using your private store](distribute-apps-from-your-private-store.md)
 

windows/manage/windows-store-for-business-overview.md

@@ -7,6 +7,7 @@ ms.pagetype: store, mobile
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: TrudyHa
+localizationpriority: high
 ---
 
 # Windows Store for Business overview