Merge branch 'master' into dansimp-autoir-update

.vscode/settings.json

@@ -0,0 +1,5 @@
+{
+    "cSpell.words": [
+        "emie"
+    ]
+}

browsers/edge/TOC.md

@@ -28,6 +28,6 @@
 
 ## [Change history for Microsoft Edge](change-history-for-microsoft-edge.md)
 
-## [Microsoft Edge Frequently Asked Questions (FAQs)](microsoft-edge-faq.md)
+## [Microsoft Edge Frequently Asked Questions (FAQs)](microsoft-edge-faq.yml)
 
 

browsers/edge/change-history-for-microsoft-edge.md

@@ -60,7 +60,7 @@ We have discontinued the **Configure Favorites** group policy, so use the [Provi
 
 |New or changed topic | Description |
 |---------------------|-------------|
-|[Microsoft Edge - Frequently Asked Questions (FAQs) for IT Pros](microsoft-edge-faq.md) | New |
+|[Microsoft Edge - Frequently Asked Questions (FAQs) for IT Pros](microsoft-edge-faq.yml) | New |
 
 ## February 2017
 

browsers/edge/microsoft-edge-faq.md

@@ -1,58 +0,0 @@
----
-title: Microsoft Edge - Frequently Asked Questions (FAQs) for IT Pros
-ms.reviewer: 
-audience: itpro
-manager: dansimp
-description: Answers to frequently asked questions about Microsoft Edge features, integration, support, and potential problems.
-author: dansimp
-ms.author: dansimp
-ms.prod: edge
-ms.topic: article
-ms.mktglfcycl: general
-ms.sitesec: library
-ms.localizationpriority: medium
----
-
-# Frequently Asked Questions (FAQs) for IT Pros
-
->Applies to: Microsoft Edge on Windows 10 and Windows 10 Mobile
-
-> [!NOTE]
-> You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).
-
-## How can I get the next major version of Microsoft Edge, based on Chromium?
-In December 2018, Microsoft [announced](https://blogs.windows.com/windowsexperience/2018/12/06/microsoft-edge-making-the-web-better-through-more-open-source-collaboration/#8jv53blDvL6TIKuS.97) our intention to adopt the Chromium open source project in the development of Microsoft Edge on the desktop, to create better web compatibility for our customers and less fragmentation of the web for all web developers. You can get more information at the [Microsoft Edge Insiders site](https://www.microsoftedgeinsider.com/).
-
-## What’s the difference between Microsoft Edge and Internet Explorer 11? How do I know which one to use?
-Microsoft Edge is the default browser for all Windows 10 devices. It’s built to be highly compatible with the modern web. For some enterprise web apps and a small set of sites that were built to work with older technologies like ActiveX, [you can use Enterprise Mode](emie-to-improve-compatibility.md) to automatically send users to Internet Explorer 11.
-
-For more information on how Internet Explorer and Microsoft Edge work together to support your legacy web apps, while still defaulting to the higher security and modern experiences enabled by Microsoft Edge, see [Legacy apps in the enterprise](https://blogs.windows.com/msedgedev/2017/04/07/legacy-web-apps-enterprise/#RAbtRvJSYFaKu2BI.97).
-
-## Does Microsoft Edge work with Enterprise Mode?
-[Enterprise Mode](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11) helps you run many legacy web applications with better backward compatibility. You can configure both Microsoft Edge and Internet Explorer to use the same Enterprise Mode Site List, switching seamlessly between browsers to support both modern and legacy web apps.
-
-## How do I customize Microsoft Edge and related settings for my organization?
-You can use Group Policy or Microsoft Intune to manage settings related to Microsoft Edge, such as security settings, folder redirection, and preferences. See [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/group-policies/) for a list of policies currently available for Microsoft Edge and configuration information. Note that the preview release of Chromium-based Microsoft Edge might not include management policies or other enterprise functionality; our focus during the preview is modern browser fundamentals.  
-
-## Is Adobe Flash supported in Microsoft Edge?
-Adobe Flash is currently supported as a built-in feature of Microsoft Edge on PCs running Windows 10. In July 2017, Adobe announced that Flash support will end after 2020. With this change to Adobe support, we’ve started to phase Flash out of  Microsoft Edge by adding the [Configure the Adobe Flash Click-to-Run setting group policy](https://docs.microsoft.com/microsoft-edge/deploy/available-policies#configure-the-adobe-flash-click-to-run-setting) - this lets you control which websites can run Adobe Flash content.
-
-To learn more about Microsoft’s plan for phasing Flash out of Microsoft Edge and Internet Explorer, see [The End of an Era — Next Steps for Adobe Flash](https://blogs.windows.com/msedgedev/2017/07/25/flash-on-windows-timeline/#3Bcc3QjRw0l7XsZ4.97) (blog article).
-
-## Does Microsoft Edge support ActiveX controls or BHOs like Silverlight or Java?
-No. Microsoft Edge doesn’t support ActiveX controls and BHOs like Silverlight or Java. If you’re running web apps that use ActiveX controls, x-ua-compatible headers, or legacy document modes, you need to keep running them in IE11. IE11 offers additional security, manageability, performance, backward compatibility, and standards support.
-
-## How often will Microsoft Edge be updated?
-In Windows 10, we’re delivering Windows as a service, updated on a cadence driven by quality and the availability of new features. Microsoft Edge security updates are released every two to four weeks, while bigger feature updates are included in the Windows 10 releases on a semi-annual cadence.
-
-## How can I provide feedback on Microsoft Edge?
-Microsoft Edge is an evergreen browser - we’ll continue to evolve both the web platform and the user interface with regular updates. To send feedback on user experience, or on broken or malicious sites, use the **Send Feedback** option under the ellipses icon (**...**) in the Microsoft Edge toolbar. 
-
-## Will Internet Explorer 11 continue to receive updates?
-We’re committed to keeping Internet Explorer a supported, reliable, and safe browser. Internet Explorer is still a component of Windows and follows the support lifecycle of the OS on which it’s installed. For details, see [Lifecycle FAQ - Internet Explorer](https://support.microsoft.com/help/17454/). While we continue to support and update Internet Explorer, the latest features and platform updates will only be available in Microsoft Edge.
-
-## How do I find out what version of Microsoft Edge I have?
-In the upper right corner of Microsoft Edge, click the ellipses icon (**...**), and then click **Settings**. Look in the **About Microsoft Edge** section to find your version.
-
-## What is Microsoft EdgeHTML?
-Microsoft EdgeHTML is the web rendering engine that powers the current Microsoft Edge web browser and Windows 10 web app platform. (As opposed to *Microsoft Edge, based on Chromium*.)

browsers/edge/microsoft-edge-faq.yml

@@ -0,0 +1,69 @@
+### YamlMime:FAQ
+metadata:
+  title: Microsoft Edge - Frequently Asked Questions (FAQs) for IT Pros
+  ms.reviewer: 
+  audience: itpro
+  manager: dansimp
+  description: Answers to frequently asked questions about Microsoft Edge features, integration, support, and potential problems.
+  author: dansimp
+  ms.author: dansimp
+  ms.prod: edge
+  ms.topic: article
+  ms.mktglfcycl: general
+  ms.sitesec: library
+  ms.localizationpriority: medium
+    
+title: Frequently Asked Questions (FAQs) for IT Pros
+summary: |
+  >Applies to: Microsoft Edge on Windows 10 and Windows 10 Mobile
+  
+  > [!NOTE]
+  > You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).
+  
+
+sections:
+  - name: Ignored
+    questions:
+      - question: How can I get the next major version of Microsoft Edge, based on Chromium?
+        answer: |
+          In December 2018, Microsoft [announced](https://blogs.windows.com/windowsexperience/2018/12/06/microsoft-edge-making-the-web-better-through-more-open-source-collaboration/#8jv53blDvL6TIKuS.97) our intention to adopt the Chromium open source project in the development of Microsoft Edge on the desktop, to create better web compatibility for our customers and less fragmentation of the web for all web developers. You can get more information at the [Microsoft Edge Insiders site](https://www.microsoftedgeinsider.com/).
+          
+      - question: What's the difference between Microsoft Edge and Internet Explorer 11? How do I know which one to use?
+        answer: |
+          Microsoft Edge is the default browser for all Windows 10 devices. It's built to be highly compatible with the modern web. For some enterprise web apps and a small set of sites that were built to work with older technologies like ActiveX, [you can use Enterprise Mode](emie-to-improve-compatibility.md) to automatically send users to Internet Explorer 11.
+          
+          For more information on how Internet Explorer and Microsoft Edge work together to support your legacy web apps, while still defaulting to the higher security and modern experiences enabled by Microsoft Edge, see [Legacy apps in the enterprise](https://blogs.windows.com/msedgedev/2017/04/07/legacy-web-apps-enterprise/#RAbtRvJSYFaKu2BI.97).
+          
+      - question: Does Microsoft Edge work with Enterprise Mode?
+        answer: |
+          [Enterprise Mode](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11) helps you run many legacy web applications with better backward compatibility. You can configure both Microsoft Edge and Internet Explorer to use the same Enterprise Mode Site List, switching seamlessly between browsers to support both modern and legacy web apps.
+          
+      - question: How do I customize Microsoft Edge and related settings for my organization?
+        answer: |
+          You can use Group Policy or Microsoft Intune to manage settings related to Microsoft Edge, such as security settings, folder redirection, and preferences. See [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/group-policies/) for a list of policies currently available for Microsoft Edge and configuration information. Note that the preview release of Chromium-based Microsoft Edge might not include management policies or other enterprise functionality; our focus during the preview is modern browser fundamentals.  
+          
+      - question: Is Adobe Flash supported in Microsoft Edge?
+        answer: |
+          Adobe Flash is currently supported as a built-in feature of Microsoft Edge on PCs running Windows 10. In July 2017, Adobe announced that Flash support will end after 2020. With this change to Adobe support, we've started to phase Flash out of  Microsoft Edge by adding the [Configure the Adobe Flash Click-to-Run setting group policy](https://docs.microsoft.com/microsoft-edge/deploy/available-policies#configure-the-adobe-flash-click-to-run-setting) - this lets you control which websites can run Adobe Flash content.
+          
+          To learn more about Microsoft's plan for phasing Flash out of Microsoft Edge and Internet Explorer, see [The End of an Era — Next Steps for Adobe Flash](https://blogs.windows.com/msedgedev/2017/07/25/flash-on-windows-timeline/#3Bcc3QjRw0l7XsZ4.97) (blog article).
+          
+      - question: Does Microsoft Edge support ActiveX controls or BHOs like Silverlight or Java?
+        answer: No, Microsoft Edge doesn't support ActiveX controls and BHOs like Silverlight or Java. If you're running web apps that use ActiveX controls, x-ua-compatible headers, or legacy document modes, you need to keep running them in Internet Explorer 11. Internet Explorer 11 offers additional security, manageability, performance, backward compatibility, and standards support.
+
+      - question: How often will Microsoft Edge be updated?
+        answer: In Windows 10, we're delivering Windows as a service, updated on a cadence driven by quality and the availability of new features. Microsoft Edge security updates are released every two to four weeks, while bigger feature updates are included in the Windows 10 releases on a semi-annual cadence.
+
+      - question: How can I provide feedback on Microsoft Edge?
+        answer: Microsoft Edge is an evergreen browser - we'll continue to evolve both the web platform and the user interface with regular updates. To send feedback on user experience, or on broken or malicious sites, use the **Send Feedback** option under the ellipses icon (**...**) in the Microsoft Edge toolbar. 
+
+      - question: Will Internet Explorer 11 continue to receive updates?
+        answer: |
+          We're committed to keeping Internet Explorer a supported, reliable, and safe browser. Internet Explorer is still a component of Windows and follows the support lifecycle of the OS on which it's installed. For details, see [Lifecycle FAQ - Internet Explorer](https://support.microsoft.com/help/17454/). While we continue to support and update Internet Explorer, the latest features and platform updates will only be available in Microsoft Edge.
+          
+      - question: How do I find out which version of Microsoft Edge I have?
+        answer: In the upper-right corner of Microsoft Edge, select the ellipses icon (**...**), and then select **Settings**. Look in the **About Microsoft Edge** section to find your version.
+
+      - question: What is Microsoft EdgeHTML?
+        answer: Microsoft EdgeHTML is the web rendering engine that powers the current Microsoft Edge web browser and Windows 10 web app platform (as opposed to *Microsoft Edge, based on Chromium*).
+

education/includes/education-content-updates.md

@@ -2,10 +2,9 @@
 
 
 
-## Week of October 19, 2020
+## Week of November 30, 2020
 
 
 | Published On |Topic title | Change |
 |------|------------|--------|
-| 10/22/2020 | [Microsoft 365 Education Documentation for developers](/education/developers) | modified |
-| 10/22/2020 | [Windows 10 editions for education customers](/education/windows/windows-editions-for-education-customers) | modified |
+| 12/4/2020 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified |

windows/client-management/mdm/TOC.md

@@ -186,21 +186,32 @@
 #### [ADMX_ControlPanelDisplay](policy-csp-admx-controlpaneldisplay.md)
 #### [ADMX_Cpls](policy-csp-admx-cpls.md)
 #### [ADMX_CredentialProviders](policy-csp-admx-credentialproviders.md)
+#### [ADMX_CredSsp](policy-csp-admx-credssp.md)
 #### [ADMX_CredUI](policy-csp-admx-credui.md)
 #### [ADMX_CtrlAltDel](policy-csp-admx-ctrlaltdel.md)
+#### [ADMX_DataCollection](policy-csp-admx-datacollection.md)
+#### [ADMX_Desktop](policy-csp-admx-desktop.md)
+#### [ADMX_DeviceInstallation](policy-csp-admx-deviceinstallation.md)
+#### [ADMX_DeviceSetup](policy-csp-admx-devicesetup.md)
 #### [ADMX_DigitalLocker](policy-csp-admx-digitallocker.md)
 #### [ADMX_DnsClient](policy-csp-admx-dnsclient.md)
 #### [ADMX_DWM](policy-csp-admx-dwm.md)
+#### [ADMX_EAIME](policy-csp-admx-eaime.md)
 #### [ADMX_EncryptFilesonMove](policy-csp-admx-encryptfilesonmove.md)
+#### [ADMX_EnhancedStorage](policy-csp-admx-enhancedstorage.md)
+#### [ADMX_ErrorReporting](policy-csp-admx-errorreporting.md)
 #### [ADMX_EventForwarding](policy-csp-admx-eventforwarding.md)
+#### [ADMX_EventLog](policy-csp-admx-eventlog.md)
 #### [ADMX_FileServerVSSProvider](policy-csp-admx-fileservervssprovider.md)
 #### [ADMX_FileSys](policy-csp-admx-filesys.md)
 #### [ADMX_FolderRedirection](policy-csp-admx-folderredirection.md)
 #### [ADMX_Help](policy-csp-admx-help.md)
 #### [ADMX_HelpAndSupport](policy-csp-admx-helpandsupport.md)
 #### [ADMX_kdc](policy-csp-admx-kdc.md)
+#### [ADMX_Kerberos](policy-csp-admx-kerberos.md)
 #### [ADMX_LanmanServer](policy-csp-admx-lanmanserver.md)
 #### [ADMX_LinkLayerTopologyDiscovery](policy-csp-admx-linklayertopologydiscovery.md)
+#### [ADMX_MicrosoftDefenderAntivirus](policy-csp-admx-microsoftdefenderantivirus.md)
 #### [ADMX_MMC](policy-csp-admx-mmc.md)
 #### [ADMX_MMCSnapins](policy-csp-admx-mmcsnapins.md)
 #### [ADMX_MSAPolicy](policy-csp-admx-msapolicy.md)
@@ -212,18 +223,21 @@
 #### [ADMX_PeerToPeerCaching](policy-csp-admx-peertopeercaching.md)
 #### [ADMX_PerformanceDiagnostics](policy-csp-admx-performancediagnostics.md)
 #### [ADMX_PowerShellExecutionPolicy](policy-csp-admx-powershellexecutionpolicy.md)
+#### [ADMX_Programs](policy-csp-admx-programs.md)
 #### [ADMX_Reliability](policy-csp-admx-reliability.md)
 #### [ADMX_Scripts](policy-csp-admx-scripts.md)
 #### [ADMX_sdiageng](policy-csp-admx-sdiageng.md)
 #### [ADMX_Securitycenter](policy-csp-admx-securitycenter.md)
 #### [ADMX_Sensors](policy-csp-admx-sensors.md)
 #### [ADMX_Servicing](policy-csp-admx-servicing.md)
+#### [ADMX_SettingSync](policy-csp-admx-settingsync.md)
 #### [ADMX_SharedFolders](policy-csp-admx-sharedfolders.md)
 #### [ADMX_Sharing](policy-csp-admx-sharing.md)
 #### [ADMX_ShellCommandPromptRegEditTools](policy-csp-admx-shellcommandpromptregedittools.md)
 #### [ADMX_Smartcard](policy-csp-admx-smartcard.md)
 #### [ADMX_Snmp](policy-csp-admx-snmp.md)
 #### [ADMX_StartMenu](policy-csp-admx-startmenu.md)
+#### [ADMX_SystemRestore](policy-csp-admx-systemrestore.md)
 #### [ADMX_Taskbar](policy-csp-admx-taskbar.md)
 #### [ADMX_tcpip](policy-csp-admx-tcpip.md)
 #### [ADMX_Thumbnails](policy-csp-admx-thumbnails.md)
@@ -242,6 +256,7 @@
 #### [ADMX_WinInit](policy-csp-admx-wininit.md)
 #### [ADMX_WinLogon](policy-csp-admx-winlogon.md)
 #### [ADMX_wlansvc](policy-csp-admx-wlansvc.md)
+#### [ADMX_WPN](policy-csp-admx-wpn.md)
 #### [ApplicationDefaults](policy-csp-applicationdefaults.md)
 #### [ApplicationManagement](policy-csp-applicationmanagement.md)
 #### [AppRuntime](policy-csp-appruntime.md)

windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md

@@ -113,8 +113,7 @@ Requirements:
 4. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in Windows 10, version 1709). For ADMX files in Windows 10, version 1903 and later, select **User Credential** as the Selected Credential Type to use.
 
    > [!NOTE]
-   > **Device Credential** Credential Type will also work, however, it is not yet supported for MDM solutions (including Intune). We don't recommend using this option until support is announced.
-
+   > **Device Credential** Credential Type may work, however, it is not yet supported by Intune. We don't recommend using this option until it's supported. 
    ![MDM autoenrollment policy](images/autoenrollment-policy.png)
 
 5. Click **Enable**, and select **User Credential** from the dropdown **Select Credential Type to Use**, then click **OK**.
@@ -184,6 +183,8 @@ Requirements:
    
    - 2004 --> [Administrative Templates (.admx) for Windows 10 May 2020 Update (2004)](https://www.microsoft.com/download/confirmation.aspx?id=101445)
    
+   - 20H2 --> [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/details.aspx?id=102157)
+
 2. Install the package on the Domain Controller.
 
 3. Navigate, depending on the version to the folder:
@@ -198,6 +199,8 @@ Requirements:
 
    - 2004 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2020 Update (2004)**
    
+   - 20H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2020 Update (20H2)**
+
 4. Rename the extracted Policy Definitions folder to **PolicyDefinitions**.
 
 5. Copy PolicyDefinitions folder to **C:\Windows\SYSVOL\domain\Policies**.

windows/client-management/mdm/get-localized-product-details.md

@@ -1,6 +1,6 @@
 ---
 title: Get localized product details
-description: The Get localized product details operation retrieves the localization information of a product from the Micosoft Store for Business.
+description: The Get localized product details operation retrieves the localization information of a product from the Microsoft Store for Business.
 ms.assetid: EF6AFCA9-8699-46C9-A3BB-CD2750C07901
 ms.reviewer: 
 manager: dansimp
@@ -9,12 +9,12 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: manikadhiman
-ms.date: 09/18/2017
+ms.date: 12/07/2020
 ---
 
 # Get localized product details
 
-The **Get localized product details** operation retrieves the localization information of a product from the Micosoft Store for Business.
+The **Get localized product details** operation retrieves the localization information of a product from the Microsoft Store for Business.
 
 ## Request
 

windows/client-management/mdm/policies-in-policy-csp-admx-backed.md

@@ -103,12 +103,63 @@ ms.date: 10/08/2020
 - [ADMX_CredentialProviders/AllowDomainDelayLock](./policy-csp-admx-credentialproviders.md#admx-credentialproviders-allowdomaindelaylock)
 - [ADMX_CredentialProviders/DefaultCredentialProvider](./policy-csp-admx-credentialproviders.md#admx-credentialproviders-defaultcredentialprovider)
 - [ADMX_CredentialProviders/ExcludedCredentialProviders](./policy-csp-admx-credentialproviders.md#admx-credentialproviders-excludedcredentialproviders)
+- [ADMX_CredSsp/AllowDefCredentialsWhenNTLMOnly](./policy-csp-admx-credssp.md#admx-credssp-allowdefcredentialswhenntlmonly)
+- [ADMX_CredSsp/AllowDefaultCredentials](./policy-csp-admx-credssp.md#admx-credssp-allowdefaultcredentials)
+- [ADMX_CredSsp/AllowEncryptionOracle](./policy-csp-admx-credssp.md#admx-credssp-allowencryptionoracle)
+- [ADMX_CredSsp/AllowFreshCredentials](./policy-csp-admx-credssp.md#admx-credssp-allowfreshcredentials)
+- [ADMX_CredSsp/AllowFreshCredentialsWhenNTLMOnly](./policy-csp-admx-credssp.md#admx-credssp-allowfreshcredentialswhenntlmonly)
+- [ADMX_CredSsp/AllowSavedCredentials](./policy-csp-admx-credssp.md#admx-credssp-allowsavedcredentials)
+- [ADMX_CredSsp/AllowSavedCredentialsWhenNTLMOnly](./policy-csp-admx-credssp.md#admx-credssp-allowsavedcredentialswhenntlmonly)
+- [ADMX_CredSsp/DenyDefaultCredentials](./policy-csp-admx-credssp.md#admx-credssp-denydefaultcredentials)
+- [ADMX_CredSsp/DenyFreshCredentials](./policy-csp-admx-credssp.md#admx-credssp-denyfreshcredentials)
+- [ADMX_CredSsp/DenySavedCredentials](./policy-csp-admx-credssp.md#admx-credssp-denysavedcredentials)
+- [ADMX_CredSsp/RestrictedRemoteAdministration](./policy-csp-admx-credssp.md#admx-credssp-restrictedremoteadministration)
 - [ADMX_CredUI/EnableSecureCredentialPrompting](./policy-csp-admx-credui.md#admx-credui-enablesecurecredentialprompting)
 - [ADMX_CredUI/NoLocalPasswordResetQuestions](./policy-csp-admx-credui.md#admx-credui-nolocalpasswordresetquestions)
 - [ADMX_CtrlAltDel/DisableChangePassword](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-disablechangepassword)
 - [ADMX_CtrlAltDel/DisableLockComputer](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-disablelockcomputer)
 - [ADMX_CtrlAltDel/DisableTaskMgr](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-disabletaskmgr)
 - [ADMX_CtrlAltDel/NoLogoff](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-nologoff)
+- [ADMX_DataCollection/CommercialIdPolicy](./policy-csp-admx-datacollection.md#admx-datacollection-commercialidpolicy)
+- [ADMX_Desktop/AD_EnableFilter](./policy-csp-admx-desktop.md#admx-desktop-ad-enablefilter)
+- [ADMX_Desktop/AD_HideDirectoryFolder](./policy-csp-admx-desktop.md#admx-desktop-ad-hidedirectoryfolder)
+- [ADMX_Desktop/AD_QueryLimit](./policy-csp-admx-desktop.md#admx-desktop-ad-querylimit)
+- [ADMX_Desktop/ForceActiveDesktopOn](./policy-csp-admx-desktop.md#admx-desktop-forceactivedesktopon)
+- [ADMX_Desktop/NoActiveDesktop](./policy-csp-admx-desktop.md#admx-desktop-noactivedesktop)
+- [ADMX_Desktop/NoActiveDesktopChanges](./policy-csp-admx-desktop.md#admx-desktop-noactivedesktopchanges)
+- [ADMX_Desktop/NoDesktop](./policy-csp-admx-desktop.md#admx-desktop-nodesktop)
+- [ADMX_Desktop/NoDesktopCleanupWizard](./policy-csp-admx-desktop.md#admx-desktop-nodesktopcleanupwizard)
+- [ADMX_Desktop/NoInternetIcon](./policy-csp-admx-desktop.md#admx-desktop-nointerneticon)
+- [ADMX_Desktop/NoMyComputerIcon](./policy-csp-admx-desktop.md#admx-desktop-nomycomputericon)
+- [ADMX_Desktop/NoMyDocumentsIcon](./policy-csp-admx-desktop.md#admx-desktop-nomydocumentsicon)
+- [ADMX_Desktop/NoNetHood](./policy-csp-admx-desktop.md#admx-desktop-nonethood)
+- [ADMX_Desktop/NoPropertiesMyComputer](./policy-csp-admx-desktop.md#admx-desktop-nopropertiesmycomputer)
+- [ADMX_Desktop/NoPropertiesMyDocuments](./policy-csp-admx-desktop.md#admx-desktop-nopropertiesmydocuments)
+- [ADMX_Desktop/NoRecentDocsNetHood](./policy-csp-admx-desktop.md#admx-desktop-norecentdocsnethood)
+- [ADMX_Desktop/NoRecycleBinIcon](./policy-csp-admx-desktop.md#admx-desktop-norecyclebinicon)
+- [ADMX_Desktop/NoRecycleBinProperties](./policy-csp-admx-desktop.md#admx-desktop-norecyclebinproperties)
+- [ADMX_Desktop/NoSaveSettings](./policy-csp-admx-desktop.md#admx-desktop-nosavesettings)
+- [ADMX_Desktop/NoWindowMinimizingShortcuts](./policy-csp-admx-desktop.md#admx-desktop-nowindowminimizingshortcuts)
+- [ADMX_Desktop/Wallpaper](./policy-csp-admx-desktop.md#admx-desktop-wallpaper)
+- [ADMX_Desktop/sz_ATC_DisableAdd](./policy-csp-admx-desktop.md#admx-desktop-sz-atc-disableadd)
+- [ADMX_Desktop/sz_ATC_DisableClose](./policy-csp-admx-desktop.md#admx-desktop-sz-atc-disableclose)
+- [ADMX_Desktop/sz_ATC_DisableDel](./policy-csp-admx-desktop.md#admx-desktop-sz-atc-disabledel)
+- [ADMX_Desktop/sz_ATC_DisableEdit](./policy-csp-admx-desktop.md#admx-desktop-sz-atc-disableedit)
+- [ADMX_Desktop/sz_ATC_NoComponents](./policy-csp-admx-desktop.md#admx-desktop-sz-atc-nocomponents)
+- [ADMX_Desktop/sz_AdminComponents_Title](./policy-csp-admx-desktop.md#admx-desktop-sz-admincomponents-title)
+- [ADMX_Desktop/sz_DB_DragDropClose](./policy-csp-admx-desktop.md#admx-desktop-sz-db-dragdropclose)
+- [ADMX_Desktop/sz_DB_Moving](./policy-csp-admx-desktop.md#admx-desktop-sz-db-moving)
+- [ADMX_Desktop/sz_DWP_NoHTMLPaper](./policy-csp-admx-desktop.md#admx-desktop-sz-dwp-nohtmlpaper)
+- [ADMX_DeviceInstallation/DeviceInstall_AllowAdminInstall](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-allowadmininstall)
+- [ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_DetailText](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-deniedpolicy-detailtext)
+- [ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_SimpleText](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-deniedpolicy-simpletext)
+- [ADMX_DeviceInstallation/DeviceInstall_InstallTimeout](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-installtimeout)
+- [ADMX_DeviceInstallation/DeviceInstall_Policy_RebootTime](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-policy-reboottime)
+- [ADMX_DeviceInstallation/DeviceInstall_Removable_Deny](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-removable-deny)
+- [ADMX_DeviceInstallation/DeviceInstall_SystemRestore](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-systemrestore)
+- [ADMX_DeviceInstallation/DriverInstall_Classes_AllowUser](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-classes-allowuser)
+- [ADMX_DeviceSetup/DeviceInstall_BalloonTips](./policy-csp-admx-devicesetup.md#admx-devicesetup-deviceinstall-balloontips)
+- [ADMX_DeviceSetup/DriverSearchPlaces_SearchOrderConfiguration](./policy-csp-admx-devicesetup.md#admx-devicesetup-driversearchplaces-searchorderconfiguration)
 - [ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_1](./policy-csp-admx-digitallocker.md#admx-digitallocker-digitalx-diableapplication-titletext-1)
 - [ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_2](./policy-csp-admx-digitallocker.md#admx-digitallocker-digitalx-diableapplication-titletext-2)
 - [ADMX_DnsClient/DNS_AllowFQDNNetBiosQueries](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-allowfqdnnetbiosqueries)
@@ -139,9 +190,77 @@ ms.date: 10/08/2020
 - [ADMX_DWM/DwmDisallowAnimations_2](./policy-csp-admx-dwm.md#admx-dwm-dwmdisallowanimations-2)
 - [ADMX_DWM/DwmDisallowColorizationColorChanges_1](./policy-csp-admx-dwm.md#admx-dwm-dwmdisallowcolorizationcolorchanges-1)
 - [ADMX_DWM/DwmDisallowColorizationColorChanges_2](./policy-csp-admx-dwm.md#admx-dwm-dwmdisallowcolorizationcolorchanges-2)
+- [ADMX_EAIME/L_DoNotIncludeNonPublishingStandardGlyphInTheCandidateList](./policy-csp-admx-eaime.md#admx-eaime-l-donotincludenonpublishingstandardglyphinthecandidatelist)
+- [ADMX_EAIME/L_RestrictCharacterCodeRangeOfConversion](./policy-csp-admx-eaime.md#admx-eaime-l-restrictcharactercoderangeofconversion)
+- [ADMX_EAIME/L_TurnOffCustomDictionary](./policy-csp-admx-eaime.md#admx-eaime-l-turnoffcustomdictionary)
+- [ADMX_EAIME/L_TurnOffHistorybasedPredictiveInput](./policy-csp-admx-eaime.md#admx-eaime-l-turnoffhistorybasedpredictiveinput)
+- [ADMX_EAIME/L_TurnOffInternetSearchIntegration](./policy-csp-admx-eaime.md#admx-eaime-l-turnoffinternetsearchintegration)
+- [ADMX_EAIME/L_TurnOffOpenExtendedDictionary](./policy-csp-admx-eaime.md#admx-eaime-l-turnoffopenextendeddictionary)
+- [ADMX_EAIME/L_TurnOffSavingAutoTuningDataToFile](./policy-csp-admx-eaime.md#admx-eaime-l-turnoffsavingautotuningdatatofile)
+- [ADMX_EAIME/L_TurnOnCloudCandidate](./policy-csp-admx-eaime.md#admx-eaime-l-turnoncloudcandidate)
+- [ADMX_EAIME/L_TurnOnCloudCandidateCHS](./policy-csp-admx-eaime.md#admx-eaime-l-turnoncloudcandidatechs)
+- [ADMX_EAIME/L_TurnOnLexiconUpdate](./policy-csp-admx-eaime.md#admx-eaime-l-turnonlexiconupdate)
+- [ADMX_EAIME/L_TurnOnLiveStickers](./policy-csp-admx-eaime.md#admx-eaime-l-turnonlivestickers)
+- [ADMX_EAIME/L_TurnOnMisconversionLoggingForMisconversionReport](./policy-csp-admx-eaime.md#admx-eaime-l-turnonmisconversionloggingformisconversionreport)
 - [ADMX_EncryptFilesonMove/NoEncryptOnMove](./policy-csp-admx-encryptfilesonmove.md#admx-encryptfilesonmove-noencryptonmove)
+- [ADMX_EnhancedStorage/ApprovedEnStorDevices](./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-approvedenstordevices)
+- [ADMX_EnhancedStorage/ApprovedSilos](./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-approvedsilos)
+- [ADMX_EnhancedStorage/DisablePasswordAuthentication](./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-disablepasswordauthentication)
+- [ADMX_EnhancedStorage/DisallowLegacyDiskDevices](./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-disallowlegacydiskdevices)
+- [ADMX_EnhancedStorage/LockDeviceOnMachineLock](./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-lockdeviceonmachinelock)
+- [ADMX_EnhancedStorage/RootHubConnectedEnStorDevices](./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-roothubconnectedenstordevices)
+- [ADMX_ErrorReporting/PCH_AllOrNoneDef](./policy-csp-admx-errorreporting.md#admx-errorreporting-pch-allornonedef)
+- [ADMX_ErrorReporting/PCH_AllOrNoneEx](./policy-csp-admx-errorreporting.md#admx-errorreporting-pch-allornoneex)
+- [ADMX_ErrorReporting/PCH_AllOrNoneInc](./policy-csp-admx-errorreporting.md#admx-errorreporting-pch-allornoneinc)
+- [ADMX_ErrorReporting/PCH_ConfigureReport](./policy-csp-admx-errorreporting.md#admx-errorreporting-pch-configurereport)
+- [ADMX_ErrorReporting/PCH_ReportOperatingSystemFaults](./policy-csp-admx-errorreporting.md#admx-errorreporting-pch-reportoperatingsystemfaults)
+- [ADMX_ErrorReporting/WerArchive_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werarchive-1)
+- [ADMX_ErrorReporting/WerArchive_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werarchive-2)
+- [ADMX_ErrorReporting/WerAutoApproveOSDumps_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werautoapproveosdumps-1)
+- [ADMX_ErrorReporting/WerAutoApproveOSDumps_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werautoapproveosdumps-2)
+- [ADMX_ErrorReporting/WerBypassDataThrottling_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypassdatathrottling-1)
+- [ADMX_ErrorReporting/WerBypassDataThrottling_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypassdatathrottling-2)
+- [ADMX_ErrorReporting/WerBypassNetworkCostThrottling_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypassnetworkcostthrottling-1)
+- [ADMX_ErrorReporting/WerBypassNetworkCostThrottling_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypassnetworkcostthrottling-2)
+- [ADMX_ErrorReporting/WerBypassPowerThrottling_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypasspowerthrottling-1)
+- [ADMX_ErrorReporting/WerBypassPowerThrottling_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypasspowerthrottling-2)
+- [ADMX_ErrorReporting/WerCER](./policy-csp-admx-errorreporting.md#admx-errorreporting-wercer)
+- [ADMX_ErrorReporting/WerConsentCustomize_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werconsentcustomize-1)
+- [ADMX_ErrorReporting/WerConsentOverride_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werconsentoverride-1)
+- [ADMX_ErrorReporting/WerConsentOverride_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werconsentoverride-2)
+- [ADMX_ErrorReporting/WerDefaultConsent_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werdefaultconsent-1)
+- [ADMX_ErrorReporting/WerDefaultConsent_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werdefaultconsent-2)
+- [ADMX_ErrorReporting/WerDisable_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werdisable-1)
+- [ADMX_ErrorReporting/WerExlusion_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werexlusion-1)
+- [ADMX_ErrorReporting/WerExlusion_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werexlusion-2)
+- [ADMX_ErrorReporting/WerNoLogging_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-wernologging-1)
+- [ADMX_ErrorReporting/WerNoLogging_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-wernologging-2)
+- [ADMX_ErrorReporting/WerNoSecondLevelData_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-wernosecondleveldata-1)
+- [ADMX_ErrorReporting/WerQueue_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werqueue-1)
+- [ADMX_ErrorReporting/WerQueue_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werqueue-2)
 - [ADMX_EventForwarding/ForwarderResourceUsage](./policy-csp-admx-eventforwarding.md#admx_eventforwarding-forwarderresourceusage)
 - [ADMX_EventForwarding/SubscriptionManager](./policy-csp-admx-eventforwarding.md#admx_eventforwarding-subscriptionmanager)
+- [ADMX_EventLog/Channel_LogEnabled](./policy-csp-admx-eventlog.md#admx-eventlog-channel-logenabled)
+- [ADMX_EventLog/Channel_LogFilePath_1](./policy-csp-admx-eventlog.md#admx-eventlog-channel-logfilepath-1)
+- [ADMX_EventLog/Channel_LogFilePath_2](./policy-csp-admx-eventlog.md#admx-eventlog-channel-logfilepath-2)
+- [ADMX_EventLog/Channel_LogFilePath_3](./policy-csp-admx-eventlog.md#admx-eventlog-channel-logfilepath-3)
+- [ADMX_EventLog/Channel_LogFilePath_4](./policy-csp-admx-eventlog.md#admx-eventlog-channel-logfilepath-4)
+- [ADMX_EventLog/Channel_LogMaxSize_3](./policy-csp-admx-eventlog.md#admx-eventlog-channel-logmaxsize-3)
+- [ADMX_EventLog/Channel_Log_AutoBackup_1](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-autobackup-1)
+- [ADMX_EventLog/Channel_Log_AutoBackup_2](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-autobackup-2)
+- [ADMX_EventLog/Channel_Log_AutoBackup_3](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-autobackup-3)
+- [ADMX_EventLog/Channel_Log_AutoBackup_4](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-autobackup-4)
+- [ADMX_EventLog/Channel_Log_FileLogAccess_1](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-1)
+- [ADMX_EventLog/Channel_Log_FileLogAccess_2](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-2)
+- [ADMX_EventLog/Channel_Log_FileLogAccess_3](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-3)
+- [ADMX_EventLog/Channel_Log_FileLogAccess_4](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-4)
+- [ADMX_EventLog/Channel_Log_FileLogAccess_5](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-5)
+- [ADMX_EventLog/Channel_Log_FileLogAccess_6](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-6)
+- [ADMX_EventLog/Channel_Log_FileLogAccess_7](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-7)
+- [ADMX_EventLog/Channel_Log_FileLogAccess_8](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-8)
+- [ADMX_EventLog/Channel_Log_Retention_2](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-retention-2)
+- [ADMX_EventLog/Channel_Log_Retention_3](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-retention-3)
+- [ADMX_EventLog/Channel_Log_Retention_4](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-retention-4)
 - [ADMX_FileServerVSSProvider/Pol_EncryptProtocol](./policy-csp-admx-fileservervssprovider.md#admx-fileservervssprovider-pol-encryptprotocol)
 - [ADMX_FileSys/DisableCompression](./policy-csp-admx-filesys.md#admx-filesys-disablecompression)
 - [ADMX_FileSys/DisableDeleteNotification](./policy-csp-admx-filesys.md#admx-filesys-disabledeletenotification)
@@ -172,12 +291,113 @@ ms.date: 10/08/2020
 - [ADMX_kdc/RequestCompoundId](./policy-csp-admx-kdc.md#admx-kdc-requestcompoundid)
 - [ADMX_kdc/TicketSizeThreshold](./policy-csp-admx-kdc.md#admx-kdc-ticketsizethreshold)
 - [ADMX_kdc/emitlili](./policy-csp-admx-kdc.md#admx-kdc-emitlili)
+- [ADMX_Kerberos/AlwaysSendCompoundId](./policy-csp-admx-kerberos.md#admx-kerberos-alwayssendcompoundid)
+- [ADMX_Kerberos/DevicePKInitEnabled](./policy-csp-admx-kerberos.md#admx-kerberos-devicepkinitenabled)
+- [ADMX_Kerberos/HostToRealm](./policy-csp-admx-kerberos.md#admx-kerberos-hosttorealm)
+- [ADMX_Kerberos/KdcProxyDisableServerRevocationCheck](./policy-csp-admx-kerberos.md#admx-kerberos-kdcproxydisableserverrevocationcheck)
+- [ADMX_Kerberos/KdcProxyServer](./policy-csp-admx-kerberos.md#admx-kerberos-kdcproxyserver)
+- [ADMX_Kerberos/MitRealms](./policy-csp-admx-kerberos.md#admx-kerberos-mitrealms)
+- [ADMX_Kerberos/ServerAcceptsCompound](./policy-csp-admx-kerberos.md#admx-kerberos-serveracceptscompound)
+- [ADMX_Kerberos/StrictTarget](./policy-csp-admx-kerberos.md#admx-kerberos-stricttarget)
 - [ADMX_LanmanServer/Pol_CipherSuiteOrder](./policy-csp-admx-lanmanserver.md#admx-lanmanserver-pol-ciphersuiteorder)
 - [ADMX_LanmanServer/Pol_HashPublication](./policy-csp-admx-lanmanserver.md#admx-lanmanserver-pol-hashpublication)
 - [ADMX_LanmanServer/Pol_HashSupportVersion](./policy-csp-admx-lanmanserver.md#admx-lanmanserver-pol-hashsupportversion)
 - [ADMX_LanmanServer/Pol_HonorCipherSuiteOrder](./policy-csp-admx-lanmanserver.md#admx-lanmanserver-pol-honorciphersuiteorder)
 - [ADMX_LinkLayerTopologyDiscovery/LLTD_EnableLLTDIO](./policy-csp-admx-linklayertopologydiscovery.md#admx-linklayertopologydiscovery-lltd-enablelltdio)
 - [ADMX_LinkLayerTopologyDiscovery/LLTD_EnableRspndr](./policy-csp-admx-linklayertopologydiscovery.md#admx-linklayertopologydiscovery-lltd-enablerspndr)
+- [ADMX_MicrosoftDefenderAntivirus/AllowFastServiceStartup](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-allowfastservicestartup)
+- [ADMX_MicrosoftDefenderAntivirus/DisableAntiSpywareDefender](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disableantispywaredefender)
+- [ADMX_MicrosoftDefenderAntivirus/DisableAutoExclusions](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disableautoexclusions)
+- [ADMX_MicrosoftDefenderAntivirus/DisableBlockAtFirstSeen](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disableblockatfirstseen)
+- [ADMX_MicrosoftDefenderAntivirus/DisableLocalAdminMerge](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disablelocaladminmerge)
+- [ADMX_MicrosoftDefenderAntivirus/DisableRealtimeMonitoring](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disablerealtimemonitoring)
+- [ADMX_MicrosoftDefenderAntivirus/DisableRoutinelyTakingAction](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disableroutinelytakingaction)
+- [ADMX_MicrosoftDefenderAntivirus/Exclusions_Extensions](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exclusions-extensions)
+- [ADMX_MicrosoftDefenderAntivirus/Exclusions_Paths](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exclusions-paths)
+- [ADMX_MicrosoftDefenderAntivirus/Exclusions_Processes](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exclusions-processes)
+- [ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_ASROnlyExclusions](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exploitguard-asr-asronlyexclusions)
+- [ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_Rules](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exploitguard-asr-rules)
+- [ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_AllowedApplications](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exploitguard-controlledfolderaccess-allowedapplications)
+- [ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_ProtectedFolders](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exploitguard-controlledfolderaccess-protectedfolders)
+- [ADMX_MicrosoftDefenderAntivirus/MpEngine_EnableFileHashComputation](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-mpengine-enablefilehashcomputation)
+- [ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_DisableSignatureRetirement](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-nis-consumers-ips-disablesignatureretirement)
+- [ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_sku_differentiation_Signature_Set_Guid](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-nis-consumers-ips-sku-differentiation-signature-set-guid)
+- [ADMX_MicrosoftDefenderAntivirus/Nis_DisableProtocolRecognition](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-nis-disableprotocolrecognition)
+- [ADMX_MicrosoftDefenderAntivirus/ProxyBypass](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-proxybypass)
+- [ADMX_MicrosoftDefenderAntivirus/ProxyPacUrl](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-proxypacurl)
+- [ADMX_MicrosoftDefenderAntivirus/ProxyServer](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-proxyserver)
+- [ADMX_MicrosoftDefenderAntivirus/Quarantine_LocalSettingOverridePurgeItemsAfterDelay](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-quarantine-localsettingoverridepurgeitemsafterdelay)
+- [ADMX_MicrosoftDefenderAntivirus/Quarantine_PurgeItemsAfterDelay](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-quarantine-purgeitemsafterdelay)
+- [ADMX_MicrosoftDefenderAntivirus/RandomizeScheduleTaskTimes](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-randomizescheduletasktimes)
+- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableBehaviorMonitoring](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-disablebehaviormonitoring)
+- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableIOAVProtection](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-disableioavprotection)
+- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableOnAccessProtection](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-disableonaccessprotection)
+- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableRawWriteNotification](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-disablerawwritenotification)
+- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableScanOnRealtimeEnable](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-disablescanonrealtimeenable)
+- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_IOAVMaxSize](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-ioavmaxsize)
+- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableBehaviorMonitoring](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverridedisablebehaviormonitoring)
+- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableIOAVProtection](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverridedisableioavprotection)
+- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableOnAccessProtection](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverridedisableonaccessprotection)
+- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableRealtimeMonitoring](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverridedisablerealtimemonitoring)
+- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideRealtimeScanDirection](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverriderealtimescandirection)
+- [ADMX_MicrosoftDefenderAntivirus/Remediation_LocalSettingOverrideScan_ScheduleTime](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-remediation-localsettingoverridescan-scheduletime)
+- [ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleDay](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-remediation-scan-scheduleday)
+- [ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleTime](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-remediation-scan-scheduletime)
+- [ADMX_MicrosoftDefenderAntivirus/Reporting_AdditionalActionTimeout](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-additionalactiontimeout)
+- [ADMX_MicrosoftDefenderAntivirus/Reporting_CriticalFailureTimeout](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-criticalfailuretimeout)
+- [ADMX_MicrosoftDefenderAntivirus/Reporting_DisableEnhancedNotifications](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-disableenhancednotifications)
+- [ADMX_MicrosoftDefenderAntivirus/Reporting_DisablegenericrePorts](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-disablegenericreports)
+- [ADMX_MicrosoftDefenderAntivirus/Reporting_NonCriticalTimeout](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-noncriticaltimeout)
+- [ADMX_MicrosoftDefenderAntivirus/Reporting_RecentlyCleanedTimeout](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-recentlycleanedtimeout)
+- [ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingComponents](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-wpptracingcomponents)
+- [ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingLevel](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-wpptracinglevel)
+- [ADMX_MicrosoftDefenderAntivirus/Scan_AllowPause](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-allowpause)
+- [ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxDepth](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-archivemaxdepth)
+- [ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxSize](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-archivemaxsize)
+- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableArchiveScanning](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablearchivescanning)
+- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableEmailScanning](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disableemailscanning)
+- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableHeuristics](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disableheuristics)
+- [ADMX_MicrosoftDefenderAntivirus/Scan_DisablePackedExeScanning](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablepackedexescanning)
+- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableRemovableDriveScanning](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disableremovabledrivescanning)
+- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableReparsePointScanning](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablereparsepointscanning)
+- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableRestorePoint](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablerestorepoint)
+- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningMappedNetworkDrivesForFullScan](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablescanningmappednetworkdrivesforfullscan)
+- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningNetworkFiles](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablescanningnetworkfiles)
+- [ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideAvgCPULoadFactor](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-localsettingoverrideavgcpuloadfactor)
+- [ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScanParameters](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-localsettingoverridescanparameters)
+- [ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleDay](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-localsettingoverridescheduleday)
+- [ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleQuickScantime](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-localsettingoverrideschedulequickscantime)
+- [ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleTime](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-localsettingoverridescheduletime)
+- [ADMX_MicrosoftDefenderAntivirus/Scan_LowCpuPriority](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-lowcpupriority)
+- [ADMX_MicrosoftDefenderAntivirus/Scan_MissedScheduledScanCountBeforeCatchup](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-missedscheduledscancountbeforecatchup)
+- [ADMX_MicrosoftDefenderAntivirus/Scan_PurgeItemsAfterDelay](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-purgeitemsafterdelay)
+- [ADMX_MicrosoftDefenderAntivirus/Scan_QuickScanInterval](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-quickscaninterval)
+- [ADMX_MicrosoftDefenderAntivirus/Scan_ScanOnlyIfIdle](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-scanonlyifidle)
+- [ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleDay](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-scheduleday)
+- [ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleTime](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-scheduletime)
+- [ADMX_MicrosoftDefenderAntivirus/ServiceKeepAlive](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-servicekeepalive)
+- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ASSignatureDue](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-assignaturedue)
+- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_AVSignatureDue](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-avsignaturedue)
+- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DefinitionUpdateFileSharesSources](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-definitionupdatefilesharessources)
+- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScanOnUpdate](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-disablescanonupdate)
+- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScheduledSignatureUpdateonBattery](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-disablescheduledsignatureupdateonbattery)
+- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableUpdateOnStartupWithoutEngine](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-disableupdateonstartupwithoutengine)
+- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_FallbackOrder](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-fallbackorder)
+- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ForceUpdateFromMU](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-forceupdatefrommu)
+- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_RealtimeSignatureDelivery](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-realtimesignaturedelivery)
+- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleDay](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-scheduleday)
+- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleTime](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-scheduletime)
+- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SharedSignaturesLocation](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-sharedsignatureslocation)
+- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureDisableNotification](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-signaturedisablenotification)
+- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureUpdateCatchupInterval](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-signatureupdatecatchupinterval)
+- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_UpdateOnStartup](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-updateonstartup)
+- [ADMX_MicrosoftDefenderAntivirus/SpynetReporting](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-spynetreporting)
+- [ADMX_MicrosoftDefenderAntivirus/Spynet_LocalSettingOverrideSpynetReporting](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-spynet-localsettingoverridespynetreporting)
+- [ADMX_MicrosoftDefenderAntivirus/Threats_ThreatIdDefaultAction](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-threats-threatiddefaultaction)
+- [ADMX_MicrosoftDefenderAntivirus/UX_Configuration_CustomDefaultActionToastString](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-ux-configuration-customdefaultactiontoaststring)
+- [ADMX_MicrosoftDefenderAntivirus/UX_Configuration_Notification_Suppress](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-ux-configuration-notification-suppress)
+- [ADMX_MicrosoftDefenderAntivirus/UX_Configuration_SuppressRebootNotification](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-ux-configuration-suppressrebootnotification)
+- [ADMX_MicrosoftDefenderAntivirus/UX_Configuration_UILockdown](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-ux-configuration-uilockdown)
 - [ADMX_MMC/MMC_ActiveXControl](./policy-csp-admx-mmc.md#admx-mmc-mmc-activexcontrol)
 - [ADMX_MMC/MMC_ExtendView](./policy-csp-admx-mmc.md#admx-mmc-mmc-extendview)
 - [ADMX_MMC/MMC_LinkToWeb](./policy-csp-admx-mmc.md#admx-mmc-mmc-linktoweb)
@@ -428,6 +648,13 @@ ms.date: 10/08/2020
 - [ADMX_PowerShellExecutionPolicy/EnableScripts](./policy-csp-admx-powershellexecutionpolicy.md#admx-powershellexecutionpolicy-enablescripts)
 - [ADMX_PowerShellExecutionPolicy/EnableTranscripting](./policy-csp-admx-powershellexecutionpolicy.md#admx-powershellexecutionpolicy-enabletranscripting)
 - [ADMX_PowerShellExecutionPolicy/EnableUpdateHelpDefaultSourcePath](./policy-csp-admx-powershellexecutionpolicy.md#admx-powershellexecutionpolicy-enableupdatehelpdefaultsourcepath)
+- [ADMX_Programs/NoDefaultPrograms](./policy-csp-admx-programs.md#admx-programs-nodefaultprograms)
+- [ADMX_Programs/NoGetPrograms](./policy-csp-admx-programs.md#admx-programs-nogetprograms)
+- [ADMX_Programs/NoInstalledUpdates](./policy-csp-admx-programs.md#admx-programs-noinstalledupdates)
+- [ADMX_Programs/NoProgramsAndFeatures](./policy-csp-admx-programs.md#admx-programs-noprogramsandfeatures)
+- [ADMX_Programs/NoProgramsCPL](./policy-csp-admx-programs.md#admx-programs-noprogramscpl)
+- [ADMX_Programs/NoWindowsFeatures](./policy-csp-admx-programs.md#admx-programs-nowindowsfeatures)
+- [ADMX_Programs/NoWindowsMarketplace](./policy-csp-admx-programs.md#admx-programs-nowindowsmarketplace)
 - [ADMX_Reliability/EE_EnablePersistentTimeStamp](./policy-csp-admx-reliability.md#admx-reliability-ee-enablepersistenttimestamp)
 - [ADMX_Reliability/PCH_ReportShutdownEvents](./policy-csp-admx-reliability.md#admx-reliability-pch-reportshutdownevents)
 - [ADMX_Reliability/ShutdownEventTrackerStateFile](./policy-csp-admx-reliability.md#admx-reliability-shutdowneventtrackerstatefile)
@@ -454,6 +681,15 @@ ms.date: 10/08/2020
 - [ADMX_Sensors/DisableSensors_1](./policy-csp-admx-sensors.md#admx-sensors-disablesensors-1)
 - [ADMX_Sensors/DisableSensors_2](./policy-csp-admx-sensors.md#admx-sensors-disablesensors-2)
 - [ADMX_Servicing/Servicing](./policy-csp-admx-servicing.md#admx-servicing-servicing)
+- [ADMX_SettingSync/DisableAppSyncSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disableappsyncsettingsync)
+- [ADMX_SettingSync/DisableApplicationSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disableapplicationsettingsync)
+- [ADMX_SettingSync/DisableCredentialsSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disablecredentialssettingsync)
+- [ADMX_SettingSync/DisableDesktopThemeSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disabledesktopthemesettingsync)
+- [ADMX_SettingSync/DisablePersonalizationSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disablepersonalizationsettingsync)
+- [ADMX_SettingSync/DisableSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disablesettingsync)
+- [ADMX_SettingSync/DisableStartLayoutSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disablestartlayoutsettingsync)
+- [ADMX_SettingSync/DisableSyncOnPaidNetwork](./policy-csp-admx-settingsync.md#admx-settingsync-disablesynconpaidnetwork)
+- [ADMX_SettingSync/DisableWindowsSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disablewindowssettingsync)
 - [ADMX_SharedFolders/PublishDfsRoots](./policy-csp-admx-sharedfolders.md#admx-sharedfolders-publishdfsroots)
 - [ADMX_SharedFolders/PublishSharedFolders](./policy-csp-admx-sharedfolders.md#admx-sharedfolders-publishsharedfolders)
 - [ADMX_Sharing/NoInplaceSharing](./policy-csp-admx-sharing.md#admx-sharing-noinplacesharing)
@@ -547,6 +783,7 @@ ms.date: 10/08/2020
 - [ADMX_StartMenu/ShowStartOnDisplayWithForegroundOnWinKey](./policy-csp-admx-startmenu.md#admx-startmenu-showstartondisplaywithforegroundonwinkey)
 - [ADMX_StartMenu/StartMenuLogOff](./policy-csp-admx-startmenu.md#admx-startmenu-startmenulogoff)
 - [ADMX_StartMenu/StartPinAppsWhenInstalled](./policy-csp-admx-startmenu.md#admx-startmenu-startpinappswheninstalled)
+- [ADMX_SystemRestore/SR_DisableConfig](./policy-csp-admx-systemrestore.md#admx-systemrestore-sr-disableconfig)
 - [ADMX_Taskbar/DisableNotificationCenter](./policy-csp-admx-taskbar.md#admx-taskbar-disablenotificationcenter)
 - [ADMX_Taskbar/EnableLegacyBalloonNotifications](./policy-csp-admx-taskbar.md#admx-taskbar-enablelegacyballoonnotifications)
 - [ADMX_Taskbar/HideSCAHealth](./policy-csp-admx-taskbar.md#admx-taskbar-hidescahealth)
@@ -852,6 +1089,12 @@ ms.date: 10/08/2020
 - [ADMX_wlansvc/SetCost](./policy-csp-admx-wlansvc.md#admx-wlansvc-setcost)
 - [ADMX_wlansvc/SetPINEnforced](./policy-csp-admx-wlansvc.md#admx-wlansvc-setpinenforced)
 - [ADMX_wlansvc/SetPINPreferred](./policy-csp-admx-wlansvc.md#admx-wlansvc-setpinpreferred)
+- [ADMX_WPN/NoCallsDuringQuietHours](./policy-csp-admx-wpn.md#admx-wpn-nocallsduringquiethours)
+- [ADMX_WPN/NoLockScreenToastNotification](./policy-csp-admx-wpn.md#admx-wpn-nolockscreentoastnotification)
+- [ADMX_WPN/NoQuietHours](./policy-csp-admx-wpn.md#admx-wpn-noquiethours)
+- [ADMX_WPN/NoToastNotification](./policy-csp-admx-wpn.md#admx-wpn-notoastnotification)
+- [ADMX_WPN/QuietHoursDailyBeginMinute](./policy-csp-admx-wpn.md#admx-wpn-quiethoursdailybeginminute)
+- [ADMX_WPN/QuietHoursDailyEndMinute](./policy-csp-admx-wpn.md#admx-wpn-quiethoursdailyendminute)
 - [AppRuntime/AllowMicrosoftAccountsToBeOptional](./policy-csp-appruntime.md#appruntime-allowmicrosoftaccountstobeoptional)
 - [AppVirtualization/AllowAppVClient](./policy-csp-appvirtualization.md#appvirtualization-allowappvclient)
 - [AppVirtualization/AllowDynamicVirtualization](./policy-csp-appvirtualization.md#appvirtualization-allowdynamicvirtualization)

windows/client-management/mdm/policy-configuration-service-provider.md

@@ -493,6 +493,42 @@ The following diagram shows the Policy configuration service provider in tree fo
   </dd>
 </dl>
 
+### ADMX_CredSsp policies  
+
+<dl>
+  <dd>
+    <a href="./policy-csp-admx-credssp.md#admx-credssp-allowdefcredentialswhenntlmonly" id="admx-credssp-allowdefcredentialswhenntlmonly">ADMX_CredSsp/AllowDefCredentialsWhenNTLMOnly</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-credssp.md#admx-credssp-allowdefaultcredentials" id="admx-credssp-allowdefaultcredentials">ADMX_CredSsp/AllowDefaultCredentials</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-credssp.md#admx-credssp-allowencryptionoracle" id="admx-credssp-allowencryptionoracle">ADMX_CredSsp/AllowEncryptionOracle</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-credssp.md#admx-credssp-allowfreshcredentials" id="admx-credssp-allowfreshcredentials">ADMX_CredSsp/AllowFreshCredentials</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-credssp.md#admx-credssp-allowfreshcredentialswhenntlmonly" id="admx-credssp-allowfreshcredentialswhenntlmonly">ADMX_CredSsp/AllowFreshCredentialsWhenNTLMOnly</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-credssp.md#admx-credssp-allowsavedcredentials" id="admx-credssp-allowsavedcredentials">ADMX_CredSsp/AllowSavedCredentials</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-credssp.md#admx-credssp-allowsavedcredentialswhenntlmonly" id="admx-credssp-allowsavedcredentialswhenntlmonly">ADMX_CredSsp/AllowSavedCredentialsWhenNTLMOnly</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-credssp.md#admx-credssp-denydefaultcredentials" id="admx-credssp-denydefaultcredentials">ADMX_CredSsp/DenyDefaultCredentials</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-credssp.md#admx-credssp-denyfreshcredentials" id="admx-credssp-denyfreshcredentials">ADMX_CredSsp/DenyFreshCredentials</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-credssp.md#admx-credssp-denysavedcredentials" id="admx-credssp-denysavedcredentials">ADMX_CredSsp/DenySavedCredentials</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-credssp.md#admx-credssp-restrictedremoteadministration" id="admx-credssp-restrictedremoteadministration">ADMX_CredSsp/RestrictedRemoteAdministration</a>
+
 ### ADMX_CredUI policies  
 
 <dl>
@@ -511,6 +547,146 @@ The following diagram shows the Policy configuration service provider in tree fo
   </dd>
 </dl>
 
+### ADMX_DataCollection policies  
+
+<dl>
+  <dd>
+    <a href="./policy-csp-admx-datacollection.md#admx-datacollection-commercialidpolicy" id="admx-datacollection-commercialidpolicy">ADMX_DataCollection/CommercialIdPolicy</a>
+  </dd>
+</dl>
+
+### ADMX_Desktop policies  
+
+<dl>
+  <dd>
+    <a href="./policy-csp-admx-desktop.md#admx-desktop-ad-enablefilter" id="admx-desktop-ad-enablefilter">ADMX_Desktop/AD_EnableFilter</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-desktop.md#admx-desktop-ad-hidedirectoryfolder" id="admx-desktop-ad-hidedirectoryfolder">ADMX_Desktop/AD_HideDirectoryFolder</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-desktop.md#admx-desktop-ad-querylimit" id="admx-desktop-ad-querylimit">ADMX_Desktop/AD_QueryLimit</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-desktop.md#admx-desktop-forceactivedesktopon" id="admx-desktop-forceactivedesktopon">ADMX_Desktop/ForceActiveDesktopOn</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-desktop.md#admx-desktop-noactivedesktop" id="admx-desktop-noactivedesktop">ADMX_Desktop/NoActiveDesktop</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-desktop.md#admx-desktop-noactivedesktopchanges" id="admx-desktop-noactivedesktopchanges">ADMX_Desktop/NoActiveDesktopChanges</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-desktop.md#admx-desktop-nodesktop" id="admx-desktop-nodesktop">ADMX_Desktop/NoDesktop</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-desktop.md#admx-desktop-nodesktopcleanupwizard" id="admx-desktop-nodesktopcleanupwizard">ADMX_Desktop/NoDesktopCleanupWizard</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-desktop.md#admx-desktop-nointerneticon" id="admx-desktop-nointerneticon">ADMX_Desktop/NoInternetIcon</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-desktop.md#admx-desktop-nomycomputericon" id="admx-desktop-nomycomputericon">ADMX_Desktop/NoMyComputerIcon</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-desktop.md#admx-desktop-nomydocumentsicon" id="admx-desktop-nomydocumentsicon">ADMX_Desktop/NoMyDocumentsIcon</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-desktop.md#admx-desktop-nonethood" id="admx-desktop-nonethood">ADMX_Desktop/NoNetHood</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-desktop.md#admx-desktop-nopropertiesmycomputer" id="admx-desktop-nopropertiesmycomputer">ADMX_Desktop/NoPropertiesMyComputer</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-desktop.md#admx-desktop-nopropertiesmydocuments" id="admx-desktop-nopropertiesmydocuments">ADMX_Desktop/NoPropertiesMyDocuments</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-desktop.md#admx-desktop-norecentdocsnethood" id="admx-desktop-norecentdocsnethood">ADMX_Desktop/NoRecentDocsNetHood</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-desktop.md#admx-desktop-norecyclebinicon" id="admx-desktop-norecyclebinicon">ADMX_Desktop/NoRecycleBinIcon</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-desktop.md#admx-desktop-norecyclebinproperties" id="admx-desktop-norecyclebinproperties">ADMX_Desktop/NoRecycleBinProperties</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-desktop.md#admx-desktop-nosavesettings" id="admx-desktop-nosavesettings">ADMX_Desktop/NoSaveSettings</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-desktop.md#admx-desktop-nowindowminimizingshortcuts" id="admx-desktop-nowindowminimizingshortcuts">ADMX_Desktop/NoWindowMinimizingShortcuts</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-desktop.md#admx-desktop-wallpaper" id="admx-desktop-wallpaper">ADMX_Desktop/Wallpaper</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-desktop.md#admx-desktop-sz-atc-disableadd" id="admx-desktop-sz-atc-disableadd">ADMX_Desktop/sz_ATC_DisableAdd</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-desktop.md#admx-desktop-sz-atc-disableclose" id="admx-desktop-sz-atc-disableclose">ADMX_Desktop/sz_ATC_DisableClose</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-desktop.md#admx-desktop-sz-atc-disabledel" id="admx-desktop-sz-atc-disabledel">ADMX_Desktop/sz_ATC_DisableDel</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-desktop.md#admx-desktop-sz-atc-disableedit" id="admx-desktop-sz-atc-disableedit">ADMX_Desktop/sz_ATC_DisableEdit</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-desktop.md#admx-desktop-sz-atc-nocomponents" id="admx-desktop-sz-atc-nocomponents">ADMX_Desktop/sz_ATC_NoComponents</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-desktop.md#admx-desktop-sz-admincomponents-title" id="admx-desktop-sz-admincomponents-title">ADMX_Desktop/sz_AdminComponents_Title</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-desktop.md#admx-desktop-sz-db-dragdropclose" id="admx-desktop-sz-db-dragdropclose">ADMX_Desktop/sz_DB_DragDropClose</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-desktop.md#admx-desktop-sz-db-moving" id="admx-desktop-sz-db-moving">ADMX_Desktop/sz_DB_Moving</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-desktop.md#admx-desktop-sz-dwp-nohtmlpaper" id="admx-desktop-sz-dwp-nohtmlpaper">ADMX_Desktop/sz_DWP_NoHTMLPaper</a>
+  </dd>
+</dl>
+
+### ADMX_DeviceInstallation policies  
+
+<dl>
+  <dd>
+    <a href="./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-allowadmininstall" id="admx-deviceinstallation-deviceinstall-allowadmininstall">ADMX_DeviceInstallation/DeviceInstall_AllowAdminInstall</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-deniedpolicy-detailtext" id="admx-deviceinstallation-deviceinstall-deniedpolicy-detailtext">ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_DetailText</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-deniedpolicy-simpletext" id="admx-deviceinstallation-deviceinstall-deniedpolicy-simpletext">ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_SimpleText</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-installtimeout" id="admx-deviceinstallation-deviceinstall-installtimeout">ADMX_DeviceInstallation/DeviceInstall_InstallTimeout</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-policy-reboottime" id="admx-deviceinstallation-deviceinstall-policy-reboottime">ADMX_DeviceInstallation/DeviceInstall_Policy_RebootTime</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-removable-deny" id="admx-deviceinstallation-deviceinstall-removable-deny">ADMX_DeviceInstallation/DeviceInstall_Removable_Deny</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-systemrestore" id="admx-deviceinstallation-deviceinstall-systemrestore">ADMX_DeviceInstallation/DeviceInstall_SystemRestore</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-classes-allowuser" id="admx-deviceinstallation-deviceinstall-classes-allowuser">ADMX_DeviceInstallation/DriverInstall_Classes_AllowUser</a>
+  </dd>
+</dl>
+
+### ADMX_DeviceSetup policies  
+
+<dl>
+  <dd>
+    <a href="./policy-csp-admx-devicesetup.md#admx-devicesetup-deviceinstall-balloontips" id="admx-devicesetup-deviceinstall-balloontips">ADMX_DeviceSetup/DeviceInstall_BalloonTips</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-devicesetup.md#admx-devicesetup-driversearchplaces-searchorderconfiguration" id="admx-devicesetup-driversearchplaces-searchorderconfiguration">ADMX_DeviceSetup/DriverSearchPlaces_SearchOrderConfiguration</a>
+  </dd>
+</dl>
+
 ### ADMX_DigitalLocker policies
 <dl>
   <dd>
@@ -615,6 +791,47 @@ The following diagram shows the Policy configuration service provider in tree fo
   </dd>
 </dl>
 
+### ADMX_EAIME policies  
+
+<dl>
+  <dd>
+    <a href="./policy-csp-admx-eaime.md#admx-eaime-l-donotincludenonpublishingstandardglyphinthecandidatelist" id="">ADMX_EAIME/L_DoNotIncludeNonPublishingStandardGlyphInTheCandidateList</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-eaime.md#admx-eaime-l-restrictcharactercoderangeofconversion" id="">ADMX_EAIME/L_RestrictCharacterCodeRangeOfConversion</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-eaime.md#admx-eaime-l-turnoffcustomdictionary" id="admx-eaime-l-turnoffcustomdictionary">ADMX_EAIME/L_TurnOffCustomDictionary</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-eaime.md#admx-eaime-l-turnoffhistorybasedpredictiveinput" id="admx-eaime-l-turnoffhistorybasedpredictiveinput">ADMX_EAIME/L_TurnOffHistorybasedPredictiveInput</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-eaime.md#admx-eaime-l-turnoffinternetsearchintegration" id="admx-eaime-l-turnoffinternetsearchintegration">ADMX_EAIME/L_TurnOffInternetSearchIntegration</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-eaime.md#admx-eaime-l-turnoffopenextendeddictionary" id="admx-eaime-l-turnoffopenextendeddictionary">ADMX_EAIME/L_TurnOffOpenExtendedDictionary</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-eaime.md#admx-eaime-l-turnoffsavingautotuningdatatofile" id="admx-eaime-l-turnoffsavingautotuningdatatofile">ADMX_EAIME/L_TurnOffSavingAutoTuningDataToFile</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-eaime.md#admx-eaime-l-turnoncloudcandidate" id="admx-eaime-l-turnoncloudcandidate">ADMX_EAIME/L_TurnOnCloudCandidate</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-eaime.md#admx-eaime-l-turnoncloudcandidatechs" id="admx-eaime-l-turnoncloudcandidatechs">ADMX_EAIME/L_TurnOnCloudCandidateCHS</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-eaime.md#admx-eaime-l-turnonlexiconupdate" id="admx-eaime-l-turnonlexiconupdate">ADMX_EAIME/L_TurnOnLexiconUpdate</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-eaime.md#admx-eaime-l-turnonlivestickers" id="admx-eaime-l-turnonlivestickers">ADMX_EAIME/L_TurnOnLiveStickers</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-eaime.md#admx-eaime-l-turnonmisconversionloggingformisconversionreport" id="admx-eaime-l-turnonmisconversionloggingformisconversionreport">ADMX_EAIME/L_TurnOnMisconversionLoggingForMisconversionReport</a>
+  </dd>
+</dl>
+
 ### ADMX_EncryptFilesonMove policies
 <dl>
   <dd>
@@ -622,6 +839,121 @@ The following diagram shows the Policy configuration service provider in tree fo
   </dd>
 </dl>
 
+### ADMX_EnhancedStorage policies  
+
+<dl>
+  <dd>
+    <a href="./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-approvedenstordevices" id="admx-enhancedstorage-approvedenstordevices">ADMX_EnhancedStorage/ApprovedEnStorDevices</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-approvedsilos" id="admx-enhancedstorage-approvedsilos">ADMX_EnhancedStorage/ApprovedSilos</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-disablepasswordauthentication" id="admx-enhancedstorage-disablepasswordauthentication">ADMX_EnhancedStorage/DisablePasswordAuthentication</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-disallowlegacydiskdevices" id="admx-enhancedstorage-disallowlegacydiskdevices">ADMX_EnhancedStorage/DisallowLegacyDiskDevices</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-lockdeviceonmachinelock" id="admx-enhancedstorage-lockdeviceonmachinelock">ADMX_EnhancedStorage/LockDeviceOnMachineLock</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-roothubconnectedenstordevices" id="admx-enhancedstorage-roothubconnectedenstordevices">ADMX_EnhancedStorage/RootHubConnectedEnStorDevices</a>
+  </dd>
+</dl>
+
+### ADMX_ErrorReporting policies  
+
+<dl>
+  <dd>
+    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-pch-allornonedef" id="admx-errorreporting-pch-allornonedef">ADMX_ErrorReporting/PCH_AllOrNoneDef</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-pch-allornoneex" id="admx-errorreporting-pch-allornoneex">ADMX_ErrorReporting/PCH_AllOrNoneEx</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-pch-allornoneinc" id="admx-errorreporting-pch-allornoneinc">ADMX_ErrorReporting/PCH_AllOrNoneInc</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-pch-configurereport" id="admx-errorreporting-pch-configurereport">ADMX_ErrorReporting/PCH_ConfigureReport</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-pch-reportoperatingsystemfaults" id="admx-errorreporting-pch-reportoperatingsystemfaults">ADMX_ErrorReporting/PCH_ReportOperatingSystemFaults</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-werarchive-1" id="admx-errorreporting-werarchive-1">ADMX_ErrorReporting/WerArchive_1</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-werarchive-2" id="admx-errorreporting-werarchive-2">ADMX_ErrorReporting/WerArchive_2</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-werautoapproveosdumps-1" id="admx-errorreporting-werautoapproveosdumps-1">ADMX_ErrorReporting/WerAutoApproveOSDumps_1</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-werautoapproveosdumps-2" id="admx-errorreporting-werautoapproveosdumps-2">ADMX_ErrorReporting/WerAutoApproveOSDumps_2</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypassdatathrottling-1" id="admx-errorreporting-werbypassdatathrottling-1">ADMX_ErrorReporting/WerBypassDataThrottling_1</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypassdatathrottling-2" id="admx-errorreporting-werbypassdatathrottling-2">ADMX_ErrorReporting/WerBypassDataThrottling_2</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypassnetworkcostthrottling-1" id="admx-errorreporting-werbypassnetworkcostthrottling-1">ADMX_ErrorReporting/WerBypassNetworkCostThrottling_1</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypassnetworkcostthrottling-2" id="admx-errorreporting-werbypassnetworkcostthrottling-2">ADMX_ErrorReporting/WerBypassNetworkCostThrottling_2</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypasspowerthrottling-1" id="admx-errorreporting-werbypasspowerthrottling-1">ADMX_ErrorReporting/WerBypassPowerThrottling_1</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypasspowerthrottling-2" id="admx-errorreporting-werbypasspowerthrottling-2">ADMX_ErrorReporting/WerBypassPowerThrottling_2</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-wercer" id="admx-errorreporting-wercer">ADMX_ErrorReporting/WerCER</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-werconsentcustomize-1" id="admx-errorreporting-werconsentcustomize-1">ADMX_ErrorReporting/WerConsentCustomize_1</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-werconsentoverride-1" id="admx-errorreporting-werconsentoverride-1">ADMX_ErrorReporting/WerConsentOverride_1</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-werconsentoverride-2" id="admx-errorreporting-werconsentoverride-2">ADMX_ErrorReporting/WerConsentOverride_2</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-werdefaultconsent-1" id="admx-errorreporting-werdefaultconsent-1">ADMX_ErrorReporting/WerDefaultConsent_1</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-werdefaultconsent-2" id="admx-errorreporting-werdefaultconsent-2">ADMX_ErrorReporting/WerDefaultConsent_2</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-werdisable-1" id="admx-errorreporting-werdisable-1">ADMX_ErrorReporting/WerDisable_1</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-werexlusion-1" id="admx-errorreporting-werexlusion-1">ADMX_ErrorReporting/WerExlusion_1</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-werexlusion-2" id="admx-errorreporting-werexlusion-2">ADMX_ErrorReporting/WerExlusion_2</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-wernologging-1" id="admx-errorreporting-wernologging-1">ADMX_ErrorReporting/WerNoLogging_1</a>
+  </dd>
+    <dd>
+    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-wernologging-2" id="admx-errorreporting-wernologging-2">ADMX_ErrorReporting/WerNoLogging_2</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-wernosecondleveldata-1" id="admx-errorreporting-wernosecondleveldata-1">ADMX_ErrorReporting/WerNoSecondLevelData_1</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-werqueue-1" id="admx-errorreporting-werqueue-1">ADMX_ErrorReporting/WerQueue_1</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-werqueue-2" id="admx-errorreporting-werqueue-2">ADMX_ErrorReporting/WerQueue_2</a>
+  </dd>
+</dl>
+
 ### ADMX_EventForwarding policies
 
 <dl>
@@ -633,6 +965,74 @@ The following diagram shows the Policy configuration service provider in tree fo
   </dd>
 </dl>
 
+### ADMX_EventLog policies  
+
+<dl>
+  <dd>
+    <a href="./policy-csp-admx-eventlog.md#admx-eventlog-channel-logenabled" id="admx-eventlog-channel-logenabled">ADMX_EventLog/Channel_LogEnabled</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-eventlog.md#admx-eventlog-channel-logfilepath-1" id="admx-eventlog-channel-logfilepath-1">ADMX_EventLog/Channel_LogFilePath_1</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-eventlog.md#admx-eventlog-channel-logfilepath-2" id="admx-eventlog-channel-logfilepath-2">ADMX_EventLog/Channel_LogFilePath_2</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-eventlog.md#admx-eventlog-channel-logfilepath-3" id="admx-eventlog-channel-logfilepath-3">ADMX_EventLog/Channel_LogFilePath_3</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-eventlog.md#admx-eventlog-channel-logfilepath-4" id="admx-eventlog-channel-logfilepath-4">ADMX_EventLog/Channel_LogFilePath_4</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-eventlog.md#admx-eventlog-channel-logmaxsize-3" id="admx-eventlog-channel-logmaxsize-3">ADMX_EventLog/Channel_LogMaxSize_3</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-autobackup-1" id="admx-eventlog-channel-log-autobackup-1">ADMX_EventLog/Channel_Log_AutoBackup_1</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-autobackup-2" id="admx-eventlog-channel-log-autobackup-2">ADMX_EventLog/Channel_Log_AutoBackup_2</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-autobackup-3" id="admx-eventlog-channel-log-autobackup-3">ADMX_EventLog/Channel_Log_AutoBackup_3</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-autobackup-4" id="admx-eventlog-channel-log-autobackup-4">ADMX_EventLog/Channel_Log_AutoBackup_4</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-1" id="admx-eventlog-channel-log-filelogaccess-1">ADMX_EventLog/Channel_Log_FileLogAccess_1</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-2" id="admx-eventlog-channel-log-filelogaccess-2">ADMX_EventLog/Channel_Log_FileLogAccess_2</a>
+  </dd>
+    <dd>
+    <a href="./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-3" id="admx-eventlog-channel-log-filelogaccess-3">ADMX_EventLog/Channel_Log_FileLogAccess_3</a>
+  </dd>
+    <dd>
+    <a href="./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-4" id="admx-eventlog-channel-log-filelogaccess-4">ADMX_EventLog/Channel_Log_FileLogAccess_4</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-5" id="admx-eventlog-channel-log-filelogaccess-5">ADMX_EventLog/Channel_Log_FileLogAccess_5</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-6" id="admx-eventlog-channel-log-filelogaccess-6">ADMX_EventLog/Channel_Log_FileLogAccess_6</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-7" id="admx-eventlog-channel-log-filelogaccess-7">ADMX_EventLog/Channel_Log_FileLogAccess_7</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-8" id="admx-eventlog-channel-log-filelogaccess-8">ADMX_EventLog/Channel_Log_FileLogAccess_8</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-retention-2" id="admx-eventlog-channel-log-retention-2">ADMX_EventLog/Channel_Log_Retention_2</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-retention-3" id="admx-eventlog-channel-log-retention-3">ADMX_EventLog/Channel_Log_Retention_3</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-retention-4" id="admx-eventlog-channel-log-retention-4">ADMX_EventLog/Channel_Log_Retention_4</a>
+  </dd>
+</dl>
+
 ### ADMX_FileServerVSSProvider policies
 <dl>
   <dd>
@@ -747,6 +1147,35 @@ The following diagram shows the Policy configuration service provider in tree fo
   </dd>
 </dl>
 
+### ADMX_Kerberos policies  
+
+<dl>
+  <dd>
+    <a href="./policy-csp-admx-kerberos.md#admx-kerberos-alwayssendcompoundid" id="admx-kerberos-alwayssendcompoundid">ADMX_Kerberos/AlwaysSendCompoundId</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-kerberos.md#admx-kerberos-devicepkinitenabled" id="admx-kerberos-devicepkinitenabled">ADMX_Kerberos/DevicePKInitEnabled</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-kerberos.md#admx-kerberos-hosttorealm" id="admx-kerberos-hosttorealm">ADMX_Kerberos/HostToRealm</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-kerberos.md#admx-kerberos-kdcproxydisableserverrevocationcheck" id="admx-kerberos-kdcproxydisableserverrevocationcheck">ADMX_Kerberos/KdcProxyDisableServerRevocationCheck</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-kerberos.md#admx-kerberos-kdcproxyserver" id="admx-kerberos-kdcproxyserver">ADMX_Kerberos/KdcProxyServer</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-kerberos.md#admx-kerberos-mitrealms" id="admx-kerberos-mitrealms">ADMX_Kerberos/MitRealms</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-kerberos.md#admx-kerberos-serveracceptscompound" id="admx-kerberos-serveracceptscompound">ADMX_Kerberos/ServerAcceptsCompound</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-kerberos.md#admx-kerberos-stricttarget" id="admx-kerberos-stricttarget">ADMX_Kerberos/StrictTarget</a>
+  </dd>
+</dl>
+
 ### ADMX_LanmanServer policies
 <dl>
   <dd>
@@ -773,6 +1202,290 @@ The following diagram shows the Policy configuration service provider in tree fo
   </dd>
 </dl>
 
+### ADMX_MicrosoftDefenderAntivirus policies  
+
+<dl>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-allowfastservicestartup" id="admx-microsoftdefenderantivirus-allowfastservicestartup">ADMX_MicrosoftDefenderAntivirus/AllowFastServiceStartup</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disableantispywaredefender" id="admx-microsoftdefenderantivirus-disableantispywaredefender">ADMX_MicrosoftDefenderAntivirus/DisableAntiSpywareDefender</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disableautoexclusions" id="admx-microsoftdefenderantivirus-disableautoexclusions">ADMX_MicrosoftDefenderAntivirus/DisableAutoExclusions</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disableblockatfirstseen" id="admx-microsoftdefenderantivirus-disableblockatfirstseen">ADMX_MicrosoftDefenderAntivirus/DisableBlockAtFirstSeen</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disablelocaladminmerge" id="admx-microsoftdefenderantivirus-disablelocaladminmerge">ADMX_MicrosoftDefenderAntivirus/DisableLocalAdminMerge</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disablerealtimemonitoring" id="admx-microsoftdefenderantivirus-disablerealtimemonitoring">ADMX_MicrosoftDefenderAntivirus/DisableRealtimeMonitoring</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disableroutinelytakingaction" id="admx-microsoftdefenderantivirus-disableroutinelytakingaction">ADMX_MicrosoftDefenderAntivirus/DisableRoutinelyTakingAction</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exclusions-extensions" id="admx-microsoftdefenderantivirus-exclusions-extensions">ADMX_MicrosoftDefenderAntivirus/Exclusions_Extensions</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exclusions-paths" id="admx-microsoftdefenderantivirus-exclusions-paths">ADMX_MicrosoftDefenderAntivirus/Exclusions_Paths</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exclusions-processes" id="admx-microsoftdefenderantivirus-exclusions-processes">ADMX_MicrosoftDefenderAntivirus/Exclusions_Processes</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exploitguard-asr-asronlyexclusions" id="admx-microsoftdefenderantivirus-exploitguard-asr-asronlyexclusions">ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_ASROnlyExclusions</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exploitguard-asr-rules" id="admx-microsoftdefenderantivirus-exploitguard-asr-rules">ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_Rules</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exploitguard-controlledfolderaccess-allowedapplications" id="admx-microsoftdefenderantivirus-exploitguard-controlledfolderaccess-allowedapplications">ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_AllowedApplications</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exploitguard-controlledfolderaccess-protectedfolders" id="admx-microsoftdefenderantivirus-exploitguard-controlledfolderaccess-protectedfolders">ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_ProtectedFolders</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-mpengine-enablefilehashcomputation" id="admx-microsoftdefenderantivirus-mpengine-enablefilehashcomputation">ADMX_MicrosoftDefenderAntivirus/MpEngine_EnableFileHashComputation</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-nis-consumers-ips-disablesignatureretirement" id="admx-microsoftdefenderantivirus-nis-consumers-ips-disablesignatureretirement">ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_DisableSignatureRetirement</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-nis-consumers-ips-sku-differentiation-signature-set-guid" id="admx-microsoftdefenderantivirus-nis-consumers-ips-sku-differentiation-signature-set-guid">ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_sku_differentiation_Signature_Set_Guid</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-nis-disableprotocolrecognition" id="admx-microsoftdefenderantivirus-nis-disableprotocolrecognition">ADMX_MicrosoftDefenderAntivirus/Nis_DisableProtocolRecognition</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-proxybypass" id="admx-microsoftdefenderantivirus-proxybypass">ADMX_MicrosoftDefenderAntivirus/ProxyBypass</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-proxypacurl" id="admx-microsoftdefenderantivirus-proxypacurl">ADMX_MicrosoftDefenderAntivirus/ProxyPacUrl</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-proxyserver" id="admx-microsoftdefenderantivirus-proxyserver">ADMX_MicrosoftDefenderAntivirus/ProxyServer</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-quarantine-localsettingoverridepurgeitemsafterdelay" id="admx-microsoftdefenderantivirus-quarantine-localsettingoverridepurgeitemsafterdelay">ADMX_MicrosoftDefenderAntivirus/Quarantine_LocalSettingOverridePurgeItemsAfterDelay</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-quarantine-purgeitemsafterdelay" id="admx-microsoftdefenderantivirus-quarantine-purgeitemsafterdelay">ADMX_MicrosoftDefenderAntivirus/Quarantine_PurgeItemsAfterDelay</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-randomizescheduletasktimes" id="admx-microsoftdefenderantivirus-randomizescheduletasktimes">ADMX_MicrosoftDefenderAntivirus/RandomizeScheduleTaskTimes</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-disablebehaviormonitoring" id="admx-microsoftdefenderantivirus-realtimeprotection-disablebehaviormonitoring">ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableBehaviorMonitoring</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-disableioavprotection" id="admx-microsoftdefenderantivirus-realtimeprotection-disableioavprotection">ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableIOAVProtection</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-disableonaccessprotection" id="admx-microsoftdefenderantivirus-realtimeprotection-disableonaccessprotection">ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableOnAccessProtection</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-disablerawwritenotification" id="admx-microsoftdefenderantivirus-realtimeprotection-disablerawwritenotification">ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableRawWriteNotification</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-disablescanonrealtimeenable" id="admx-microsoftdefenderantivirus-realtimeprotection-disablescanonrealtimeenable">ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableScanOnRealtimeEnable</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-ioavmaxsize" id="admx-microsoftdefenderantivirus-realtimeprotection-ioavmaxsize">ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_IOAVMaxSize</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverridedisablebehaviormonitoring" id="admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverridedisablebehaviormonitoring">ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableBehaviorMonitoring</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverridedisableioavprotection" id="admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverridedisableioavprotection">ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableIOAVProtection</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverridedisableonaccessprotection" id="admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverridedisableonaccessprotection">ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableOnAccessProtection</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverridedisablerealtimemonitoring" id="admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverridedisablerealtimemonitoring">ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableRealtimeMonitoring</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverriderealtimescandirection" id="admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverriderealtimescandirection">ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideRealtimeScanDirection</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-remediation-localsettingoverridescan-scheduletime" id="admx-microsoftdefenderantivirus-remediation-localsettingoverridescan-scheduletime">ADMX_MicrosoftDefenderAntivirus/Remediation_LocalSettingOverrideScan_ScheduleTime</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-remediation-scan-scheduleday" id="admx-microsoftdefenderantivirus-remediation-scan-scheduleday">ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleDay</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-remediation-scan-scheduletime" id="admx-microsoftdefenderantivirus-remediation-scan-scheduletime">ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleTime</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-additionalactiontimeout" id="admx-microsoftdefenderantivirus-reporting-additionalactiontimeout">ADMX_MicrosoftDefenderAntivirus/Reporting_AdditionalActionTimeout</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-criticalfailuretimeout" id="admx-microsoftdefenderantivirus-reporting-criticalfailuretimeout">ADMX_MicrosoftDefenderAntivirus/Reporting_CriticalFailureTimeout</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-disableenhancednotifications" id="admx-microsoftdefenderantivirus-reporting-disableenhancednotifications">ADMX_MicrosoftDefenderAntivirus/Reporting_DisableEnhancedNotifications</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-disablegenericreports" id="admx-microsoftdefenderantivirus-reporting-disablegenericreports">ADMX_MicrosoftDefenderAntivirus/Reporting_DisablegenericrePorts</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-noncriticaltimeout" id="admx-microsoftdefenderantivirus-reporting-noncriticaltimeout">ADMX_MicrosoftDefenderAntivirus/Reporting_NonCriticalTimeout</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-recentlycleanedtimeout" id="admx-microsoftdefenderantivirus-reporting-recentlycleanedtimeout">ADMX_MicrosoftDefenderAntivirus/Reporting_RecentlyCleanedTimeout</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-wpptracingcomponents" id="admx-microsoftdefenderantivirus-reporting-wpptracingcomponents">ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingComponents</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-wpptracinglevel" id="admx-microsoftdefenderantivirus-reporting-wpptracinglevel">ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingLevel</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-allowpause" id="admx-microsoftdefenderantivirus-scan-allowpause">ADMX_MicrosoftDefenderAntivirus/Scan_AllowPause</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-archivemaxdepth" id="admx-microsoftdefenderantivirus-scan-archivemaxdepth">ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxDepth</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-archivemaxsize" id="admx-microsoftdefenderantivirus-scan-archivemaxsize">ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxSize</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablearchivescanning" id="admx-microsoftdefenderantivirus-scan-disablearchivescanning">ADMX_MicrosoftDefenderAntivirus/Scan_DisableArchiveScanning</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disableemailscanning" id="admx-microsoftdefenderantivirus-scan-disableemailscanning">ADMX_MicrosoftDefenderAntivirus/Scan_DisableEmailScanning</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disableheuristics" id="admx-microsoftdefenderantivirus-scan-disableheuristics">ADMX_MicrosoftDefenderAntivirus/Scan_DisableHeuristics</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablepackedexescanning" id="admx-microsoftdefenderantivirus-scan-disablepackedexescanning">ADMX_MicrosoftDefenderAntivirus/Scan_DisablePackedExeScanning</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disableremovabledrivescanning" id="admx-microsoftdefenderantivirus-scan-disableremovabledrivescanning">ADMX_MicrosoftDefenderAntivirus/Scan_DisableRemovableDriveScanning</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablereparsepointscanning" id="admx-microsoftdefenderantivirus-scan-disablereparsepointscanning">ADMX_MicrosoftDefenderAntivirus/Scan_DisableReparsePointScanning</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablerestorepoint" id="admx-microsoftdefenderantivirus-scan-disablerestorepoint">ADMX_MicrosoftDefenderAntivirus/Scan_DisableRestorePoint</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablescanningmappednetworkdrivesforfullscan" id="admx-microsoftdefenderantivirus-scan-disablescanningmappednetworkdrivesforfullscan">ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningMappedNetworkDrivesForFullScan</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablescanningnetworkfiles" id="admx-microsoftdefenderantivirus-scan-disablescanningnetworkfiles">ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningNetworkFiles</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-localsettingoverrideavgcpuloadfactor" id="admx-microsoftdefenderantivirus-scan-localsettingoverrideavgcpuloadfactor">ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideAvgCPULoadFactor</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-localsettingoverridescanparameters" id="admx-microsoftdefenderantivirus-scan-localsettingoverridescanparameters">ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScanParameters</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-localsettingoverridescheduleday" id="admx-microsoftdefenderantivirus-scan-localsettingoverridescheduleday">ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleDay</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-localsettingoverrideschedulequickscantime" id="admx-microsoftdefenderantivirus-scan-localsettingoverrideschedulequickscantime">ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleQuickScantime</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-localsettingoverridescheduletime" id="admx-microsoftdefenderantivirus-scan-localsettingoverridescheduletime">ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleTime</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-lowcpupriority" id="admx-microsoftdefenderantivirus-scan-lowcpupriority">ADMX_MicrosoftDefenderAntivirus/Scan_LowCpuPriority</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-missedscheduledscancountbeforecatchup" id="admx-microsoftdefenderantivirus-scan-missedscheduledscancountbeforecatchup">ADMX_MicrosoftDefenderAntivirus/Scan_MissedScheduledScanCountBeforeCatchup</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-purgeitemsafterdelay" id="admx-microsoftdefenderantivirus-scan-purgeitemsafterdelay">ADMX_MicrosoftDefenderAntivirus/Scan_PurgeItemsAfterDelay</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-quickscaninterval" id="admx-microsoftdefenderantivirus-scan-quickscaninterval">ADMX_MicrosoftDefenderAntivirus/Scan_QuickScanInterval</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-scanonlyifidle" id="admx-microsoftdefenderantivirus-scan-scanonlyifidle">ADMX_MicrosoftDefenderAntivirus/Scan_ScanOnlyIfIdle</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-scheduleday" id="admx-microsoftdefenderantivirus-scan-scheduleday">ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleDay</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-scheduletime" id="admx-microsoftdefenderantivirus-scan-scheduletime">ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleTime</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-servicekeepalive" id="admx-microsoftdefenderantivirus-servicekeepalive">ADMX_MicrosoftDefenderAntivirus/ServiceKeepAlive</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-assignaturedue" id="admx-microsoftdefenderantivirus-signatureupdate-assignaturedue">ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ASSignatureDue</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-avsignaturedue" id="admx-microsoftdefenderantivirus-signatureupdate-avsignaturedue">ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_AVSignatureDue</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-definitionupdatefilesharessources" id="admx-microsoftdefenderantivirus-signatureupdate-definitionupdatefilesharessources">ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DefinitionUpdateFileSharesSources</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-disablescanonupdate" id="admx-microsoftdefenderantivirus-signatureupdate-disablescanonupdate">ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScanOnUpdate</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-disablescheduledsignatureupdateonbattery" id="admx-microsoftdefenderantivirus-signatureupdate-disablescheduledsignatureupdateonbattery">ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScheduledSignatureUpdateonBattery</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-disableupdateonstartupwithoutengine" id="admx-microsoftdefenderantivirus-signatureupdate-disableupdateonstartupwithoutengine">ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableUpdateOnStartupWithoutEngine</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-fallbackorder" id="admx-microsoftdefenderantivirus-signatureupdate-fallbackorder">ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_FallbackOrder</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-forceupdatefrommu" id="admx-microsoftdefenderantivirus-signatureupdate-forceupdatefrommu">ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ForceUpdateFromMU</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-realtimesignaturedelivery" id="admx-microsoftdefenderantivirus-signatureupdate-realtimesignaturedelivery">ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_RealtimeSignatureDelivery</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-scheduleday" id="admx-microsoftdefenderantivirus-signatureupdate-scheduleday">ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleDay</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-scheduletime" id="admx-microsoftdefenderantivirus-signatureupdate-scheduletime">ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleTime</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-sharedsignatureslocation" id="admx-microsoftdefenderantivirus-signatureupdate-sharedsignatureslocation">ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SharedSignaturesLocation</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-signaturedisablenotification" id="admx-microsoftdefenderantivirus-signatureupdate-signaturedisablenotification">ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureDisableNotification</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-signatureupdatecatchupinterval" id="admx-microsoftdefenderantivirus-signatureupdate-signatureupdatecatchupinterval">ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureUpdateCatchupInterval</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-updateonstartup" id="admx-microsoftdefenderantivirus-signatureupdate-updateonstartup">ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_UpdateOnStartup</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-spynetreporting" id="admx-microsoftdefenderantivirus-spynetreporting">ADMX_MicrosoftDefenderAntivirus/SpynetReporting</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-spynet-localsettingoverridespynetreporting" id="#admx-microsoftdefenderantivirus-spynet-localsettingoverridespynetreporting">ADMX_MicrosoftDefenderAntivirus/Spynet_LocalSettingOverrideSpynetReporting</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-threats-threatiddefaultaction" id="admx-microsoftdefenderantivirus-threats-threatiddefaultaction">ADMX_MicrosoftDefenderAntivirus/Threats_ThreatIdDefaultAction</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-ux-configuration-customdefaultactiontoaststring" id="admx-microsoftdefenderantivirus-ux-configuration-customdefaultactiontoaststring">ADMX_MicrosoftDefenderAntivirus/UX_Configuration_CustomDefaultActionToastString</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-ux-configuration-notification-suppress" id="admx-microsoftdefenderantivirus-ux-configuration-notification-suppress">ADMX_MicrosoftDefenderAntivirus/UX_Configuration_Notification_Suppress</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-ux-configuration-suppressrebootnotification" id="admx-microsoftdefenderantivirus-ux-configuration-suppressrebootnotification">ADMX_MicrosoftDefenderAntivirus/UX_Configuration_SuppressRebootNotification</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-ux-configuration-uilockdown" id="admx-microsoftdefenderantivirus-ux-configuration-uilockdown">ADMX_MicrosoftDefenderAntivirus/UX_Configuration_UILockdown</a>
+  </dd>
+</dl>
+
 ### ADMX_MMC policies
 <dl>
   <dd>
@@ -1573,6 +2286,32 @@ The following diagram shows the Policy configuration service provider in tree fo
   </dd>
 </dl>
 
+### ADMX_Programs policies  
+
+<dl>
+  <dd>
+    <a href="./policy-csp-admx-programs.md#admx-programs-nodefaultprograms" id="admx-programs-nodefaultprograms">ADMX_Programs/NoDefaultPrograms</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-programs.md#admx-programs-nogetprograms" id="admx-programs-nogetprograms">ADMX_Programs/NoGetPrograms</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-programs.md#admx-programs-noinstalledupdates" id="admx-programs-noinstalledupdates">ADMX_Programs/NoInstalledUpdates</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-programs.md#admx-programs-noprogramsandfeatures" id="admx-programs-noprogramsandfeatures">ADMX_Programs/NoProgramsAndFeatures</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-programs.md#admx-programs-noprogramscpl" id="admx-programs-noprogramscpl">ADMX_Programs/NoProgramsCPL</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-programs.md#admx-programs-nowindowsfeatures" id="admx-programs-nowindowsfeatures">ADMX_Programs/NoWindowsFeatures</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-programs.md#admx-programs-nowindowsmarketplace" id="admx-programs-nowindowsmarketplace">ADMX_Programs/NoWindowsMarketplace</a>
+  </dd>
+</dl>
+
 ### ADMX_Reliability policies
 
 <dl>
@@ -1681,6 +2420,38 @@ The following diagram shows the Policy configuration service provider in tree fo
   </dd>
 </dl>
 
+### ADMX_SettingSync policies  
+
+<dl>
+  <dd>
+    <a href="./policy-csp-admx-settingsync.md#admx-settingsync-disableappsyncsettingsync" id="admx-settingsync-disableappsyncsettingsync">ADMX_SettingSync/DisableAppSyncSettingSync</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-settingsync.md#admx-settingsync-disableapplicationsettingsync" id="admx-settingsync-disableapplicationsettingsync">ADMX_SettingSync/DisableApplicationSettingSync</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-settingsync.md#admx-settingsync-disablecredentialssettingsync" id="admx-settingsync-disablecredentialssettingsync">ADMX_SettingSync/DisableCredentialsSettingSync</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-settingsync.md#admx-settingsync-disabledesktopthemesettingsync" id="admx-settingsync-disabledesktopthemesettingsync">ADMX_SettingSync/DisableDesktopThemeSettingSync</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-settingsync.md#admx-settingsync-disablepersonalizationsettingsync" id="admx-settingsync-disablepersonalizationsettingsync">ADMX_SettingSync/DisablePersonalizationSettingSync</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-settingsync.md#admx-settingsync-disablesettingsync" id="admx-settingsync-disablesettingsync">ADMX_SettingSync/DisableSettingSync</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-settingsync.md#admx-settingsync-disablestartlayoutsettingsync" id="admx-settingsync-disablestartlayoutsettingsync">ADMX_SettingSync/DisableStartLayoutSettingSync</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-settingsync.md#admx-settingsync-disablesynconpaidnetwork" id="admx-settingsync-disablesynconpaidnetwork">ADMX_SettingSync/DisableSyncOnPaidNetwork</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-settingsync.md#admx-settingsync-disablewindowssettingsync" id="admx-settingsync-disablewindowssettingsync">ADMX_SettingSync/DisableWindowsSettingSync</a>
+  </dd>
+</dl>
+
 ### ADMX_SharedFolders policies  
 
 <dl>
@@ -1990,6 +2761,14 @@ The following diagram shows the Policy configuration service provider in tree fo
   </dd>
 </dl>
 
+### ADMX_SystemRestore policies  
+
+<dl>
+  <dd>
+    <a href="./policy-csp-admx-systemrestore.md#admx-systemrestore-sr-disableconfig" ID="admx-systemrestore-sr-disableconfig">ADMX_SystemRestore/SR_DisableConfig</a>
+  </dd>
+</dl>
+
 ### ADMX_Taskbar policies  
 
 <dl>
@@ -2996,6 +3775,29 @@ The following diagram shows the Policy configuration service provider in tree fo
   </dd>
 </dl>
 
+### ADMX_WPN policies  
+
+<dl>
+  <dd>
+    <a href="./policy-csp-admx-wpn.md#admx-wpn-nocallsduringquiethours" id="admx-wpn-nocallsduringquiethours">ADMX_WPN/NoCallsDuringQuietHours</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-wpn.md#admx-wpn-nolockscreentoastnotification" id="admx-wpn-nolockscreentoastnotification">ADMX_WPN/NoLockScreenToastNotification</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-wpn.md#admx-wpn-noquiethours" id="admx-wpn-noquiethours">ADMX_WPN/NoQuietHours</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-wpn.md#admx-wpn-notoastnotification" id="admx-wpn-notoastnotification">ADMX_WPN/NoToastNotification</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-wpn.md#admx-wpn-quiethoursdailybeginminute" id="admx-wpn-quiethoursdailybeginminute">ADMX_WPN/QuietHoursDailyBeginMinute</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-admx-wpn.md#admx-wpn-quiethoursdailyendminute" id="admx-wpn-quiethoursdailyendminute">ADMX_WPN/QuietHoursDailyEndMinute</a>
+  </dd>
+</dl>
+
 ### ApplicationDefaults policies
 
 <dl>

windows/client-management/mdm/policy-csp-admx-credssp.md

@@ -0,0 +1,969 @@
+---
+title: Policy CSP - ADMX_CredSsp
+description: Policy CSP - ADMX_CredSsp
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 11/12/2020
+ms.reviewer: 
+manager: dansimp
+---
+
+# Policy CSP - ADMX_CredSsp
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+<hr/>
+
+<!--Policies-->
+## ADMX_CredSsp policies  
+
+<dl>
+  <dd>
+    <a href="#admx-credssp-allowdefcredentialswhenntlmonly">ADMX_CredSsp/AllowDefCredentialsWhenNTLMOnly</a>
+  </dd>
+  <dd>
+    <a href="#admx-credssp-allowdefaultcredentials">ADMX_CredSsp/AllowDefaultCredentials</a>
+  </dd>
+  <dd>
+    <a href="#admx-credssp-allowencryptionoracle">ADMX_CredSsp/AllowEncryptionOracle</a>
+  </dd>
+  <dd>
+    <a href="#admx-credssp-allowfreshcredentials">ADMX_CredSsp/AllowFreshCredentials</a>
+  </dd>
+  <dd>
+    <a href="#admx-credssp-allowfreshcredentialswhenntlmonly">ADMX_CredSsp/AllowFreshCredentialsWhenNTLMOnly</a>
+  </dd>
+  <dd>
+    <a href="#admx-credssp-allowsavedcredentials">ADMX_CredSsp/AllowSavedCredentials</a>
+  </dd>
+  <dd>
+    <a href="#admx-credssp-allowsavedcredentialswhenntlmonly">ADMX_CredSsp/AllowSavedCredentialsWhenNTLMOnly</a>
+  </dd>
+  <dd>
+    <a href="#admx-credssp-denydefaultcredentials">ADMX_CredSsp/DenyDefaultCredentials</a>
+  </dd>
+  <dd>
+    <a href="#admx-credssp-denyfreshcredentials">ADMX_CredSsp/DenyFreshCredentials</a>
+  </dd>
+  <dd>
+    <a href="#admx-credssp-denysavedcredentials">ADMX_CredSsp/DenySavedCredentials</a>
+  </dd>
+  <dd>
+    <a href="#admx-credssp-restrictedremoteadministration">ADMX_CredSsp/RestrictedRemoteAdministration</a>
+  </dd>
+</dl>
+
+
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-credssp-allowdefcredentialswhenntlmonly"></a>**ADMX_CredSsp/AllowDefCredentialsWhenNTLMOnly**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection).
+
+This policy setting applies when server authentication was achieved via NTLM.
+
+If you enable this policy setting, you can specify the servers to which the user's default credentials can be delegated (default credentials are those that you use when first logging on to Windows).
+
+If you disable or do not configure (by default) this policy setting, delegation of default credentials is not permitted to any machine.
+
+> [!NOTE]
+> The "Allow delegating default credentials with NTLM-only server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated.  The use of a single wildcard character is permitted when specifying the SPN.
+>
+> For Example:
+>
+> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine
+> - TERMSRV/* Remote Desktop Session Host running on all machines.
+> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Allow delegating default credentials with NTLM-only server authentication*
+-   GP name: *AllowDefCredentialsWhenNTLMOnly*
+-   GP path: *System\Credentials Delegation*
+-   GP ADMX file name: *CredSsp.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-credssp-allowdefaultcredentials"></a>**ADMX_CredSsp/AllowDefaultCredentials**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection).
+
+This policy setting applies when server authentication was achieved by using a trusted X509 certificate or Kerberos.
+
+If you enable this policy setting, you can specify the servers to which the user's default credentials can be delegated (default credentials are those that you use when first logging on to Windows).
+
+The policy becomes effective the next time the user signs on to a computer running Windows.
+
+If you disable or do not configure (by default) this policy setting, delegation of default credentials is not permitted to any computer. Applications depending upon this delegation behavior might fail authentication. For more information, see KB.
+
+FWlink for KB:
+https://go.microsoft.com/fwlink/?LinkId=301508
+
+> [!NOTE]
+> The "Allow delegating default credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN.
+>
+> For Example:
+>
+> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine
+> - TERMSRV/* Remote Desktop Session Host running on all machines.
+> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Allow delegating default credentials*
+-   GP name: *AllowDefaultCredentials*
+-   GP path: *System\Credentials Delegation*
+-   GP ADMX file name: *CredSsp.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-credssp-allowencryptionoracle"></a>**ADMX_CredSsp/AllowEncryptionOracle**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the CredSSP component (for example: Remote Desktop Connection).
+
+Some versions of the CredSSP protocol are vulnerable to an encryption oracle attack against the client.  This policy controls compatibility with vulnerable clients and servers.  This policy allows you to set the level of protection desired for the encryption oracle vulnerability.
+
+If you enable this policy setting, CredSSP version support will be selected based on the following options:
+
+- Force Updated Clients: Client applications which use CredSSP will not be able to fall back to the insecure versions and services using CredSSP will not accept unpatched clients. 
+
+    > [!NOTE]
+    > This setting should not be deployed until all remote hosts support the newest version.
+
+- Mitigated: Client applications which use CredSSP will not be able to fall back to the insecure version but services using CredSSP will accept unpatched clients. See the link below for important information about the risk posed by remaining unpatched clients.
+
+- Vulnerable: Client applications which use CredSSP will expose the remote servers to attacks by supporting fall back to the insecure versions and services using CredSSP will accept unpatched clients.
+
+For more information about the vulnerability and servicing requirements for protection, see https://go.microsoft.com/fwlink/?linkid=866660
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Encryption Oracle Remediation*
+-   GP name: *AllowEncryptionOracle*
+-   GP path: *System\Credentials Delegation*
+-   GP ADMX file name: *CredSsp.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-credssp-allowfreshcredentials"></a>**ADMX_CredSsp/AllowFreshCredentials**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection).
+
+This policy setting applies when server authentication was achieved via a trusted X509 certificate or Kerberos.
+
+If you enable this policy setting, you can specify the servers to which the user's fresh credentials can be delegated (fresh credentials are those that you are prompted for when executing the application).
+
+If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*).
+
+If you disable this policy setting, delegation of fresh credentials is not permitted to any machine.
+
+> [!NOTE]
+> The "Allow delegating fresh credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard is permitted when specifying the SPN.
+>
+> For Example:
+>
+> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine
+> - TERMSRV/* Remote Desktop Session Host running on all machines.
+> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Allow delegating fresh credentials*
+-   GP name: *AllowFreshCredentials*
+-   GP path: *System\Credentials Delegation*
+-   GP ADMX file name: *CredSsp.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-credssp-allowfreshcredentialswhenntlmonly"></a>**ADMX_CredSsp/AllowFreshCredentialsWhenNTLMOnly**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection).
+
+This policy setting applies when server authentication was achieved via NTLM.
+
+If you enable this policy setting, you can specify the servers to which the user's fresh credentials can be delegated (fresh credentials are those that you are prompted for when executing the application).
+
+If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*).
+
+If you disable this policy setting, delegation of fresh credentials is not permitted to any machine.
+
+> [!NOTE]
+> The "Allow delegating fresh credentials with NTLM-only server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN.
+>
+> For Example:
+>
+> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine
+> - TERMSRV/* Remote Desktop Session Host running on all machines.
+> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Allow delegating fresh credentials with NTLM-only server authentication*
+-   GP name: *AllowFreshCredentialsWhenNTLMOnly*
+-   GP path: *System\Credentials Delegation*
+-   GP ADMX file name: *CredSsp.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-credssp-allowsavedcredentials"></a>**ADMX_CredSsp/AllowSavedCredentials**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection).
+
+This policy setting applies when server authentication was achieved via a trusted X509 certificate or Kerberos.
+
+If you enable this policy setting, you can specify the servers to which the user's saved credentials can be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager).
+
+If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of saved credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*).
+
+If you disable this policy setting, delegation of saved credentials is not permitted to any machine.
+
+> [!NOTE]
+> The "Allow delegating saved credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN.
+>
+> For Example:
+>
+> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine
+> - TERMSRV/* Remote Desktop Session Host running on all machines.
+> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Allow delegating saved credentials*
+-   GP name: *AllowSavedCredentials*
+-   GP path: *System\Credentials Delegation*
+-   GP ADMX file name: *CredSsp.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-credssp-allowsavedcredentialswhenntlmonly"></a>**ADMX_CredSsp/AllowSavedCredentialsWhenNTLMOnly**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection).
+
+This policy setting applies when server authentication was achieved via NTLM.
+
+If you enable this policy setting, you can specify the servers to which the user's saved credentials can be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager).
+
+If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of saved credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*) if the client machine is not a member of any domain. If the client is domain-joined, by default the delegation of saved credentials is not permitted to any machine.
+
+If you disable this policy setting, delegation of saved credentials is not permitted to any machine.
+
+> [!NOTE]
+> The "Allow delegating saved credentials with NTLM-only server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN.
+>
+> For Example:
+>
+> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine
+> - TERMSRV/* Remote Desktop Session Host running on all machines.
+> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Allow delegating saved credentials with NTLM-only server authentication*
+-   GP name: *AllowSavedCredentialsWhenNTLMOnly*
+-   GP path: *System\Credentials Delegation*
+-   GP ADMX file name: *CredSsp.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-credssp-denydefaultcredentials"></a>**ADMX_CredSsp/DenyDefaultCredentials**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection).
+
+If you enable this policy setting, you can specify the servers to which the user's default credentials cannot be delegated (default credentials are those that you use when first logging on to Windows).
+
+If you disable or do not configure (by default) this policy setting, this policy setting does not specify any server.
+
+> [!NOTE]
+> The "Deny delegating default credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wildcard character is permitted when specifying the SPN.
+>
+> For Example:
+>
+> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine
+> - TERMSRV/* Remote Desktop Session Host running on all machines.
+> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com
+
+This policy setting can be used in combination with the "Allow delegating default credentials" policy setting to define exceptions for specific servers that are otherwise permitted when using wildcard characters in the "Allow delegating default credentials" server list.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Deny delegating default credentials*
+-   GP name: *DenyDefaultCredentials*
+-   GP path: *System\Credentials Delegation*
+-   GP ADMX file name: *CredSsp.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-credssp-denyfreshcredentials"></a>**ADMX_CredSsp/DenyFreshCredentials**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection).
+
+If you enable this policy setting, you can specify the servers to which the user's fresh credentials cannot be delegated (fresh credentials are those that you are prompted for when executing the application).
+
+If you disable or do not configure (by default) this policy setting, this policy setting does not specify any server.
+
+> [!NOTE]
+> The "Deny delegating fresh credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wildcard character is permitted when specifying the SPN.
+>
+> For Example:
+>
+> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine
+> - TERMSRV/* Remote Desktop Session Host running on all machines.
+> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com
+
+This policy setting can be used in combination with the "Allow delegating fresh credentials" policy setting to define exceptions for specific servers that are otherwise permitted when using wildcard characters in the "Allow delegating fresh credentials" server list.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Deny delegating fresh credentials*
+-   GP name: *DenyFreshCredentials*
+-   GP path: *System\Credentials Delegation*
+-   GP ADMX file name: *CredSsp.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-credssp-denysavedcredentials"></a>**ADMX_CredSsp/DenySavedCredentials**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection).
+
+If you enable this policy setting, you can specify the servers to which the user's saved credentials cannot be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager).
+
+If you disable or do not configure (by default) this policy setting, this policy setting does not specify any server.
+
+> [!NOTE]
+> The "Deny delegating saved credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wildcard character is permitted when specifying the SPN.
+>
+> For Example:
+>
+> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine
+> - TERMSRV/* Remote Desktop Session Host running on all machines.
+> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com
+
+This policy setting can be used in combination with the "Allow delegating saved credentials" policy setting to define exceptions for specific servers that are otherwise permitted when using wildcard characters in the "Allow delegating saved credentials" server list.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Deny delegating saved credentials*
+-   GP name: *DenySavedCredentials*
+-   GP path: *System\Credentials Delegation*
+-   GP ADMX file name: *CredSsp.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-credssp-restrictedremoteadministration"></a>**ADMX_CredSsp/RestrictedRemoteAdministration**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. When running in Restricted Admin or Remote Credential Guard mode, participating apps do not expose signed in or supplied credentials to a remote host. Restricted Admin limits access to resources located on other servers or networks from the remote host because credentials are not delegated. Remote Credential Guard does not limit access to resources because it redirects all requests back to the client device.
+
+Participating apps:
+Remote Desktop Client
+
+If you enable this policy setting, the following options are supported:
+
+- Restrict credential delegation: Participating applications must use Restricted Admin or Remote Credential Guard to connect to remote hosts.
+- Require Remote Credential Guard: Participating applications must use Remote Credential Guard to connect to remote hosts.
+- Require Restricted Admin: Participating applications must use Restricted Admin to connect to remote hosts.
+
+If you disable or do not configure this policy setting, Restricted Admin and Remote Credential Guard mode are not enforced and participating apps can delegate credentials to remote devices.
+
+> [!NOTE]
+> To disable most credential delegation, it may be sufficient to deny delegation in Credential Security Support Provider (CredSSP) by modifying Administrative template settings (located at Computer Configuration\Administrative Templates\System\Credentials Delegation).
+>
+> On Windows 8.1 and Windows Server 2012 R2, enabling this policy will enforce Restricted Administration mode, regardless of the mode chosen. These versions do not support Remote Credential Guard.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Restrict delegation of credentials to remote servers*
+-   GP name: *RestrictedRemoteAdministration*
+-   GP path: *System\Credentials Delegation*
+-   GP ADMX file name: *CredSsp.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
+
+<!--/Policies-->
+

windows/client-management/mdm/policy-csp-admx-datacollection.md

@@ -0,0 +1,114 @@
+---
+title: Policy CSP - ADMX_DataCollection
+description: Policy CSP - ADMX_DataCollection
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 12/01/2020
+ms.reviewer: 
+manager: dansimp
+---
+
+# Policy CSP - ADMX_DataCollection
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+<hr/>
+
+<!--Policies-->
+## ADMX_DataCollection policies  
+
+<dl>
+  <dd>
+    <a href="#admx-datacollection-commercialidpolicy">ADMX_DataCollection/CommercialIdPolicy</a>
+  </dd>
+</dl>
+
+
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-datacollection-commercialidpolicy"></a>**ADMX_DataCollection/CommercialIdPolicy**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This policy setting defines the identifier used to uniquely associate this device’s telemetry data as belonging to a given organization.
+
+If your organization is participating in a program that requires this device to be identified as belonging to your organization then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program.
+
+If you disable or do not configure this policy setting, then Microsoft will not be able to use this identifier to associate this machine and its telemetry data with your organization.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Configure the Commercial ID*
+-   GP name: *CommercialIdPolicy*
+-   GP path: *Windows Components\Data Collection and Preview Builds*
+-   GP ADMX file name: *DataCollection.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
+
+<!--/Policies-->
+

windows/client-management/mdm/policy-csp-admx-deviceinstallation.md

@@ -0,0 +1,619 @@
+---
+title: Policy CSP - ADMX_DeviceInstallation
+description: Policy CSP - ADMX_DeviceInstallation
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 11/19/2020
+ms.reviewer: 
+manager: dansimp
+---
+
+# Policy CSP - ADMX_DeviceInstallation
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+<hr/>
+
+<!--Policies-->
+## ADMX_DeviceInstallation policies  
+
+<dl>
+  <dd>
+    <a href="#admx-deviceinstallation-deviceinstall-allowadmininstall">ADMX_DeviceInstallation/DeviceInstall_AllowAdminInstall</a>
+  </dd>
+  <dd>
+    <a href="#admx-deviceinstallation-deviceinstall-deniedpolicy-detailtext">ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_DetailText</a>
+  </dd>
+  <dd>
+    <a href="#admx-deviceinstallation-deviceinstall-deniedpolicy-simpletext">ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_SimpleText</a>
+  </dd>
+  <dd>
+    <a href="#admx-deviceinstallation-deviceinstall-installtimeout">ADMX_DeviceInstallation/DeviceInstall_InstallTimeout</a>
+  </dd>
+  <dd>
+    <a href="#admx-deviceinstallation-deviceinstall-policy-reboottime">ADMX_DeviceInstallation/DeviceInstall_Policy_RebootTime</a>
+  </dd>
+  <dd>
+    <a href="#admx-deviceinstallation-deviceinstall-removable-deny">ADMX_DeviceInstallation/DeviceInstall_Removable_Deny</a>
+  </dd>
+  <dd>
+    <a href="#admx-deviceinstallation-deviceinstall-systemrestore">ADMX_DeviceInstallation/DeviceInstall_SystemRestore</a>
+  </dd>
+  <dd>
+    <a href="#admx-deviceinstallation-deviceinstall-classes-allowuser">ADMX_DeviceInstallation/DriverInstall_Classes_AllowUser</a>
+  </dd>
+</dl>
+
+
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-deviceinstallation-deviceinstall-allowadmininstall"></a>**ADMX_DeviceInstallation/DeviceInstall_AllowAdminInstall**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to determine whether members of the Administrators group can install and update the drivers for any device, regardless of other policy settings.
+
+If you enable this policy setting, members of the Administrators group can use the Add Hardware wizard or the Update Driver wizard to install and update the drivers for any device. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
+
+If you disable or do not configure this policy setting, members of the Administrators group are subject to all policy settings that restrict device installation.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Allow administrators to override Device Installation Restriction policies*
+-   GP name: *DeviceInstall_AllowAdminInstall*
+-   GP path: *System\Device Installation\Device Installation Restrictions*
+-   GP ADMX file name: *DeviceInstallation.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-deviceinstallation-deviceinstall-deniedpolicy-detailtext"></a>**ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_DetailText**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to display a custom message to users in a notification when a device installation is attempted and a policy setting prevents the installation.
+
+If you enable this policy setting, Windows displays the text you type in the Detail Text box when a policy setting prevents device installation.
+
+If you disable or do not configure this policy setting, Windows displays a default message when a policy setting prevents device installation.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Display a custom message when installation is prevented by a policy setting*
+-   GP name: *DeviceInstall_DeniedPolicy_DetailText*
+-   GP path: *System\Device Installation\Device Installation Restrictions*
+-   GP ADMX file name: *DeviceInstallation.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-deviceinstallation-deviceinstall-deniedpolicy-simpletext"></a>**ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_SimpleText**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to display a custom message title in a notification when a device installation is attempted and a policy setting prevents the installation.
+
+If you enable this policy setting, Windows displays the text you type in the Main Text box as the title text of a notification when a policy setting prevents device installation.
+
+If you disable or do not configure this policy setting, Windows displays a default title in a notification when a policy setting prevents device installation.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Display a custom message title when device installation is prevented by a policy setting*
+-   GP name: *DeviceInstall_DeniedPolicy_SimpleText*
+-   GP path: *System\Device Installation\Device Installation Restrictions*
+-   GP ADMX file name: *DeviceInstallation.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-deviceinstallation-deviceinstall-installtimeout"></a>**ADMX_DeviceInstallation/DeviceInstall_InstallTimeout**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the number of seconds Windows waits for a device installation task to complete. 
+
+If you enable this policy setting, Windows waits for the number of seconds you specify before terminating the installation.
+
+If you disable or do not configure this policy setting, Windows waits 240 seconds for a device installation task to complete before terminating the installation.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Configure device installation time-out*
+-   GP name: *DeviceInstall_InstallTimeout*
+-   GP path: *System\Device Installation*
+-   GP ADMX file name: *DeviceInstallation.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-deviceinstallation-deviceinstall-policy-reboottime"></a>**ADMX_DeviceInstallation/DeviceInstall_Policy_RebootTime**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This policy setting establishes the amount of time (in seconds) that the system will wait to reboot in order to enforce a change in device installation restriction policies.
+
+If you enable this policy setting, set the amount of seconds you want the system to wait until a reboot.
+
+If you disable or do not configure this policy setting, the system does not force a reboot.
+
+Note: If no reboot is forced, the device installation restriction right will not take effect until the system is restarted.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Time (in seconds) to force reboot when required for policy changes to take effect*
+-   GP name: *DeviceInstall_Policy_RebootTime*
+-   GP path: *System\Device Installation\Device Installation Restrictions*
+-   GP ADMX file name: *DeviceInstallation.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-deviceinstallation-deviceinstall-removable-deny"></a>**ADMX_DeviceInstallation/DeviceInstall_Removable_Deny**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent Windows from installing removable devices. A device is considered removable when the driver for the device to which it is connected indicates that the device is removable. For example, a Universal Serial Bus (USB) device is reported to be removable by the drivers for the USB hub to which the device is connected. This policy setting takes precedence over any other policy setting that allows Windows to install a device.
+
+If you enable this policy setting, Windows is prevented from installing removable devices and existing removable devices cannot have their drivers updated. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of removable devices from a remote desktop client to the remote desktop server.
+
+If you disable or do not configure this policy setting, Windows can install and update device drivers for removable devices as allowed or prevented by other policy settings.
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Prevent installation of removable devices*
+-   GP name: *DeviceInstall_Removable_Deny*
+-   GP path: *System\Device Installation\Device Installation Restrictions*
+-   GP ADMX file name: *DeviceInstallation.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-deviceinstallation-deviceinstall-systemrestore"></a>**ADMX_DeviceInstallation/DeviceInstall_SystemRestore**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent Windows from creating a system restore point during device activity that would normally prompt Windows to create a system restore point. Windows normally creates restore points for certain driver activity, such as the installation of an unsigned driver. A system restore point enables you to more easily restore your system to its state before the activity. 
+
+If you enable this policy setting, Windows does not create a system restore point when one would normally be created.
+
+If you disable or do not configure this policy setting, Windows creates a system restore point as it normally would.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Prevent creation of a system restore point during device activity that would normally prompt creation of a restore point*
+-   GP name: *DeviceInstall_SystemRestore*
+-   GP path: *System\Device Installation*
+-   GP ADMX file name: *DeviceInstallation.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-deviceinstallation-deviceinstall-classes-allowuser"></a>**ADMX_DeviceInstallation/DriverInstall_Classes_AllowUser**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies a list of device setup class GUIDs describing device drivers that non-administrator members of the built-in Users group may install on the system.
+
+If you enable this policy setting, members of the Users group may install new drivers for the specified device setup classes. The drivers must be signed according to Windows Driver Signing Policy, or be signed by publishers already in the TrustedPublisher store.
+
+If you disable or do not configure this policy setting, only members of the Administrators group are allowed to install new device drivers on the system.
+
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Allow non-administrators to install drivers for these device setup classes*
+-   GP name: *DriverInstall_Classes_AllowUser*
+-   GP path: *System\Device Installation*
+-   GP ADMX file name: *DeviceInstallation.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
+
+<!--/Policies-->

windows/client-management/mdm/policy-csp-admx-devicesetup.md

@@ -0,0 +1,188 @@
+---
+title: Policy CSP - ADMX_DeviceSetup
+description: Policy CSP - ADMX_DeviceSetup
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 11/19/2020
+ms.reviewer: 
+manager: dansimp
+---
+
+# Policy CSP - ADMX_DeviceSetup
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+<hr/>
+
+<!--Policies-->
+## ADMX_DeviceSetup policies  
+
+<dl>
+  <dd>
+    <a href="#admx-devicesetup-deviceinstall-balloontips">ADMX_DeviceSetup/DeviceInstall_BalloonTips</a>
+  </dd>
+  <dd>
+    <a href="#admx-devicesetup-driversearchplaces-searchorderconfiguration">ADMX_DeviceSetup/DriverSearchPlaces_SearchOrderConfiguration</a>
+  </dd>
+</dl>
+
+
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-devicesetup-deviceinstall-balloontips"></a>**ADMX_DeviceSetup/DeviceInstall_BalloonTips**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off "Found New Hardware" balloons during device installation.
+
+If you enable this policy setting, "Found New Hardware" balloons do not appear while a device is being installed.
+
+If you disable or do not configure this policy setting, "Found New Hardware" balloons appear while a device is being installed, unless the driver for the device suppresses the balloons.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Turn off "Found New Hardware" balloons during device installation*
+-   GP name: *DeviceInstall_BalloonTips*
+-   GP path: *System\Device Installation*
+-   GP ADMX file name: *DeviceSetup.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-devicesetup-driversearchplaces-searchorderconfiguration"></a>**ADMX_DeviceSetup/DriverSearchPlaces_SearchOrderConfiguration**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the order in which Windows searches source locations for device drivers.
+
+If you enable this policy setting, you can select whether Windows searches for drivers on Windows Update unconditionally, only if necessary, or not at all.
+
+Note that searching always implies that Windows will attempt to search Windows Update exactly one time. With this setting, Windows will not continually search for updates. This setting is used to ensure that the best software will be found for the device, even if the network is temporarily available. If the setting for searching only if needed is specified, then Windows will search for a driver only if a driver is not locally available on the system.
+
+If you disable or do not configure this policy setting, members of the Administrators group can determine the priority order in which Windows searches source locations for device drivers.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Specify search order for device driver source locations*
+-   GP name: *DriverSearchPlaces_SearchOrderConfiguration*
+-   GP path: *System\Device Installation*
+-   GP ADMX file name: *DeviceSetup.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
+
+<!--/Policies-->
+

windows/client-management/mdm/policy-csp-admx-eaime.md

@@ -0,0 +1,971 @@
+---
+title: Policy CSP - ADMX_EAIME
+description: Policy CSP - ADMX_EAIME
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 11/19/2020
+ms.reviewer: 
+manager: dansimp
+---
+
+# Policy CSP - ADMX_EAIME
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+<hr/>
+
+<!--Policies-->
+## ADMX_EAIME policies  
+
+<dl>
+  <dd>
+    <a href="#admx-eaime-l-donotincludenonpublishingstandardglyphinthecandidatelist">ADMX_EAIME/L_DoNotIncludeNonPublishingStandardGlyphInTheCandidateList</a>
+  </dd>
+  <dd>
+    <a href="#admx-eaime-l-restrictcharactercoderangeofconversion">ADMX_EAIME/L_RestrictCharacterCodeRangeOfConversion</a>
+  </dd>
+  <dd>
+    <a href="#admx-eaime-l-turnoffcustomdictionary">ADMX_EAIME/L_TurnOffCustomDictionary</a>
+  </dd>
+  <dd>
+    <a href="#admx-eaime-l-turnoffhistorybasedpredictiveinput">ADMX_EAIME/L_TurnOffHistorybasedPredictiveInput</a>
+  </dd>
+  <dd>
+    <a href="#admx-eaime-l-turnoffinternetsearchintegration">ADMX_EAIME/L_TurnOffInternetSearchIntegration</a>
+  </dd>
+  <dd>
+    <a href="#admx-eaime-l-turnoffopenextendeddictionary">ADMX_EAIME/L_TurnOffOpenExtendedDictionary</a>
+  </dd>
+  <dd>
+    <a href="#admx-eaime-l-turnoffsavingautotuningdatatofile">ADMX_EAIME/L_TurnOffSavingAutoTuningDataToFile</a>
+  </dd>
+  <dd>
+    <a href="#admx-eaime-l-turnoncloudcandidate">ADMX_EAIME/L_TurnOnCloudCandidate</a>
+  </dd>
+  <dd>
+    <a href="#admx-eaime-l-turnoncloudcandidatechs">ADMX_EAIME/L_TurnOnCloudCandidateCHS</a>
+  </dd>
+  <dd>
+    <a href="#admx-eaime-l-turnonlexiconupdate">ADMX_EAIME/L_TurnOnLexiconUpdate</a>
+  </dd>
+  <dd>
+    <a href="#admx-eaime-l-turnonlivestickers">ADMX_EAIME/L_TurnOnLiveStickers</a>
+  </dd>
+  <dd>
+    <a href="#admx-eaime-l-turnonmisconversionloggingformisconversionreport">ADMX_EAIME/L_TurnOnMisconversionLoggingForMisconversionReport</a>
+  </dd>
+</dl>
+
+
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-eaime-l-donotincludenonpublishingstandardglyphinthecandidatelist"></a>**ADMX_EAIME/L_DoNotIncludeNonPublishingStandardGlyphInTheCandidateList**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to include the Non-Publishing Standard Glyph in the candidate list when Publishing Standard Glyph for the word exists.
+
+If you enable this policy setting, Non-Publishing Standard Glyph is not included in the candidate list when Publishing Standard Glyph for the word exists.
+
+If you disable or do not configure this policy setting, both Publishing Standard Glyph and Non-Publishing Standard Glyph are included in the candidate list.
+
+This policy setting applies to Japanese Microsoft IME only.
+
+> [!NOTE]
+> Changes to this setting will not take effect until the user logs off.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Do not include Non-Publishing Standard Glyph in the candidate list*
+-   GP name: *L_DoNotIncludeNonPublishingStandardGlyphInTheCandidateList*
+-   GP path: *Windows Components\IME*
+-   GP ADMX file name: *EAIME.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-eaime-l-restrictcharactercoderangeofconversion"></a>**ADMX_EAIME/L_RestrictCharacterCodeRangeOfConversion**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to restrict character code range of conversion by setting character filter.
+
+If you enable this policy setting, then only the character code ranges specified by this policy setting are used for conversion of IME.  You can specify multiple ranges by setting a value combined with a bitwise OR of following values:
+
+- 0x0001 // JIS208 area
+- 0x0002 // NEC special char code
+- 0x0004 // NEC selected IBM extended code
+- 0x0008 // IBM extended code
+- 0x0010 // Half width katakana code
+- 0x0100 // EUDC(GAIJI)
+- 0x0200 // S-JIS unmapped area
+- 0x0400 // Unicode char
+- 0x0800 // surrogate char
+- 0x1000 // IVS char
+- 0xFFFF // no definition.
+
+If you disable or do not configure this policy setting, no range of characters are filtered by default.
+
+This policy setting applies to Japanese Microsoft IME only.
+
+> [!NOTE]
+> Changes to this setting will not take effect until the user logs off.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Restrict character code range of conversion*
+-   GP name: *L_RestrictCharacterCodeRangeOfConversion*
+-   GP path: *Windows Components\IME*
+-   GP ADMX file name: *EAIME.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-eaime-l-turnoffcustomdictionary"></a>**ADMX_EAIME/L_TurnOffCustomDictionary**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off the ability to use a custom dictionary.
+
+If you enable this policy setting, you cannot add, edit, and delete words in the custom dictionary either with GUI tools or APIs. A word registered in the custom dictionary before enabling this policy setting can continue to be used for conversion.
+
+If you disable or do not configure this policy setting, the custom dictionary can be used by default.
+
+For Japanese Microsoft IME, [Clear auto-tuning information] works, even if this policy setting is enabled, and it clears self-tuned words from the custom dictionary.
+
+This policy setting is applied to Japanese Microsoft IME.
+
+> [!NOTE]
+> Changes to this setting will not take effect until the user logs off.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Turn off custom dictionary*
+-   GP name: *L_TurnOffCustomDictionary*
+-   GP path: *Windows Components\IME*
+-   GP ADMX file name: *EAIME.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-eaime-l-turnoffhistorybasedpredictiveinput"></a>**ADMX_EAIME/L_TurnOffHistorybasedPredictiveInput**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off history-based predictive input.
+
+If you enable this policy setting, history-based predictive input is turned off.
+
+If you disable or do not configure this policy setting, history-based predictive input is on by default.
+
+This policy setting applies to Japanese Microsoft IME only.
+
+> [!NOTE]
+> Changes to this setting will not take effect until the user logs off.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Turn off history-based predictive input*
+-   GP name: *L_TurnOffHistorybasedPredictiveInput*
+-   GP path: *Windows Components\IME*
+-   GP ADMX file name: *EAIME.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-eaime-l-turnoffinternetsearchintegration"></a>**ADMX_EAIME/L_TurnOffInternetSearchIntegration**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off Internet search integration.
+
+Search integration includes both using Search Provider (Japanese Microsoft IME) and performing Bing search from predictive input for Japanese Microsoft IME.
+
+If you enable this policy setting, you cannot use search integration.
+
+If you disable or do not configure this policy setting, the search integration function can be used by default.
+
+This policy setting applies to Japanese Microsoft IME.
+
+> [!NOTE]
+> Changes to this setting will not take effect until the user logs off.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Turn off Internet search integration*
+-   GP name: *L_TurnOffInternetSearchIntegration*
+-   GP path: *Windows Components\IME*
+-   GP ADMX file name: *EAIME.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-eaime-l-turnoffopenextendeddictionary"></a>**ADMX_EAIME/L_TurnOffOpenExtendedDictionary**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off Open Extended Dictionary.
+
+If you enable this policy setting, Open Extended Dictionary is turned off. You cannot add a new Open Extended Dictionary.
+
+For Japanese Microsoft IME, an Open Extended Dictionary that is added before enabling this policy setting is not used for conversion.
+
+If you disable or do not configure this policy setting, Open Extended Dictionary can be added and used by default.
+
+This policy setting is applied to Japanese Microsoft IME.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Turn off Open Extended Dictionary*
+-   GP name: *L_TurnOffOpenExtendedDictionary*
+-   GP path: *Windows Components\IME*
+-   GP ADMX file name: *EAIME.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-eaime-l-turnoffsavingautotuningdatatofile"></a>**ADMX_EAIME/L_TurnOffSavingAutoTuningDataToFile**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off saving the auto-tuning result to file.
+
+If you enable this policy setting, the auto-tuning data is not saved to file.
+
+If you disable or do not configure this policy setting, auto-tuning data is saved to file by default.
+
+This policy setting applies to Japanese Microsoft IME only.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Turn off saving auto-tuning data to file*
+-   GP name: *L_TurnOffSavingAutoTuningDataToFile*
+-   GP path: *Windows Components\IME*
+-   GP ADMX file name: *EAIME.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-eaime-l-turnoncloudcandidate"></a>**ADMX_EAIME/L_TurnOnCloudCandidate**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls the cloud candidates feature, which uses an online service to provide input suggestions that don't exist in a PC's local dictionary.
+
+If you enable this policy setting, the functionality associated with this feature is turned on, the user's keyboard input is sent to Microsoft to generate the suggestions, and the user won't be able to turn it off.
+
+If you disable this policy setting, the functionality associated with this feature is turned off, and the user won't be able to turn it on.
+
+If you don't configure this policy setting, it will be turned off by default, and the user can turn on and turn off the cloud candidates feature.
+
+This Policy setting applies to Microsoft CHS Pinyin IME and JPN IME.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Turn on cloud candidate*
+-   GP name: *L_TurnOnCloudCandidate*
+-   GP path: *Windows Components\IME*
+-   GP ADMX file name: *EAIME.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-eaime-l-turnoncloudcandidatechs"></a>**ADMX_EAIME/L_TurnOnCloudCandidateCHS**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls the cloud candidates feature, which uses an online service to provide input suggestions that don't exist in a PC's local dictionary.
+
+If you enable this policy setting, the functionality associated with this feature is turned on, the user's keyboard input is sent to Microsoft to generate the suggestions, and the user won't be able to turn it off.
+
+If you disable this policy setting, the functionality associated with this feature is turned off, and the user won't be able to turn it on.
+
+If you don't configure this policy setting, it will be turned off by default, and the user can turn on and turn off the cloud candidates feature.
+
+This Policy setting applies only to Microsoft CHS Pinyin IME.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Turn on cloud candidate for CHS*
+-   GP name: *L_TurnOnCloudCandidateCHS*
+-   GP path: *Windows Components\IME*
+-   GP ADMX file name: *EAIME.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-eaime-l-turnonlexiconupdate"></a>**ADMX_EAIME/L_TurnOnLexiconUpdate**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls the lexicon update feature, which downloads hot and popular words lexicon to local PC.
+
+If you enable this policy setting, the functionality associated with this feature is turned on, hot and popular words lexicon can be downloaded to local PC, the user is able to turn it on or off in settings.
+
+If you disable this policy setting, the functionality associated with this feature is turned off, and the user won't be able to turn it on.
+
+If you don't configure this policy setting, it will be turned on by default, and the user can turn on and turn off the lexicon update feature.
+
+This Policy setting applies only to Microsoft CHS Pinyin IME.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Turn on lexicon update*
+-   GP name: *L_TurnOnLexiconUpdate*
+-   GP path: *Windows Components\IME*
+-   GP ADMX file name: *EAIME.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-eaime-l-turnonlivestickers"></a>**ADMX_EAIME/L_TurnOnLiveStickers**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls the live sticker feature, which uses an online service to provide stickers online.
+
+If you enable this policy setting, the functionality associated with this feature is turned on, the user's keyboard input is sent to Microsoft to generate the live stickers, and the user won't be able to turn it off.
+
+If you disable this policy setting, the functionality associated with this feature is turned off, and the user won't be able to turn it on.
+
+If you don't configure this policy setting, it will be turned off by default, and the user can turn on and turn off the live sticker feature.
+
+This Policy setting applies only to Microsoft CHS Pinyin IME.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Turn on Live Sticker*
+-   GP name: *L_TurnOnLiveStickers*
+-   GP path: *Windows Components\IME*
+-   GP ADMX file name: *EAIME.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-eaime-l-turnonmisconversionloggingformisconversionreport"></a>**ADMX_EAIME/L_TurnOnMisconversionLoggingForMisconversionReport**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn on logging of misconversion for the misconversion report.
+
+If you enable this policy setting, misconversion logging is turned on.
+
+If you disable or do not configure this policy setting, misconversion logging is turned off.
+
+This policy setting applies to Japanese Microsoft IME and Traditional Chinese IME.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Turn on misconversion logging for misconversion report*
+-   GP name: *L_TurnOnMisconversionLoggingForMisconversionReport*
+-   GP path: *Windows Components\IME*
+-   GP ADMX file name: *EAIME.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
+
+<!--/Policies-->
+

windows/client-management/mdm/policy-csp-admx-enhancedstorage.md

@@ -0,0 +1,476 @@
+---
+title: Policy CSP - ADMX_EnhancedStorage
+description: Policy CSP - ADMX_EnhancedStorage
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 11/23/2020
+ms.reviewer: 
+manager: dansimp
+---
+
+# Policy CSP - ADMX_EnhancedStorage
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+<hr/>
+
+<!--Policies-->
+## ADMX_EnhancedStorage policies  
+
+<dl>
+  <dd>
+    <a href="#admx-enhancedstorage-approvedenstordevices">ADMX_EnhancedStorage/ApprovedEnStorDevices</a>
+  </dd>
+  <dd>
+    <a href="#admx-enhancedstorage-approvedsilos">ADMX_EnhancedStorage/ApprovedSilos</a>
+  </dd>
+  <dd>
+    <a href="#admx-enhancedstorage-disablepasswordauthentication">ADMX_EnhancedStorage/DisablePasswordAuthentication</a>
+  </dd>
+  <dd>
+    <a href="#admx-enhancedstorage-disallowlegacydiskdevices">ADMX_EnhancedStorage/DisallowLegacyDiskDevices</a>
+  </dd>
+  <dd>
+    <a href="#admx-enhancedstorage-lockdeviceonmachinelock">ADMX_EnhancedStorage/LockDeviceOnMachineLock</a>
+  </dd>
+  <dd>
+    <a href="#admx-enhancedstorage-roothubconnectedenstordevices">ADMX_EnhancedStorage/RootHubConnectedEnStorDevices</a>
+  </dd>
+</dl>
+
+
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-enhancedstorage-approvedenstordevices"></a>**ADMX_EnhancedStorage/ApprovedEnStorDevices**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure a list of Enhanced Storage devices by manufacturer and product ID that are usable on your computer.
+
+If you enable this policy setting, only Enhanced Storage devices that contain a manufacturer and product ID specified in this policy are usable on your computer.
+
+If you disable or do not configure this policy setting, all Enhanced Storage devices are usable on your computer.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Configure list of Enhanced Storage devices usable on your computer*
+-   GP name: *ApprovedEnStorDevices*
+-   GP path: *System\Enhanced Storage Access*
+-   GP ADMX file name: *EnhancedStorage.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-enhancedstorage-approvedsilos"></a>**ADMX_EnhancedStorage/ApprovedSilos**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to create a list of IEEE 1667 silos, compliant with the Institute of Electrical and Electronics Engineers, Inc. (IEEE) 1667 specification, that are usable on your computer.
+
+If you enable this policy setting, only IEEE 1667 silos that match a silo type identifier specified in this policy are usable on your computer.
+
+If you disable or do not configure this policy setting, all IEEE 1667 silos on Enhanced Storage devices are usable on your computer.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Configure list of IEEE 1667 silos usable on your computer*
+-   GP name: *ApprovedSilos*
+-   GP path: *System\Enhanced Storage Access*
+-   GP ADMX file name: *EnhancedStorage.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-enhancedstorage-disablepasswordauthentication"></a>**ADMX_EnhancedStorage/DisablePasswordAuthentication**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures whether or not a password can be used to unlock an Enhanced Storage device.
+
+If you enable this policy setting, a password cannot be used to unlock an Enhanced Storage device.
+
+If you disable or do not configure this policy setting, a password can be used to unlock an Enhanced Storage device.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Do not allow password authentication of Enhanced Storage devices*
+-   GP name: *DisablePasswordAuthentication*
+-   GP path: *System\Enhanced Storage Access*
+-   GP ADMX file name: *EnhancedStorage.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-enhancedstorage-disallowlegacydiskdevices"></a>**ADMX_EnhancedStorage/DisallowLegacyDiskDevices**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures whether or not non-Enhanced Storage removable devices are allowed on your computer.
+
+If you enable this policy setting, non-Enhanced Storage removable devices are not allowed on your computer.
+
+If you disable or do not configure this policy setting, non-Enhanced Storage removable devices are allowed on your computer.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Do not allow non-Enhanced Storage removable devices*
+-   GP name: *DisallowLegacyDiskDevices*
+-   GP path: *System\Enhanced Storage Access*
+-   GP ADMX file name: *EnhancedStorage.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-enhancedstorage-lockdeviceonmachinelock"></a>**ADMX_EnhancedStorage/LockDeviceOnMachineLock**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This policy setting locks Enhanced Storage devices when the computer is locked.
+
+This policy setting is supported in Windows Server SKUs only.
+
+If you enable this policy setting, the Enhanced Storage device remains locked when the computer is locked.
+
+If you disable or do not configure this policy setting, the Enhanced Storage device state is not changed when the computer is locked.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Lock Enhanced Storage when the computer is locked*
+-   GP name: *LockDeviceOnMachineLock*
+-   GP path: *System\Enhanced Storage Access*
+-   GP ADMX file name: *EnhancedStorage.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-enhancedstorage-roothubconnectedenstordevices"></a>**ADMX_EnhancedStorage/RootHubConnectedEnStorDevices**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures whether or not only USB root hub connected Enhanced Storage devices are allowed. Allowing only root hub connected Enhanced Storage devices minimizes the risk of an unauthorized USB device reading data on an Enhanced Storage device.
+
+If you enable this policy setting, only USB root hub connected Enhanced Storage devices are allowed.
+
+If you disable or do not configure this policy setting, USB Enhanced Storage devices connected to both USB root hubs and non-root hubs will be allowed.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Allow only USB root hub connected Enhanced Storage devices*
+-   GP name: *RootHubConnectedEnStorDevices*
+-   GP path: *System\Enhanced Storage Access*
+-   GP ADMX file name: *EnhancedStorage.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
+
+<!--/Policies-->
+

windows/client-management/mdm/policy-csp-admx-kerberos.md

@@ -0,0 +1,641 @@
+---
+title: Policy CSP - ADMX_Kerberos
+description: Policy CSP - ADMX_Kerberos
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 11/12/2020
+ms.reviewer: 
+manager: dansimp
+---
+
+# Policy CSP - ADMX_Kerberos
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+<hr/>
+
+<!--Policies-->
+## ADMX_Kerberos policies  
+
+<dl>
+  <dd>
+    <a href="#admx-kerberos-alwayssendcompoundid">ADMX_Kerberos/AlwaysSendCompoundId</a>
+  </dd>
+  <dd>
+    <a href="#admx-kerberos-devicepkinitenabled">ADMX_Kerberos/DevicePKInitEnabled</a>
+  </dd>
+  <dd>
+    <a href="#admx-kerberos-hosttorealm">ADMX_Kerberos/HostToRealm</a>
+  </dd>
+  <dd>
+    <a href="#admx-kerberos-kdcproxydisableserverrevocationcheck">ADMX_Kerberos/KdcProxyDisableServerRevocationCheck</a>
+  </dd>
+  <dd>
+    <a href="#admx-kerberos-kdcproxyserver">ADMX_Kerberos/KdcProxyServer</a>
+  </dd>
+  <dd>
+    <a href="#admx-kerberos-mitrealms">ADMX_Kerberos/MitRealms</a>
+  </dd>
+  <dd>
+    <a href="#admx-kerberos-serveracceptscompound">ADMX_Kerberos/ServerAcceptsCompound</a>
+  </dd>
+  <dd>
+    <a href="#admx-kerberos-stricttarget">ADMX_Kerberos/StrictTarget</a>
+  </dd>
+</dl>
+
+
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-kerberos-alwayssendcompoundid"></a>**ADMX_Kerberos/AlwaysSendCompoundId**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether a device always sends a compound authentication request when the resource domain requests compound identity.
+
+> [!NOTE]
+> For a domain controller to request compound authentication, the policies "KDC support for claims, compound authentication, and Kerberos armoring" and "Request compound authentication" must be configured and enabled in the resource account domain. 
+
+If you enable this policy setting and the resource domain requests compound authentication, devices that support compound authentication always send a compound authentication request. 
+
+If you disable or do not configure this policy setting and the resource domain requests compound authentication, devices will send a non-compounded authentication request first then a compound authentication request when the service requests compound authentication.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Always send compound authentication first*
+-   GP name: *AlwaysSendCompoundId*
+-   GP path: *System\Kerberos*
+-   GP ADMX file name: *Kerberos.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-kerberos-devicepkinitenabled"></a>**ADMX_Kerberos/DevicePKInitEnabled**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. Support for device authentication using certificate will require connectivity to a DC in the device account domain which supports certificate authentication for computer accounts.
+
+This policy setting allows you to set support for Kerberos to attempt authentication using the certificate for the device to the domain.
+
+If you enable this policy setting, the device's credentials will be selected based on the following options:
+
+- Automatic: Device will attempt to authenticate using its certificate. If the DC does not support computer account authentication using certificates then authentication with password will be attempted.
+- Force: Device will always authenticate using its certificate. If a DC cannot be found which support computer account authentication using certificates then authentication will fail.
+
+If you disable this policy setting, certificates will never be used.
+
+If you do not configure this policy setting, Automatic will be used.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Support device authentication using certificate*
+-   GP name: *DevicePKInitEnabled*
+-   GP path: *System\Kerberos*
+-   GP ADMX file name: *Kerberos.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-kerberos-hosttorealm"></a>**ADMX_Kerberos/HostToRealm**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify which DNS host names and which DNS suffixes are mapped to a Kerberos realm.
+
+If you enable this policy setting, you can view and change the list of DNS host names and DNS suffixes mapped to a Kerberos realm as defined by Group Policy. To view the list of mappings, enable the policy setting and then click the Show button. To add a mapping, enable the policy setting, note the syntax, and then click Show. In the Show Contents dialog box in the Value Name column, type a realm name. In the Value column, type the list of DNS host names and DNS suffixes using the appropriate syntax format. To remove a mapping from the list, click the mapping entry to be removed, and then press the DELETE key. To edit a mapping, remove the current entry from the list and add a new one with different parameters.
+
+If you disable this policy setting, the host name-to-Kerberos realm mappings list defined by Group Policy is deleted.
+
+If you do not configure this policy setting, the system uses the host name-to-Kerberos realm mappings that are defined in the local registry, if they exist.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Define host name-to-Kerberos realm mappings*
+-   GP name: *HostToRealm*
+-   GP path: *System\Kerberos*
+-   GP ADMX file name: *Kerberos.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-kerberos-kdcproxydisableserverrevocationcheck"></a>**ADMX_Kerberos/KdcProxyDisableServerRevocationCheck**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to disable revocation check for the SSL certificate of the targeted KDC proxy server.
+
+If you enable this policy setting, revocation check for the SSL certificate of the KDC proxy server is ignored by the Kerberos client. This policy setting should only be used in troubleshooting KDC proxy connections. 
+Warning: When revocation check is ignored, the server represented by the certificate is not guaranteed valid. 
+
+If you disable or do not configure this policy setting, the Kerberos client enforces the revocation check for the SSL certificate. The connection to the KDC proxy server is not established if the revocation check fails.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Disable revocation checking for the SSL certificate of KDC proxy servers*
+-   GP name: *KdcProxyDisableServerRevocationCheck*
+-   GP path: *System\Kerberos*
+-   GP ADMX file name: *Kerberos.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-kerberos-kdcproxyserver"></a>**ADMX_Kerberos/KdcProxyServer**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the Kerberos client's mapping to KDC proxy servers for domains based on their DNS suffix names.
+
+If you enable this policy setting, the Kerberos client will use the KDC proxy server for a domain when a domain controller cannot be located based on the configured mappings. To map a KDC proxy server to a domain, enable the policy setting, click Show, and then map the KDC proxy server name(s) to the DNS name for the domain using the syntax described in the options pane. In the Show Contents dialog box in the Value Name column, type a DNS suffix name. In the Value column, type the list of proxy servers using the appropriate syntax format. To view the list of mappings, enable the policy setting and then click the Show button. To remove a mapping from the list, click the mapping entry to be removed, and then press the DELETE key. To edit a mapping, remove the current entry from the list and add a new one with different parameters.
+
+If you disable or do not configure this policy setting, the Kerberos client does not have KDC proxy servers settings defined by Group Policy.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Specify KDC proxy servers for Kerberos clients*
+-   GP name: *KdcProxyServer*
+-   GP path: *System\Kerberos*
+-   GP ADMX file name: *Kerberos.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-kerberos-mitrealms"></a>**ADMX_Kerberos/MitRealms**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the Kerberos client so that it can authenticate with interoperable Kerberos V5 realms, as defined by this policy setting.
+
+If you enable this policy setting, you can view and change the list of interoperable Kerberos V5 realms and their settings. To view the list of interoperable Kerberos V5 realms, enable the policy setting and then click the Show button. To add an interoperable Kerberos V5 realm, enable the policy setting, note the syntax, and then click Show. In the Show Contents dialog box in the Value Name column, type the interoperable Kerberos V5 realm name. In the Value column, type the realm flags and host names of the host KDCs using the appropriate syntax format. To remove an interoperable Kerberos V5 realm Value Name or Value entry from the list, click the entry, and then press the DELETE key. To edit a mapping, remove the current entry from the list and add a new one with different parameters.
+
+If you disable this policy setting, the interoperable Kerberos V5 realm settings defined by Group Policy are deleted.
+
+If you do not configure this policy setting, the system uses the interoperable Kerberos V5 realm settings that are defined in the local registry, if they exist.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Define interoperable Kerberos V5 realm settings*
+-   GP name: *MitRealms*
+-   GP path: *System\Kerberos*
+-   GP ADMX file name: *Kerberos.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-kerberos-serveracceptscompound"></a>**ADMX_Kerberos/ServerAcceptsCompound**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls configuring the device's Active Directory account for compound authentication.
+
+Support for providing compound authentication which is used for access control will require enough domain controllers in the resource account domains to support the requests. The Domain Administrator must configure the policy "Support Dynamic Access Control and Kerberos armoring" on all the domain controllers to support this policy.
+
+If you enable this policy setting, the device's Active Directory account will be configured for compound authentication by the following options:
+
+- Never: Compound authentication is never provided for this computer account.
+- Automatic: Compound authentication is provided for this computer account when one or more applications are configured for Dynamic Access Control.
+- Always: Compound authentication is always provided for this computer account.
+
+If you disable this policy setting, Never will be used.
+
+If you do not configure this policy setting, Automatic will be used.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Support compound authentication*
+-   GP name: *ServerAcceptsCompound*
+-   GP path: *System\Kerberos*
+-   GP ADMX file name: *Kerberos.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-kerberos-stricttarget"></a>**ADMX_Kerberos/StrictTarget**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure this server so that Kerberos can decrypt a ticket that contains this system-generated SPN. When an application attempts to make a remote procedure call (RPC) to this server with a NULL value for the service principal name (SPN), computers running Windows 7 or later attempt to use Kerberos by generating an SPN.
+
+If you enable this policy setting, only services running as LocalSystem or NetworkService are allowed to accept these connections. Services running as identities different from LocalSystem or NetworkService might fail to authenticate.
+
+If you disable or do not configure this policy setting, any service is allowed to accept incoming connections by using this system-generated SPN.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Require strict target SPN match on remote procedure calls*
+-   GP name: *StrictTarget*
+-   GP path: *System\Kerberos*
+-   GP ADMX file name: *Kerberos.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
+
+<!--/Policies-->
+

windows/client-management/mdm/policy-csp-admx-programs.md

@@ -0,0 +1,568 @@
+---
+title: Policy CSP - ADMX_Programs
+description: Policy CSP - ADMX_Programs
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 12/01/2020
+ms.reviewer: 
+manager: dansimp
+---
+
+# Policy CSP - ADMX_Programs
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+<hr/>
+
+<!--Policies-->
+## ADMX_Programs policies  
+
+<dl>
+  <dd>
+    <a href="#admx-programs-nodefaultprograms">ADMX_Programs/NoDefaultPrograms</a>
+  </dd>
+  <dd>
+    <a href="#admx-programs-nogetprograms">ADMX_Programs/NoGetPrograms</a>
+  </dd>
+  <dd>
+    <a href="#admx-programs-noinstalledupdates">ADMX_Programs/NoInstalledUpdates</a>
+  </dd>
+  <dd>
+    <a href="#admx-programs-noprogramsandfeatures">ADMX_Programs/NoProgramsAndFeatures</a>
+  </dd>
+  <dd>
+    <a href="#admx-programs-noprogramscpl">ADMX_Programs/NoProgramsCPL</a>
+  </dd>
+  <dd>
+    <a href="#admx-programs-nowindowsfeatures">ADMX_Programs/NoWindowsFeatures</a>
+  </dd>
+  <dd>
+    <a href="#admx-programs-nowindowsmarketplace">ADMX_Programs/NoWindowsMarketplace</a>
+  </dd>
+</dl>
+
+
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-programs-nodefaultprograms"></a>**ADMX_Programs/NoDefaultPrograms**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This setting removes the Set Program Access and Defaults page from the Programs Control Panel. As a result, users cannot view or change the associated page.
+
+The Set Program Access and Computer Defaults page allows administrators to specify default programs for certain activities, such as Web browsing or sending e-mail, as well as specify the programs that are accessible from the Start menu, desktop, and other locations.
+
+If this setting is disabled or not configured, the Set Program Access and Defaults button is available to all users.
+
+This setting does not prevent users from using other tools and methods to change program access or defaults.
+
+This setting does not prevent the Default Programs icon from appearing on the Start menu.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Hide "Set Program Access and Computer Defaults" page*
+-   GP name: *NoDefaultPrograms*
+-   GP path: *Control Panel\Programs*
+-   GP ADMX file name: *Programs.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-programs-nogetprograms"></a>**ADMX_Programs/NoGetPrograms**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. Prevents users from viewing or installing published programs from the network.  
+
+This setting prevents users from accessing the "Get Programs" page from the Programs Control Panel in Category View, Programs and Features in Classic View and the "Install a program from the network" task. The "Get Programs" page lists published programs and provides an easy way to install them.
+
+Published programs are those programs that the system administrator has explicitly made available to the user with a tool such as Windows Installer. Typically, system administrators publish programs to notify users of their availability, to recommend their use, or to enable users to install them without having to search for installation files.
+
+If this setting is enabled, users cannot view the programs that have been published by the system administrator, and they cannot use the "Get Programs" page to install published programs.  Enabling this feature does not prevent users from installing programs by using other methods.  Users will still be able to view and installed assigned (partially installed) programs that are offered on the desktop or on the Start menu.
+
+If this setting is disabled or is not configured, the "Install a program from the network" task to the "Get Programs" page will be available to all users.
+
+> [!NOTE]
+> If the "Hide Programs Control Panel" setting is enabled, this setting is ignored.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Hide "Get Programs" page*
+-   GP name: *NoGetPrograms*
+-   GP path: *Control Panel\Programs*
+-   GP ADMX file name: *Programs.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-programs-noinstalledupdates"></a>**ADMX_Programs/NoInstalledUpdates**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This setting prevents users from accessing "Installed Updates" page from the "View installed updates" task.
+
+"Installed Updates" allows users to view and uninstall updates currently installed on the computer. The updates are often downloaded directly from Windows Update or from various program publishers.
+
+If this setting is disabled or not configured, the "View installed updates" task and the "Installed Updates" page will be available to all users.
+
+This setting does not prevent users from using other tools and methods to install or uninstall programs.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Hide "Installed Updates" page*
+-   GP name: *NoInstalledUpdates*
+-   GP path: *Control Panel\Programs*
+-   GP ADMX file name: *Programs.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-programs-noprogramsandfeatures"></a>**ADMX_Programs/NoProgramsAndFeatures**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This setting prevents users from accessing "Programs and Features" to view, uninstall, change, or repair programs that are currently installed on the computer.
+
+If this setting is disabled or not configured, "Programs and Features" will be available to all users.
+
+This setting does not prevent users from using other tools and methods to view or uninstall programs.  It also does not prevent users from linking to related Programs Control Panel Features including Windows Features, Get Programs, or Windows Marketplace.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Hide "Programs and Features" page*
+-   GP name: *NoProgramsAndFeatures*
+-   GP path: *Control Panel\Programs*
+-   GP ADMX file name: *Programs.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-programs-noprogramscpl"></a>**ADMX_Programs/NoProgramsCPL**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This setting prevents users from using the Programs Control Panel in Category View and Programs and Features in Classic View.
+ 
+The Programs Control Panel allows users to uninstall, change, and repair programs, enable and disable Windows Features, set program defaults, view installed updates, and purchase software from Windows Marketplace. Programs published or assigned to the user by the system administrator also appear in the Programs Control Panel.
+
+If this setting is disabled or not configured, the Programs Control Panel in Category View and Programs and Features in Classic View will be available to all users.
+
+When enabled, this setting takes precedence over the other settings in this folder.
+
+This setting does not prevent users from using other tools and methods to install or uninstall programs.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Hide the Programs Control Panel*
+-   GP name: *NoProgramsCPL*
+-   GP path: *Control Panel\Programs*
+-   GP ADMX file name: *Programs.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-programs-nowindowsfeatures"></a>**ADMX_Programs/NoWindowsFeatures**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This setting prevents users from accessing the "Turn Windows features on or off" task from the Programs Control Panel in Category View, Programs and Features in Classic View, and Get Programs. As a result, users cannot view, enable, or disable various Windows features and services.
+
+If this setting is disabled or is not configured, the "Turn Windows features on or off" task will be available to all users.
+
+This setting does not prevent users from using other tools and methods to configure services or enable or disable program components.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Hide "Windows Features"*
+-   GP name: *NoWindowsFeatures*
+-   GP path: *Control Panel\Programs*
+-   GP ADMX file name: *Programs.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-programs-nowindowsmarketplace"></a>**ADMX_Programs/NoWindowsMarketplace**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This setting prevents users from access the "Get new programs from Windows Marketplace" task from the Programs Control Panel in Category View, Programs and Features in Classic View, and Get Programs.
+
+Windows Marketplace allows users to purchase and/or download various programs to their computer for installation.
+
+Enabling this feature does not prevent users from navigating to Windows Marketplace using other methods. 
+
+If this feature is disabled or is not configured, the "Get new programs from Windows Marketplace" task link will be available to all users.
+
+> [!NOTE]
+> If the "Hide Programs control Panel" setting is enabled, this setting is ignored.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Hide "Windows Marketplace"*
+-   GP name: *NoWindowsMarketplace*
+-   GP path: *Control Panel\Programs*
+-   GP ADMX file name: *Programs.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
+
+<!--/Policies-->
+

windows/client-management/mdm/policy-csp-admx-settingsync.md

@@ -0,0 +1,706 @@
+---
+title: Policy CSP - ADMX_SettingSync
+description: Policy CSP - ADMX_SettingSync
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 12/01/2020
+ms.reviewer: 
+manager: dansimp
+---
+
+# Policy CSP - ADMX_SettingSync
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+<hr/>
+
+<!--Policies-->
+## ADMX_SettingSync policies  
+
+<dl>
+  <dd>
+    <a href="#admx-settingsync-disableappsyncsettingsync">ADMX_SettingSync/DisableAppSyncSettingSync</a>
+  </dd>
+  <dd>
+    <a href="#admx-settingsync-disableapplicationsettingsync">ADMX_SettingSync/DisableApplicationSettingSync</a>
+  </dd>
+  <dd>
+    <a href="#admx-settingsync-disablecredentialssettingsync">ADMX_SettingSync/DisableCredentialsSettingSync</a>
+  </dd>
+  <dd>
+    <a href="#admx-settingsync-disabledesktopthemesettingsync">ADMX_SettingSync/DisableDesktopThemeSettingSync</a>
+  </dd>
+  <dd>
+    <a href="#admx-settingsync-disablepersonalizationsettingsync">ADMX_SettingSync/DisablePersonalizationSettingSync</a>
+  </dd>
+  <dd>
+    <a href="#admx-settingsync-disablesettingsync">ADMX_SettingSync/DisableSettingSync</a>
+  </dd>
+  <dd>
+    <a href="#admx-settingsync-disablestartlayoutsettingsync">ADMX_SettingSync/DisableStartLayoutSettingSync</a>
+  </dd>
+  <dd>
+    <a href="#admx-settingsync-disablesynconpaidnetwork">ADMX_SettingSync/DisableSyncOnPaidNetwork</a>
+  </dd>
+  <dd>
+    <a href="#admx-settingsync-disablewindowssettingsync">ADMX_SettingSync/DisableWindowsSettingSync</a>
+  </dd>
+</dl>
+
+
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-settingsync-disableappsyncsettingsync"></a>**ADMX_SettingSync/DisableAppSyncSettingSync**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. Prevent the "AppSync" group from syncing to and from this PC. This turns off and disables the "AppSync" group on the "sync your settings" page in PC settings.
+
+If you enable this policy setting, the "AppSync" group will not be synced.
+
+Use the option "Allow users to turn app syncing on" so that syncing it turned off by default but not disabled.
+
+If you do not set or disable this setting, syncing of the "AppSync" group is on by default and configurable by the user.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Do not sync Apps*
+-   GP name: *DisableAppSyncSettingSync*
+-   GP path: *Windows Components\Sync your settings*
+-   GP ADMX file name: *SettingSync.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-settingsync-disableapplicationsettingsync"></a>**ADMX_SettingSync/DisableApplicationSettingSync**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. Prevent the "app settings" group from syncing to and from this PC. This turns off and disables the "app settings" group on the "sync your settings" page in PC settings.
+
+If you enable this policy setting, the "app settings" group will not be synced.
+
+Use the option "Allow users to turn app settings syncing on" so that syncing it turned off by default but not disabled.
+
+If you do not set or disable this setting, syncing of the "app settings" group is on by default and configurable by the user.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Do not sync app settings*
+-   GP name: *DisableApplicationSettingSync*
+-   GP path: *Windows Components\Sync your settings*
+-   GP ADMX file name: *SettingSync.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-settingsync-disablecredentialssettingsync"></a>**ADMX_SettingSync/DisableCredentialsSettingSync**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. Prevent the "passwords" group from syncing to and from this PC. This turns off and disables the "passwords" group on the "sync your settings" page in PC settings.
+
+If you enable this policy setting, the "passwords" group will not be synced.
+
+Use the option "Allow users to turn passwords syncing on" so that syncing it turned off by default but not disabled.
+
+If you do not set or disable this setting, syncing of the "passwords" group is on by default and configurable by the user.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Do not sync passwords*
+-   GP name: *DisableCredentialsSettingSync*
+-   GP path: *Windows Components\Sync your settings*
+-   GP ADMX file name: *SettingSync.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-settingsync-disabledesktopthemesettingsync"></a>**ADMX_SettingSync/DisableDesktopThemeSettingSync**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. Prevent the "desktop personalization" group from syncing to and from this PC. This turns off and disables the "desktop personalization" group on the "sync your settings" page in PC settings.
+
+If you enable this policy setting, the "desktop personalization" group will not be synced.
+
+Use the option "Allow users to turn desktop personalization syncing on" so that syncing it turned off by default but not disabled.
+
+If you do not set or disable this setting, syncing of the "desktop personalization" group is on by default and configurable by the user.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Do not sync desktop personalization*
+-   GP name: *DisableDesktopThemeSettingSync*
+-   GP path: *Windows Components\Sync your settings*
+-   GP ADMX file name: *SettingSync.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-settingsync-disablepersonalizationsettingsync"></a>**ADMX_SettingSync/DisablePersonalizationSettingSync**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. Prevent the "personalize" group from syncing to and from this PC. This turns off and disables the "personalize" group on the "sync your settings" page in PC settings.
+
+If you enable this policy setting, the "personalize" group will not be synced.
+
+Use the option "Allow users to turn personalize syncing on" so that syncing it turned off by default but not disabled.
+
+If you do not set or disable this setting, syncing of the "personalize" group is on by default and configurable by the user.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Do not sync personalize*
+-   GP name: *DisablePersonalizationSettingSync*
+-   GP path: *Windows Components\Sync your settings*
+-   GP ADMX file name: *SettingSync.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-settingsync-disablesettingsync"></a>**ADMX_SettingSync/DisableSettingSync**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. Prevent syncing to and from this PC. This turns off and disables the "sync your settings" switch on the "sync your settings" page in PC Settings.
+
+If you enable this policy setting, "sync your settings" will be turned off, and none of the "sync your setting" groups will be synced on this PC.
+
+Use the option "Allow users to turn syncing on" so that syncing it turned off by default but not disabled.
+
+If you do not set or disable this setting, "sync your settings" is on by default and configurable by the user.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Do not sync*
+-   GP name: *DisableSettingSync*
+-   GP path: *Windows Components\Sync your settings*
+-   GP ADMX file name: *SettingSync.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-settingsync-disablestartlayoutsettingsync"></a>**ADMX_SettingSync/DisableStartLayoutSettingSync**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. Prevent the "Start layout" group from syncing to and from this PC. This turns off and disables the "Start layout" group on the "sync your settings" page in PC settings.
+
+If you enable this policy setting, the "Start layout" group will not be synced.
+
+Use the option "Allow users to turn start syncing on" so that syncing is turned off by default but not disabled.
+
+If you do not set or disable this setting, syncing of the "Start layout" group is on by default and configurable by the user.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Do not sync start settings*
+-   GP name: *DisableStartLayoutSettingSync*
+-   GP path: *Windows Components\Sync your settings*
+-   GP ADMX file name: *SettingSync.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-settingsync-disablesynconpaidnetwork"></a>**ADMX_SettingSync/DisableSyncOnPaidNetwork**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. Prevent syncing to and from this PC when on metered Internet connections. This turns off and disables "sync your settings on metered connections" switch on the "sync your settings" page in PC Settings.
+
+If you enable this policy setting, syncing on metered connections will be turned off, and no syncing will take place when this PC is on a metered connection.
+
+If you do not set or disable this setting, syncing on metered connections is configurable by the user.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Do not sync on metered connections*
+-   GP name: *DisableSyncOnPaidNetwork*
+-   GP path: *Windows Components\Sync your settings*
+-   GP ADMX file name: *SettingSync.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-settingsync-disablewindowssettingsync"></a>**ADMX_SettingSync/DisableWindowsSettingSync**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. Prevent the "Other Windows settings" group from syncing to and from this PC.  This turns off and disables the "Other Windows settings" group on the "sync your settings" page in PC settings.
+
+If you enable this policy setting, the "Other Windows settings" group will not be synced.
+
+Use the option "Allow users to turn other Windows settings syncing on" so that syncing it turned off by default but not disabled.
+
+If you do not set or disable this setting, syncing of the "Other Windows settings" group is on by default and configurable by the user.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Do not sync other Windows settings*
+-   GP name: *DisableWindowsSettingSync*
+-   GP path: *Windows Components\Sync your settings*
+-   GP ADMX file name: *SettingSync.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
+
+<!--/Policies-->
+

windows/client-management/mdm/policy-csp-admx-systemrestore.md

@@ -0,0 +1,120 @@
+---
+title: Policy CSP - ADMX_SystemRestore
+description: Policy CSP - ADMX_SystemRestore
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 11/13/2020
+ms.reviewer: 
+manager: dansimp
+---
+
+# Policy CSP - ADMX_SystemRestore
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+<hr/>
+
+<!--Policies-->
+## ADMX_SystemRestore policies  
+
+<dl>
+  <dd>
+    <a href="#admx-systemrestore-sr-disableconfig">ADMX_SystemRestore/SR_DisableConfig</a>
+  </dd>
+</dl>
+
+
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-systemrestore-sr-disableconfig"></a>**ADMX_SystemRestore/SR_DisableConfig**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in Windows 10 Insider Preview Build 20185. Allows you to disable System Restore configuration through System Protection.
+
+This policy setting allows you to turn off System Restore configuration through System Protection.
+
+System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. The behavior of this policy setting depends on the "Turn off System Restore" policy setting.
+
+If you enable this policy setting, the option to configure System Restore through System Protection is disabled.
+
+If you disable or do not configure this policy setting, users can change the System Restore settings through System Protection.
+
+Also, see the "Turn off System Restore" policy setting. If the "Turn off System Restore" policy setting is enabled, the "Turn off System Restore configuration" policy setting is overwritten.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Turn off Configuration*
+-   GP name: *SR_DisableConfig*
+-   GP path: *System\System Restore*
+-   GP ADMX file name: *SystemRestore.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
+
+<!--/Policies-->
+

windows/client-management/mdm/policy-csp-admx-wpn.md

@@ -0,0 +1,489 @@
+---
+title: Policy CSP - ADMX_WPN
+description: Policy CSP - ADMX_WPN
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 11/13/2020
+ms.reviewer: 
+manager: dansimp
+---
+
+# Policy CSP - ADMX_WPN
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+<hr/>
+
+<!--Policies-->
+## ADMX_WPN policies  
+
+<dl>
+  <dd>
+    <a href="#admx-wpn-nocallsduringquiethours">ADMX_WPN/NoCallsDuringQuietHours</a>
+  </dd>
+  <dd>
+    <a href="#admx-wpn-nolockscreentoastnotification">ADMX_WPN/NoLockScreenToastNotification</a>
+  </dd>
+  <dd>
+    <a href="#admx-wpn-noquiethours">ADMX_WPN/NoQuietHours</a>
+  </dd>
+  <dd>
+    <a href="#admx-wpn-notoastnotification">ADMX_WPN/NoToastNotification</a>
+  </dd>
+  <dd>
+    <a href="#admx-wpn-quiethoursdailybeginminute">ADMX_WPN/QuietHoursDailyBeginMinute</a>
+  </dd>
+  <dd>
+    <a href="#admx-wpn-quiethoursdailyendminute">ADMX_WPN/QuietHoursDailyEndMinute</a>
+  </dd>
+</dl>
+
+
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-wpn-nocallsduringquiethours"></a>**ADMX_WPN/NoCallsDuringQuietHours**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This policy setting blocks voice and video calls during Quiet Hours.
+
+If you enable this policy setting, voice and video calls will be blocked during the designated Quiet Hours time window each day, and users will not be able to customize any other Quiet Hours settings.
+
+If you disable this policy setting, voice and video calls will be allowed during Quiet Hours, and users will not be able to customize this or any other Quiet Hours settings.
+
+If you do not configure this policy setting, voice and video calls will be allowed during Quiet Hours by default. Administrators and users will be able to modify this setting.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Turn off calls during Quiet Hours*
+-   GP name: *NoCallsDuringQuietHours*
+-   GP path: *Start Menu and Taskbar\Notifications*
+-   GP ADMX file name: *WPN.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-wpn-nolockscreentoastnotification"></a>**ADMX_WPN/NoLockScreenToastNotification**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This policy setting turns off toast notifications on the lock screen.
+
+If you enable this policy setting, applications will not be able to raise toast notifications on the lock screen.
+
+If you disable or do not configure this policy setting, toast notifications on the lock screen are enabled and can be turned off by the administrator or user.
+
+No reboots or service restarts are required for this policy setting to take effect.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Turn off toast notifications on the lock screen*
+-   GP name: *NoLockScreenToastNotification*
+-   GP path: *Start Menu and Taskbar\Notifications*
+-   GP ADMX file name: *WPN.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-wpn-noquiethours"></a>**ADMX_WPN/NoQuietHours**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This policy setting turns off Quiet Hours functionality.
+
+If you enable this policy setting, toast notifications will not be suppressed and some background tasks will not be deferred during the designated Quiet Hours time window each day.
+
+If you disable this policy setting, toast notifications will be suppressed and some background task deferred during the designated Quiet Hours time window. Users will not be able to change this or any other Quiet Hours settings.
+
+If you do not configure this policy setting, Quiet Hours are enabled by default but can be turned off or by the administrator or user.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Turn off Quiet Hours*
+-   GP name: *NoQuietHours*
+-   GP path: *Start Menu and Taskbar\Notifications*
+-   GP ADMX file name: *WPN.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-wpn-notoastnotification"></a>**ADMX_WPN/NoToastNotification**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This policy setting turns off toast notifications for applications.
+
+If you enable this policy setting, applications will not be able to raise toast notifications.
+
+Note that this policy does not affect taskbar notification balloons.
+
+Note that Windows system features are not affected by this policy.  You must enable/disable system features individually to stop their ability to raise toast notifications.
+
+If you disable or do not configure this policy setting, toast notifications are enabled and can be turned off by the administrator or user.
+
+No reboots or service restarts are required for this policy setting to take effect.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Turn off toast notifications*
+-   GP name: *NoToastNotification*
+-   GP path: *Start Menu and Taskbar\Notifications*
+-   GP ADMX file name: *WPN.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-wpn-quiethoursdailybeginminute"></a>**ADMX_WPN/QuietHoursDailyBeginMinute**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the number of minutes after midnight (local time) that Quiet Hours is to begin each day.
+
+If you enable this policy setting, the specified time will be used, and users will not be able to customize any Quiet Hours settings.
+
+If you disable this policy setting, a default value will be used, and users will not be able to change it or any other Quiet Hours setting.
+
+If you do not configure this policy setting, a default value will be used, which administrators and users will be able to modify.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Set the time Quiet Hours begins each day*
+-   GP name: *QuietHoursDailyBeginMinute*
+-   GP path: *Start Menu and Taskbar\Notifications*
+-   GP ADMX file name: *WPN.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="admx-wpn-quiethoursdailyendminute"></a>**ADMX_WPN/QuietHoursDailyEndMinute**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the number of minutes after midnight (local time) that Quiet Hours is to end each day.
+
+If you enable this policy setting, the specified time will be used, and users will not be able to customize any Quiet Hours settings.
+
+If you disable this policy setting, a default value will be used, and users will not be able to change it or any other Quiet Hours setting.
+
+If you do not configure this policy setting, a default value will be used, which administrators and users will be able to modify.
+
+<!--/Description-->
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> 
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+> 
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP English name: *Set the time Quiet Hours ends each day*
+-   GP name: *QuietHoursDailyEndMinute*
+-   GP path: *Start Menu and Taskbar\Notifications*
+-   GP ADMX file name: *WPN.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+<hr/>
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
+
+<!--/Policies-->

windows/client-management/troubleshoot-tcpip-netmon.md

@@ -19,7 +19,7 @@ In this topic, you will learn how to use Microsoft Network Monitor 3.4, which is
 > [!NOTE]
 > Network Monitor is the archived protocol analyzer and is no longer under development. **Microsoft Message Analyzer** is the replacement for Network Monitor. For more details, see [Microsoft Message Analyzer Operating Guide](https://docs.microsoft.com/message-analyzer/microsoft-message-analyzer-operating-guide).
 
-To get started, [download and run NM34_x64.exe](https://www.microsoft.com/download/details.aspx?id=4865). When you install Network Monitor, it installs its driver and hooks it to all the network adapters installed on the device. You can see the same on the adapter properties, as shown in the following image.
+To get started, [download Network Monitor tool](https://www.microsoft.com/download/details.aspx?id=4865). When you install Network Monitor, it installs its driver and hooks it to all the network adapters installed on the device. You can see the same on the adapter properties, as shown in the following image:
 
 ![Adapters](images/nm-adapters.png)
 

windows/deployment/update/waas-delivery-optimization.md

@@ -65,7 +65,7 @@ For information about setting up Delivery Optimization, including tips for the b
     - Office installations and updates
     - Xbox game pass games
     - MSIX apps (HTTP downloads only)
-
+    - Edge browser installations and updates
 
 ## Requirements
 

windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md

@@ -8,10 +8,10 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.localizationpriority: high
 audience: ITPro
-author: medgarmedgar
+author: robsize
 ms.author: dansimp
 manager: robsize
-ms.date: 3/25/2020
+ms.date: 12/1/2020
 ---
 
 # Manage connections from Windows 10 operating system components to Microsoft services using Microsoft Intune MDM Server

windows/privacy/manage-windows-1809-endpoints.md

@@ -15,6 +15,7 @@ ms.topic: article
 ms.date: 6/26/2018
 ms.reviewer: 
 ---
+
 # Manage connection endpoints for Windows 10 Enterprise, version 1809
 
 **Applies to**
@@ -53,7 +54,7 @@ The following endpoint is used to download updates to the Weather app Live Tile.
 If you [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), no Live Tiles will be updated.
 
 | Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
 | explorer       | HTTP     | tile-service.weather.microsoft.com  |
 |   | HTTP  | blob.weather.microsoft.com |
 
@@ -63,7 +64,7 @@ If you disable the Microsoft store, other Store apps cannot be installed or upda
 Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
 
 | Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
 |  | HTTPS   | cdn.onenote.net/livetile/?Language=en-US |
 
 The following endpoints are used for Twitter updates.
@@ -72,7 +73,7 @@ If you disable the Microsoft store, other Store apps cannot be installed or upda
 Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
 
 | Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
 |  | HTTPS   | wildcard.twimg.com |
 | svchost.exe |             | oem.twimg.com/windows/tile.xml |
 
@@ -82,7 +83,7 @@ If you disable the Microsoft store, other Store apps cannot be installed or upda
 Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
 
 | Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
 |  |    | star-mini.c10r.facebook.com |
 
 The following endpoint is used by the Photos app to download configuration files, and to connect to the Microsoft 365 admin center's shared infrastructure, including Office.
@@ -91,7 +92,7 @@ If you disable the Microsoft store, other Store apps cannot be installed or upda
 Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
 
 | Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
 | WindowsApps\Microsoft.Windows.Photos | HTTPS | evoke-windowsservices-tas.msedge.net |
 
 The following endpoint is used for Candy Crush Saga updates.
@@ -100,7 +101,7 @@ If you disable the Microsoft store, other Store apps cannot be installed or upda
 Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
 
 | Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
 |  | TLS v1.2    | candycrushsoda.king.com |
 
 The following endpoint is used for by the Microsoft Wallet app.
@@ -109,7 +110,7 @@ If you disable the Microsoft store, other Store apps cannot be installed or upda
 Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.
 
 | Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
 | system32\AppHostRegistrationVerifier.exe | HTTPS | wallet.microsoft.com |
 
 The following endpoint is used by the Groove Music app for update HTTP handler status.
@@ -123,7 +124,7 @@ The following endpoints are used when using the Whiteboard app.
 To turn off traffic for this endpoint [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
 
 | Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
 |  | HTTPS | wbd.ms |
 |  | HTTPS | int.whiteboard.microsoft.com |
 |  | HTTPS | whiteboard.microsoft.com |
@@ -135,28 +136,28 @@ The following endpoint is used to get images that are used for Microsoft Store s
 If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block images that are used for Microsoft Store suggestions.
 
 | Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
 | searchui        | HTTPS |store-images.s-microsoft.com  |
 
 The following endpoint is used to update Cortana greetings, tips, and Live Tiles.
 If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block updates to Cortana greetings, tips, and Live Tiles.
 
 | Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
 | backgroundtaskhost  | HTTPS   | www.bing.com/client |
 
 The following endpoint is used to configure parameters, such as how often the Live Tile is updated. It's also used to activate experiments.
 If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), parameters would not be updated and the device would no longer participate in experiments.
 
 | Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
 | backgroundtaskhost  | HTTPS   | www.bing.com/proactive |
 
 The following endpoint is used by Cortana to report diagnostic and diagnostic data information.
 If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), Microsoft won't be aware of issues with Cortana and won't be able to fix them.
 
 | Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
 | searchui <br> backgroundtaskhost | HTTPS   | www.bing.com/threshold/xls.aspx |
 
 ## Certificates
@@ -169,7 +170,7 @@ We do not recommend blocking this endpoint.
 If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.
 
 | Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
 | svchost        | HTTP     | ctldl.windowsupdate.com |
 
 ## Device authentication
@@ -178,7 +179,7 @@ The following endpoint is used to authenticate a device.
 If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), the device will not be authenticated.
 
 | Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
 |   | HTTPS   | login.live.com/ppsecure |
 
 ## Device metadata
@@ -187,7 +188,7 @@ The following endpoint is used to retrieve device metadata.
 If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-devinst), metadata will not be updated for the device.
 
 | Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
 |   |    | dmd.metaservices.microsoft.com.akadns.net |
 |   |  HTTP  | dmd.metaservices.microsoft.com |
 
@@ -197,21 +198,21 @@ The following endpoint is used by the Connected User Experiences and Telemetry c
 If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.
 
 | Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
 | svchost |   | cy2.vortex.data.microsoft.com.akadns.net |
 
 The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
 If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.
 
 | Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
 | svchost | HTTPS | v10.vortex-win.data.microsoft.com/collect/v1 |
 
 The following endpoints are used by Windows Error Reporting.
 To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.
 
 | Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
 | wermgr |        | watson.telemetry.microsoft.com  |
 |        | TLS v1.2 | modern.watson.data.microsoft.com.akadns.net |
 
@@ -221,7 +222,7 @@ The following endpoints are used to download fonts on demand.
 If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#font-streaming), you will not be able to download fonts on demand.
 
 | Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
 | svchost  |     | fs.microsoft.com      |
 |          |     | fs.microsoft.com/fs/windows/config.json |
 
@@ -231,7 +232,7 @@ The following endpoint is used for online activation and some app licensing.
 To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.
 
 | Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
 | licensemanager  | HTTPS   | licensing.mp.microsoft.com/v7.0/licenses/content |
 
 ## Location
@@ -240,7 +241,7 @@ The following endpoint is used for location data.
 If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location), apps cannot use location data.
 
 | Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
 |  | HTTP   | location-inference-westus.cloudapp.net  |
 |  | HTTPS | inference.location.live.net |
 
@@ -250,7 +251,7 @@ The following endpoint is used to check for updates to maps that have been downl
 If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps), offline maps will not be updated.
 
 | Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
 | svchost |  HTTPS   | *g.akamaiedge.net  |
 
 ## Microsoft account
@@ -259,7 +260,7 @@ The following endpoints are used for Microsoft accounts to sign in.
 If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account), users cannot sign in with Microsoft accounts.
 
 | Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
 |  |   | login.msa.akadns6.net  |
 |  |   | login.live.com  |
 |  |   | account.live.com |
@@ -272,21 +273,21 @@ The following endpoint is used for the Windows Push Notification Services (WNS).
 If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.
 
 | Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
 |  |  HTTPS  | *.wns.windows.com |
 
 The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.
 To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
 
 | Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
 |  | HTTP   | storecatalogrevocation.storequality.microsoft.com |
 
 The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps).
 If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
 
 | Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
 |  | HTTPS   | img-prod-cms-rt-microsoft-com.akamaized.net |
 | backgroundtransferhost | HTTPS   | store-images.microsoft.com |
 
@@ -294,7 +295,7 @@ The following endpoints are used to communicate with Microsoft Store.
 If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
 
 | Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
 |  | HTTP   | storeedgefd.dsx.mp.microsoft.com  |
 |  | HTTP \ HTTPS   | pti.store.microsoft.com  |
 ||TLS v1.2|cy2.\*.md.mp.microsoft.com.\*.|
@@ -306,7 +307,7 @@ Network Connection Status Indicator (NCSI) detects Internet connectivity and cor
 If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi), NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.
 
 | Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
 |  | HTTP   | www.msftconnecttest.com/connecttest.txt |
 
 ## Office
@@ -316,7 +317,7 @@ You can turn this off by removing all Microsoft Office apps and the Mail and Cal
 If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.
 
 | Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
 |   |    | *.a-msedge.net  |
 | hxstr  |    | *.c-msedge.net  |
 |   |    | *.e-msedge.net  |
@@ -330,20 +331,20 @@ You can turn this off by removing all Microsoft Office apps and the Mail and Cal
 If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.
 
 | Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
 | system32\Auth.Host.exe | HTTPS | outlook.office365.com |
 
 The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
 
 | Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
 |Windows Apps\Microsoft.Windows.Photos|HTTPS|client-office365-tas.msedge.net|
 
 The following endpoint is used to connect the Office To-Do app to it's cloud service.
 To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
 
 | Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
 |   |HTTPS|to-do.microsoft.com|
 
 ## OneDrive
@@ -352,14 +353,14 @@ The following endpoint is a redirection service that’s used to automatically u
 If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive), anything that relies on g.live.com to get updated URL information will no longer work.
 
 | Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
 | onedrive | HTTP \ HTTPS   | g.live.com/1rewlive5skydrive/ODSUProduction |
 
 The following endpoint is used by OneDrive for Business to download and verify app updates. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US).
 To turn off traffic for this endpoint, uninstall OneDrive for Business. In this case, your device will not able to get OneDrive for Business app updates.
 
 | Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
 | onedrive |   HTTPS   | oneclient.sfx.ms |
 
 ## Settings
@@ -368,21 +369,21 @@ The following endpoint is used as a way for apps to dynamically update their con
 If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
 
 | Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
 | dmclient |   | cy2.settings.data.microsoft.com.akadns.net  |
 
 The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.
 If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
 
 | Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
 | dmclient  | HTTPS  | settings.data.microsoft.com |
 
 The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as Windows Connected User Experiences and Telemetry component and Windows Insider Program use it.
 If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
 
 | Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
 | svchost | HTTPS   | settings-win.data.microsoft.com |
 
 ## Skype
@@ -390,7 +391,7 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper
 The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
 
 | Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
 |microsoft.windowscommunicationsapps.exe | HTTPS | config.edge.skype.com |
 |  | HTTPS | browser.pipe.aria.microsoft.com |
 |  |  | skypeecs-prod-usw-0-b.cloudapp.net |
@@ -401,14 +402,14 @@ The following endpoint is used for Windows Defender when Cloud-based Protection
 If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection. For a detailed list of Microsoft Defender Antivirus cloud service connections, see [Allow connections to the Microsoft Defender Antivirus cloud service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus#allow-connections-to-the-microsoft-defender-antivirus-cloud-service).
 
 | Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
 |   |    | wdcp.microsoft.com |
 
 The following endpoints are used for Windows Defender definition updates.
 If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), definitions will not be updated.
 
 | Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
 |   |    | definitionupdates.microsoft.com |
 |MpCmdRun.exe|HTTPS|go.microsoft.com |
 
@@ -416,7 +417,7 @@ The following endpoints are used for Windows Defender Smartscreen reporting and
 If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender-smartscreen), Windows Defender Smartscreen notifications will no appear.
 
 | Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
 |  | HTTPS | ars.smartscreen.microsoft.com |
 |  | HTTPS | unitedstates.smartscreen-prod.microsoft.com |
 |  |  | smartscreen-sn3p.smartscreen.microsoft.com |
@@ -427,7 +428,7 @@ The following endpoints are used to retrieve Windows Spotlight metadata that des
 If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight), Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see [Windows Spotlight](/windows/configuration/windows-spotlight).
 
 | Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
 | backgroundtaskhost  | HTTPS   | arc.msn.com |
 | backgroundtaskhost  |    | g.msn.com.nsatc.net |
 |    |TLS v1.2| *.search.msn.com |
@@ -440,14 +441,14 @@ The following endpoint is used for Windows Update downloads of apps and OS updat
 If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates), Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.
 
 | Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
 | svchost  | HTTPS   | *.prod.do.dsp.mp.microsoft.com  |
 
 The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store.
 If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to download updates for the operating system.
 
 | Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
 | svchost | HTTP  | *.windowsupdate.com |
 | svchost | HTTP  | *.dl.delivery.mp.microsoft.com |
 
@@ -455,7 +456,7 @@ The following endpoints enable connections to Windows Update, Microsoft Update,
 If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store.
 
 | Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
 | svchost | HTTPS   | *.update.microsoft.com |
 | svchost | HTTPS   | *.delivery.mp.microsoft.com  |
 
@@ -467,7 +468,7 @@ The following endpoint is used for content regulation.
 If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.
 
 | Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
 | svchost | HTTPS   | tsfe.trafficshaping.dsp.mp.microsoft.com |
 
 
@@ -478,7 +479,7 @@ The following endpoint is used by the Microsoft forward link redirection service
 If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.
 
 | Source process | Protocol | Destination |
-|----------------|----------|------------|
+|----------------|:--------:|------------|
 |Various|HTTPS|go.microsoft.com|
 
 ## Other Windows 10 editions
@@ -496,4 +497,4 @@ To view endpoints for non-Enterprise Windows 10 editions, see:
 ## Related links
 
 - [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
-- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/intune-endpoints)
+- [Network endpoints for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/intune-endpoints)

windows/privacy/manage-windows-2004-endpoints.md

@@ -8,7 +8,7 @@ ms.sitesec: library
 ms.localizationpriority: high
 audience: ITPro
 author: linque1
-ms.author: obezeajo
+ms.author: robsize
 manager: robsize
 ms.collection: M365-security-compliance
 ms.topic: article

windows/security/identity-protection/access-control/active-directory-security-groups.md

@@ -576,7 +576,7 @@ This security group has not changed since Windows Server 2008.
 </tr>
 <tr class="even">
 <td><p>Type</p></td>
-<td><p>BuiltIn Local</p></td>
+<td><p>Builtin Local</p></td>
 </tr>
 <tr class="odd">
 <td><p>Default container</p></td>
@@ -645,7 +645,7 @@ This security group has not changed since Windows Server 2008.
 </tr>
 <tr class="even">
 <td><p>Type</p></td>
-<td><p>BuiltIn Local</p></td>
+<td><p>Builtin Local</p></td>
 </tr>
 <tr class="odd">
 <td><p>Default container</p></td>
@@ -717,7 +717,7 @@ This security group includes the following changes since Windows Server 2008:
 </tr>
 <tr class="even">
 <td><p>Type</p></td>
-<td><p>BuiltIn Local</p></td>
+<td><p>Builtin Local</p></td>
 </tr>
 <tr class="odd">
 <td><p>Default container</p></td>
@@ -865,7 +865,7 @@ This security group has not changed since Windows Server 2008.
 </tr>
 <tr class="even">
 <td><p>Type</p></td>
-<td><p>Builtin local</p></td>
+<td><p>Builtin Local</p></td>
 </tr>
 <tr class="odd">
 <td><p>Default container</p></td>
@@ -987,7 +987,7 @@ This security group has not changed since Windows Server 2008.
 <tbody>
 <tr class="odd">
 <td><p>Well-Known SID/RID</p></td>
-<td><p>S-1-5-&lt;domain&gt;-517</p></td>
+<td><p>S-1-5-21-&lt;domain&gt;-517</p></td>
 </tr>
 <tr class="even">
 <td><p>Type</p></td>
@@ -1113,7 +1113,7 @@ This security group was introduced in Windows Vista Service Pack 1, and it h
 </tr>
 <tr class="even">
 <td><p>Type</p></td>
-<td><p>Builtin local</p></td>
+<td><p>Builtin Local</p></td>
 </tr>
 <tr class="odd">
 <td><p>Default container</p></td>
@@ -1241,7 +1241,7 @@ The Device Owners group applies to versions of the Windows Server operating syst
 </tr>
 <tr class="even">
 <td><p>Type</p></td>
-<td><p>BuiltIn Local</p></td>
+<td><p>Builtin Local</p></td>
 </tr>
 <tr class="odd">
 <td><p>Default container</p></td>
@@ -1430,7 +1430,7 @@ This security group has not changed since Windows Server 2008.
 </tr>
 <tr class="even">
 <td><p>Type</p></td>
-<td><p>Domain local</p></td>
+<td><p>Builtin Local</p></td>
 </tr>
 <tr class="odd">
 <td><p>Default container</p></td>
@@ -1493,7 +1493,7 @@ This security group has not changed since Windows Server 2008.
 </tr>
 <tr class="even">
 <td><p>Type</p></td>
-<td><p>Domain Global</p></td>
+<td><p>Global</p></td>
 </tr>
 <tr class="odd">
 <td><p>Default container</p></td>
@@ -1552,7 +1552,7 @@ This security group has not changed since Windows Server 2008.
 <tbody>
 <tr class="odd">
 <td><p>Well-Known SID/RID</p></td>
-<td><p>S-1-5-&lt;domain&gt;-515</p></td>
+<td><p>S-1-5-21-&lt;domain&gt;-515</p></td>
 </tr>
 <tr class="even">
 <td><p>Type</p></td>
@@ -1613,7 +1613,7 @@ This security group has not changed since Windows Server 2008.
 <tbody>
 <tr class="odd">
 <td><p>Well-Known SID/RID</p></td>
-<td><p>S-1-5-&lt;domain&gt;-516</p></td>
+<td><p>S-1-5-21-&lt;domain&gt;-516</p></td>
 </tr>
 <tr class="even">
 <td><p>Type</p></td>
@@ -1674,7 +1674,7 @@ This security group has not changed since Windows Server 2008.
 <tbody>
 <tr class="odd">
 <td><p>Well-Known SID/RID</p></td>
-<td><p>S-1-5-&lt;domain&gt;-514</p></td>
+<td><p>S-1-5-21-&lt;domain&gt;-514</p></td>
 </tr>
 <tr class="even">
 <td><p>Type</p></td>
@@ -1737,11 +1737,11 @@ This security group has not changed since Windows Server 2008.
 <tbody>
 <tr class="odd">
 <td><p>Well-Known SID/RID</p></td>
-<td><p>S-1-5-&lt;domain&gt;-513</p></td>
+<td><p>S-1-5-21-&lt;domain&gt;-513</p></td>
 </tr>
 <tr class="even">
 <td><p>Type</p></td>
-<td><p>Domain Global</p></td>
+<td><p>Global</p></td>
 </tr>
 <tr class="odd">
 <td><p>Default container</p></td>
@@ -1950,7 +1950,7 @@ This security group has not changed since Windows Server 2008.
 </tr>
 <tr class="even">
 <td><p>Type</p></td>
-<td><p>Builtin local</p></td>
+<td><p>Domain Local</p></td>
 </tr>
 <tr class="odd">
 <td><p>Default container</p></td>
@@ -1985,13 +1985,13 @@ This security group has not changed since Windows Server 2008.
 
  
 
-### <a href="" id="bkmk-gpcreatorsowners"></a>Group Policy Creators Owners
+### <a href="" id="bkmk-gpcreatorsowners"></a>Group Policy Creator Owners
 
 This group is authorized to create, edit, or delete Group Policy Objects in the domain. By default, the only member of the group is Administrator.
 
 For information about other features you can use with this security group, see [Group Policy Overview](https://technet.microsoft.com/library/hh831791.aspx).
 
-The Group Policy Creators Owners group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
+The Group Policy Creator Owners group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
 
 This security group has not changed since Windows Server 2008.
 
@@ -2009,7 +2009,7 @@ This security group has not changed since Windows Server 2008.
 <tbody>
 <tr class="odd">
 <td><p>Well-Known SID/RID</p></td>
-<td><p>S-1-5-&lt;domain&gt;-520</p></td>
+<td><p>S-1-5-21-&lt;domain&gt;-520</p></td>
 </tr>
 <tr class="even">
 <td><p>Type</p></td>
@@ -2093,12 +2093,11 @@ This security group has not changed since Windows Server 2008.
 </tr>
 <tr class="even">
 <td><p>Default members</p></td>
-<td><p>Guest</p></td>
+<td><p><a href="#bkmk-domainguests" data-raw-source="[Domain Guests](#bkmk-domainguests)">Domain Guests</a></p><p>Guest</p></td>
 </tr>
 <tr class="odd">
 <td><p>Default member of</p></td>
-<td><p><a href="#bkmk-domainguests" data-raw-source="[Domain Guests](#bkmk-domainguests)">Domain Guests</a></p>
-<p>Guest</p></td>
+<td><p>None</p></td>
 </tr>
 <tr class="even">
 <td><p>Protected by ADMINSDHOLDER?</p></td>
@@ -2150,7 +2149,7 @@ This security group was introduced in Windows Server 2012, and it has not chang
 </tr>
 <tr class="even">
 <td><p>Type</p></td>
-<td><p>Builtin local</p></td>
+<td><p>Builtin Local</p></td>
 </tr>
 <tr class="odd">
 <td><p>Default container</p></td>
@@ -2162,7 +2161,7 @@ This security group was introduced in Windows Server 2012, and it has not chang
 </tr>
 <tr class="odd">
 <td><p>Default member of</p></td>
-<td><p>No</p></td>
+<td><p>None</p></td>
 </tr>
 <tr class="even">
 <td><p>Protected by ADMINSDHOLDER?</p></td>
@@ -2211,7 +2210,7 @@ This security group has not changed since Windows Server 2008.
 </tr>
 <tr class="even">
 <td><p>Type</p></td>
-<td><p>BuiltIn Local</p></td>
+<td><p>Builtin Local</p></td>
 </tr>
 <tr class="odd">
 <td><p>Default container</p></td>
@@ -2286,7 +2285,7 @@ This security group has not changed since Windows Server 2008.
 </tr>
 <tr class="even">
 <td><p>Type</p></td>
-<td><p>BuiltIn local</p></td>
+<td><p>Builtin Local</p></td>
 </tr>
 <tr class="odd">
 <td><p>Default container</p></td>
@@ -2389,7 +2388,7 @@ This security group has not changed since Windows Server 2008.
 </tr>
 <tr class="even">
 <td><p>Type</p></td>
-<td><p>BuiltIn local</p></td>
+<td><p>Builtin Local</p></td>
 </tr>
 <tr class="odd">
 <td><p>Default container</p></td>
@@ -2470,7 +2469,7 @@ This security group has not changed since Windows Server 2008.
 </tr>
 <tr class="even">
 <td><p>Type</p></td>
-<td><p>Builtin local</p></td>
+<td><p>Builtin Local</p></td>
 </tr>
 <tr class="odd">
 <td><p>Default container</p></td>
@@ -2551,7 +2550,7 @@ This security group has not changed since Windows Server 2008.
 </tr>
 <tr class="even">
 <td><p>Type</p></td>
-<td><p>Builtin local</p></td>
+<td><p>Builtin Local</p></td>
 </tr>
 <tr class="odd">
 <td><p>Default container</p></td>
@@ -2615,7 +2614,7 @@ This security group has not changed since Windows Server 2008.
 </tr>
 <tr class="even">
 <td><p>Type</p></td>
-<td><p>Builtin local</p></td>
+<td><p>Builtin Local</p></td>
 </tr>
 <tr class="odd">
 <td><p>Default container</p></td>
@@ -2679,7 +2678,7 @@ This security group has not changed since Windows Server 2008. However, in Windo
 </tr>
 <tr class="even">
 <td><p>Type</p></td>
-<td><p>Builtin local</p></td>
+<td><p>Builtin Local</p></td>
 </tr>
 <tr class="odd">
 <td><p>Default container</p></td>
@@ -2758,7 +2757,7 @@ The following table specifies the properties of the Protected Users group.
 </tr>
 <tr class="even">
 <td><p>Type</p></td>
-<td><p>Domain Global</p></td>
+<td><p>Global</p></td>
 </tr>
 <tr class="odd">
 <td><p>Default container</p></td>
@@ -2819,7 +2818,7 @@ This security group has not changed since Windows Server 2008.
 </tr>
 <tr class="even">
 <td><p>Type</p></td>
-<td><p>Domain local</p></td>
+<td><p>Builtin Local</p></td>
 </tr>
 <tr class="odd">
 <td><p>Default container</p></td>
@@ -2876,11 +2875,11 @@ This security group was introduced in Windows Server 2012, and it has not chang
 <tbody>
 <tr class="odd">
 <td><p>Well-Known SID/RID</p></td>
-<td><p>S-1-5-32-&lt;domain&gt;-576</p></td>
+<td><p>S-1-5-32-576</p></td>
 </tr>
 <tr class="even">
 <td><p>Type</p></td>
-<td><p>Builtin local</p></td>
+<td><p>Builtin Local</p></td>
 </tr>
 <tr class="odd">
 <td><p>Default container</p></td>
@@ -2939,7 +2938,7 @@ This security group was introduced in Windows Server 2012, and it has not chang
 </tr>
 <tr class="even">
 <td><p>Type</p></td>
-<td><p>Builtin local</p></td>
+<td><p>Builtin Local</p></td>
 </tr>
 <tr class="odd">
 <td><p>Default container</p></td>
@@ -3000,7 +2999,7 @@ This security group was introduced in Windows Server 2012, and it has not chang
 </tr>
 <tr class="even">
 <td><p>Type</p></td>
-<td><p>Builtin local</p></td>
+<td><p>Builtin Local</p></td>
 </tr>
 <tr class="odd">
 <td><p>Default container</p></td>
@@ -3035,6 +3034,78 @@ This security group was introduced in Windows Server 2012, and it has not chang
 
  
 
+### <a href="" id="bkmk-rodc"></a>Read-Only Domain Controllers
+
+This group is comprised of the Read-only domain controllers in the domain. A Read-only domain controller makes it possible for organizations to easily deploy a domain controller in scenarios where physical security cannot be guaranteed, such as branch office locations, or in scenarios where local storage of all domain passwords is considered a primary threat, such as in an extranet or in an application-facing role.
+
+Because administration of a Read-only domain controller can be delegated to a domain user or security group, an Read-only domain controller is well suited for a site that should not have a user who is a member of the Domain Admins group. A Read-only domain controller encompasses the following functionality:
+
+-   Read-only AD DS database
+
+-   Unidirectional replication
+
+-   Credential caching
+
+-   Administrator role separation
+
+-   Read-only Domain Name System (DNS)
+
+For information about deploying a Read-only domain controller, see [Understanding Planning and Deployment for Read-Only Domain Controllers](https://technet.microsoft.com/library/cc754719(v=ws.10).aspx).
+
+This security group was introduced in Windows Server 2008, and it has not changed in subsequent versions.
+
+<table>
+<colgroup>
+<col width="50%" />
+<col width="50%" />
+</colgroup>
+<thead>
+<tr class="header">
+<th>Attribute</th>
+<th>Value</th>
+</tr>
+</thead>
+<tbody>
+<tr class="odd">
+<td><p>Well-Known SID/RID</p></td>
+<td><p>S-1-5-21-&lt;domain&gt;-521</p></td>
+</tr>
+<tr class="even">
+<td><p>Type</p></td>
+<td><p>Global</p></td>
+</tr>
+<tr class="odd">
+<td><p>Default container</p></td>
+<td><p>CN=Users, DC=&lt;domain&gt;, DC=</p></td>
+</tr>
+<tr class="even">
+<td><p>Default members</p></td>
+<td><p>None</p></td>
+</tr>
+<tr class="odd">
+<td><p>Default member of</p></td>
+<td><p><a href="#bkmk-deniedrodcpwdrepl" data-raw-source="[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)">Denied RODC Password Replication Group</a></p></td>
+</tr>
+<tr class="even">
+<td><p>Protected by ADMINSDHOLDER?</p></td>
+<td><p>Yes</p></td>
+</tr>
+<tr class="odd">
+<td><p>Safe to move out of default container?</p></td>
+<td><p>Yes</p></td>
+</tr>
+<tr class="even">
+<td><p>Safe to delegate management of this group to non-Service admins?</p></td>
+<td><p></p></td>
+</tr>
+<tr class="odd">
+<td><p>Default User Rights</p></td>
+<td><p>See <a href="#bkmk-deniedrodcpwdrepl" data-raw-source="[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)">Denied RODC Password Replication Group</a></p></td>
+</tr>
+</tbody>
+</table>
+ 
+
 ### <a href="" id="bkmk-remotedesktopusers"></a>Remote Desktop Users
 
 The Remote Desktop Users group on an RD Session Host server is used to grant users and groups permissions to remotely connect to an RD Session Host server. This group cannot be renamed, deleted, or moved. It appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
@@ -3096,78 +3167,6 @@ This security group has not changed since Windows Server 2008.
 
 
  
-### <a href="" id="bkmk-rodc"></a>Read-Only Domain Controllers
-
-This group is comprised of the Read-only domain controllers in the domain. A Read-only domain controller makes it possible for organizations to easily deploy a domain controller in scenarios where physical security cannot be guaranteed, such as branch office locations, or in scenarios where local storage of all domain passwords is considered a primary threat, such as in an extranet or in an application-facing role.
-
-Because administration of a Read-only domain controller can be delegated to a domain user or security group, an Read-only domain controller is well suited for a site that should not have a user who is a member of the Domain Admins group. A Read-only domain controller encompasses the following functionality:
-
--   Read-only AD DS database
-
--   Unidirectional replication
-
--   Credential caching
-
--   Administrator role separation
-
--   Read-only Domain Name System (DNS)
-
-For information about deploying a Read-only domain controller, see [Understanding Planning and Deployment for Read-Only Domain Controllers](https://technet.microsoft.com/library/cc754719(v=ws.10).aspx).
-
-This security group was introduced in Windows Server 2008, and it has not changed in subsequent versions.
-
-<table>
-<colgroup>
-<col width="50%" />
-<col width="50%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th>Attribute</th>
-<th>Value</th>
-</tr>
-</thead>
-<tbody>
-<tr class="odd">
-<td><p>Well-Known SID/RID</p></td>
-<td><p>S-1-5-21-&lt;domain&gt;-521</p></td>
-</tr>
-<tr class="even">
-<td><p>Type</p></td>
-<td><p></p></td>
-</tr>
-<tr class="odd">
-<td><p>Default container</p></td>
-<td><p>CN=Users, DC=&lt;domain&gt;, DC=</p></td>
-</tr>
-<tr class="even">
-<td><p>Default members</p></td>
-<td><p>None</p></td>
-</tr>
-<tr class="odd">
-<td><p>Default member of</p></td>
-<td><p><a href="#bkmk-deniedrodcpwdrepl" data-raw-source="[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)">Denied RODC Password Replication Group</a></p></td>
-</tr>
-<tr class="even">
-<td><p>Protected by ADMINSDHOLDER?</p></td>
-<td><p>Yes</p></td>
-</tr>
-<tr class="odd">
-<td><p>Safe to move out of default container?</p></td>
-<td><p>Yes</p></td>
-</tr>
-<tr class="even">
-<td><p>Safe to delegate management of this group to non-Service admins?</p></td>
-<td><p></p></td>
-</tr>
-<tr class="odd">
-<td><p>Default User Rights</p></td>
-<td><p>See <a href="#bkmk-deniedrodcpwdrepl" data-raw-source="[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)">Denied RODC Password Replication Group</a></p></td>
-</tr>
-</tbody>
-</table>
-
- 
 
 ### <a href="" id="bkmk-remotemanagementusers"></a>Remote Management Users
 
@@ -3197,7 +3196,7 @@ This security group was introduced in Windows Server 2012, and it has not chang
 </tr>
 <tr class="even">
 <td><p>Type</p></td>
-<td><p>Builtin local</p></td>
+<td><p>Builtin Local</p></td>
 </tr>
 <tr class="odd">
 <td><p>Default container</p></td>
@@ -3264,7 +3263,7 @@ This security group has not changed since Windows Server 2008.
 </tr>
 <tr class="even">
 <td><p>Type</p></td>
-<td><p>Builtin local</p></td>
+<td><p>Builtin Local</p></td>
 </tr>
 <tr class="odd">
 <td><p>Default container</p></td>
@@ -3327,7 +3326,7 @@ This security group has not changed since Windows Server 2008.
 <tbody>
 <tr class="odd">
 <td><p>Well-Known SID/RID</p></td>
-<td><p>S-1-5-&lt;root domain&gt;-518</p></td>
+<td><p>S-1-5-21-&lt;root domain&gt;-518</p></td>
 </tr>
 <tr class="even">
 <td><p>Type</p></td>
@@ -3394,7 +3393,7 @@ This security group has not changed since Windows Server 2008.
 </tr>
 <tr class="even">
 <td><p>Type</p></td>
-<td><p>Builtin local</p></td>
+<td><p>Builtin Local</p></td>
 </tr>
 <tr class="odd">
 <td><p>Default container</p></td>
@@ -3442,7 +3441,7 @@ The Storage Replica Administrators group applies to versions of the Windows Serv
 | Attribute | Value |
 |-----------|-------|
 | Well-Known SID/RID | S-1-5-32-582 |
-| Type | BuiltIn Local |
+| Type | Builtin Local |
 | Default container | CN=BuiltIn, DC=&lt;domain&gt;, DC= |
 | Default members | None |
 | Default member of | None |
@@ -3463,7 +3462,7 @@ The System Managed Accounts group applies to versions of the Windows Server oper
 | Attribute | Value |
 |-----------|-------|
 | Well-Known SID/RID | S-1-5-32-581 |
-| Type | BuiltIn Local |
+| Type | Builtin Local |
 | Default container | CN=BuiltIn, DC=&lt;domain&gt;, DC= |
 | Default members | Users |
 | Default member of | None |
@@ -3507,7 +3506,7 @@ This security group only applies to Windows Server 2003 and Windows Server 200
 </tr>
 <tr class="even">
 <td><p>Type</p></td>
-<td><p>Builtin local</p></td>
+<td><p>Builtin Local</p></td>
 </tr>
 <tr class="odd">
 <td><p>Default container</p></td>
@@ -3574,7 +3573,7 @@ This security group includes the following changes since Windows Server 2008:
 </tr>
 <tr class="even">
 <td><p>Type</p></td>
-<td><p>Builtin local</p></td>
+<td><p>Builtin Local</p></td>
 </tr>
 <tr class="odd">
 <td><p>Default container</p></td>
@@ -3588,7 +3587,7 @@ This security group includes the following changes since Windows Server 2008:
 </tr>
 <tr class="odd">
 <td><p>Default member of</p></td>
-<td><p>Domain Users (this membership is due to the fact that the Primary Group ID of all user accounts is Domain Users.)</p></td>
+<td><p>None</p></td>
 </tr>
 <tr class="even">
 <td><p>Protected by ADMINSDHOLDER?</p></td>
@@ -3641,7 +3640,7 @@ This security group has not changed since Windows Server 2008.
 </tr>
 <tr class="even">
 <td><p>Type</p></td>
-<td><p>Builtin local</p></td>
+<td><p>Builtin Local</p></td>
 </tr>
 <tr class="odd">
 <td><p>Default container</p></td>

windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md

@@ -68,7 +68,7 @@ If the error occurs again, check the error code against the following table to s
 | 0x801C03ED | Multi-factor authentication is required for a 'ProvisionKey' operation, but was not performed. <br><br> -or- <br><br> Token was not found in the Authorization header. <br><br> -or- <br><br> Failed to read one or more objects. <br><br> -or- <br><br> The request sent to the server was invalid. | Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Azure Active Directory (Azure AD) and rejoin.
 | 0x801C03EE | Attestation failed.                                                | Sign out and then sign in again. |
 | 0x801C03EF | The AIK certificate is no longer valid.                            | Sign out and then sign in again. |
-| 0x801C03F2 | Windows Hello key registration failed.                             | ERROR\_BAD\_DIRECTORY\_REQUEST. Another object with the same value for property proxyAddresses already exists. To resolve the issue refer to [Duplicate Attributes Prevent Dirsync](https://docs.microsoft.com/office365/troubleshoot/administration/duplicate-attributes-prevent-dirsync).
+| 0x801C03F2 | Windows Hello key registration failed.                             | ERROR\_BAD\_DIRECTORY\_REQUEST. Another object with the same value for property proxyAddresses already exists. To resolve the issue, refer to [Duplicate Attributes Prevent Dirsync](https://docs.microsoft.com/office365/troubleshoot/administration/duplicate-attributes-prevent-dirsync). Also, if no sync conflict exists, please verify that the "Mail/Email address" in AAD and the Primary SMTP address are the same in the proxy address.
 | 0x801C044D | Authorization token does not contain device ID.                    | Unjoin the device from Azure AD and rejoin. |
 |            | Unable to obtain user token.                                       | Sign out and then sign in again. Check network and credentials. |
 | 0x801C044E | Failed to receive user credentials input.                          | Sign out and then sign in again. |

windows/security/information-protection/bitlocker/bitlocker-overview.md

@@ -74,7 +74,7 @@ The hard disk must be partitioned with at least two drives:
 -   The operating system drive (or boot drive) contains the operating system and its support files. It must be formatted with the NTFS file system.
 -   The system drive contains the files that are needed to load Windows after the firmware has prepared the system hardware. BitLocker is not enabled on this drive. For BitLocker to work, the system drive must not be encrypted, must differ from the operating system drive, and must be formatted with the FAT32 file system on computers that use UEFI-based firmware or with the NTFS file system on computers that use BIOS firmware. We recommend that system drive be approximately 350 MB in size. After BitLocker is turned on it should have approximately 250 MB of free space.
 
-A fixed data volume or removable data volume cannot be marked as an active partition.
+A partition subject to encryption cannot be marked as an active partition (this applies to the operating system, fixed data, and removable data drives).
 
 When installed on a new computer, Windows will automatically create the partitions that are required for BitLocker.
 
@@ -99,4 +99,3 @@ When installing the BitLocker optional component on a server you will also need
 | [Troubleshoot BitLocker](troubleshoot-bitlocker.md) | This guide describes the resources that can help you troubleshoot BitLocker issues, and provides solutions for several common BitLocker issues. |
 | [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)| This topic for IT pros describes how to protect CSVs and SANs with BitLocker.| 
 | [Enabling Secure Boot and BitLocker Device Encryption on Windows 10 IoT Core](https://developer.microsoft.com/windows/iot/docs/securebootandbitlocker) | This topic covers how to use BitLocker with Windows 10 IoT Core |
-

windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md

@@ -16,7 +16,6 @@ ms.date: 10/18/2019
 ms.custom: bitlocker
 ---
 
-
 # BitLocker cannot encrypt a drive: known TPM issues
 
 This article describes common issues that affect the Trusted Platform Module (TPM) and that may prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues.
@@ -38,8 +37,10 @@ To resolve this issue, follow these steps:
 
 1. Open an elevated PowerShell window and run the following script:
 
-   ```ps
-   $Tpm = Get-WmiObject -class Win32_Tpm -namespace "root\CIMv2\Security\MicrosoftTpm" $ConfirmationStatus = $Tpm.GetPhysicalPresenceConfirmationStatus(22).ConfirmationStatus if($ConfirmationStatus -ne 4) {$Tpm.SetPhysicalPresenceRequest(22)}
+   ```powershell
+   $Tpm = Get-WmiObject -class Win32_Tpm -namespace "root\CIMv2\Security\MicrosoftTpm"
+   $ConfirmationStatus = $Tpm.GetPhysicalPresenceConfirmationStatus(22).ConfirmationStatus
+   if($ConfirmationStatus -ne 4) {$Tpm.SetPhysicalPresenceRequest(22)}
    ```
 
 1. Restart the computer. If you are prompted at the restart screen, press F12 to agree.
@@ -88,7 +89,7 @@ To verify that you have correctly identified this issue, use one of the followin
 
 1. To review the TPM information for the affected computer, open an elevated Windows PowerShell window and run the following command:
 
-   ```ps
+   ```powershell
    Get-ADComputer -Filter {Name -like "ComputerName"} -Property * | Format-Table name,msTPM-TPMInformationForComputer
    ```
 
@@ -115,11 +116,11 @@ The domain and forest functional level of the environment may still be set to Wi
 To resolve this issue, follow these steps:
 
 1. Upgrade the functional level of the domain and forest to Windows Server 2012 R2.
-1. Download [Add-TPMSelfWriteACE.vbs](https://go.microsoft.com/fwlink/p/?LinkId=167133).
-1. In the script, modify the value of **strPathToDomain** to your domain name.
-1. Open an elevated PowerShell window, and run the following command:
+2. Download [Add-TPMSelfWriteACE.vbs](https://go.microsoft.com/fwlink/p/?LinkId=167133).
+3. In the script, modify the value of **strPathToDomain** to your domain name.
+4. Open an elevated PowerShell window, and run the following command:
 
-   ```ps
+   ```powershell
    cscript <Path>Add-TPMSelfWriteACE.vbs
    ```
 

windows/security/threat-protection/TOC.md

@@ -185,9 +185,7 @@
 ###### [Report on antivirus protection]()
 ###### [Review protection status and alerts](microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md)
 ###### [Troubleshoot antivirus reporting in Update Compliance](microsoft-defender-antivirus/troubleshoot-reporting.md)
-   
-###### [Manage updates and apply baselines]()
-###### [Learn about the different kinds of updates](microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md)
+###### [Learn about the recent updates](microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md)
 ###### [Manage protection and security intelligence updates](microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md)
 ###### [Manage when protection updates should be downloaded and applied](microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md)
 ###### [Manage updates for endpoints that are out of date](microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md)
@@ -274,7 +272,7 @@
 #### [Overview of Microsoft Defender Advanced Threat Protection for iOS](microsoft-defender-atp/microsoft-defender-atp-ios.md)
 
 #### [Deploy]()
-##### [App-based deployment](microsoft-defender-atp/ios-install.md)
+##### [Deploy Microsoft Defender for Endpoint for iOS via Intune](microsoft-defender-atp/ios-install.md)
 
 #### [Configure]()
 ##### [Configure iOS features](microsoft-defender-atp/ios-configure-features.md)

windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md

@@ -12,7 +12,6 @@ ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
 ms.custom: nextgen
-ms.date: 09/03/2018
 ms.reviewer: 
 manager: dansimp
 ---

windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md

@@ -13,7 +13,7 @@ ms.author: deniseb
 ms.custom: nextgen
 ms.reviewer: 
 manager: dansimp
-ms.date: 11/06/2020
+ms.date: 12/05/2020
 ---
 
 # Manage Microsoft Defender Antivirus updates and apply baselines
@@ -32,10 +32,9 @@ There are two types of updates related to keeping Microsoft Defender Antivirus u
 
 > [!IMPORTANT]
 > Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques.  
-> This also applies to devices where Microsoft Defender Antivirus is running in [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
+> Make sure to update your antivirus protection even if Microsoft Defender Antivirus is running in [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
 > 
-> You can use the below URL to find out what are the current versions:
-> [https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?action=info](https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?action=info)
+> To see the most current engine, platform, and signature date, visit the [Microsoft security encyclopedia](https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?action=info).
 
 ## Security intelligence updates
 
@@ -48,6 +47,8 @@ Microsoft Defender Antivirus uses [cloud-delivered protection](utilize-microsoft
 
 Cloud-delivered protection is always on and requires an active connection to the Internet to function. Security intelligence updates occur on a scheduled cadence (configurable via policy). For more information, see [Use Microsoft cloud-provided protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md). 
 
+For a list of recent security intelligence updates, please visit: [Antimalware updates change log - Microsoft Security Intelligence](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes).
+
 Engine updates are included with security intelligence updates and are released on a monthly cadence.
 
 ## Product updates
@@ -77,6 +78,22 @@ All our updates contain
 
 
 <details>
+<summary> November-2020 (Platform: 4.18.2011.6 | Engine: 1.1.17700.4)</summary>
+
+&ensp;Security intelligence update version: **1.327.1854.0**  
+&ensp;Released: **December 03, 2020**  
+&ensp;Platform: **4.18.2011.6**  
+&ensp;Engine: **1.1.17700.4**  
+&ensp;Support phase: **Security and Critical Updates**
+    
+### What's new
+- Improved SmartScreen status support logging
+- Apply CPU throttling policy to manually initiated scans
+
+### Known Issues
+No known issues  
+<br/>
+</details><details>
 <summary> October-2020 (Platform: 4.18.2010.7 | Engine: 1.1.17600.5)</summary>
 
 &ensp;Security intelligence update version: **1.327.7.0**  
@@ -348,11 +365,73 @@ The below table provides the Microsoft Defender Antivirus platform and engine ve
 
 Windows 10 release info: [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet).
 
+## Updates for Deployment Image Servicing and Management (DISM)
+
+We recommend updating your Windows 10 (Enterprise, Pro, and Home editions), Windows Server 2019, and Windows Server 2016 OS installation images with the latest antivirus and antimalware updates. Keeping your OS installation images up to date helps avoid a gap in protection. For more information, see [Microsoft Defender update for Windows operating system installation images](https://support.microsoft.com/help/4568292/defender-update-for-windows-operating-system-installation-images).
+
+<details>
+<summary>1.1.2012.01</summary>
+
+&ensp;Package version: **1.1.2012.01**    
+&ensp;Platform version: **4.18.2010.7**   
+&ensp;Engine version: **1.17600.5**  
+&ensp;Signature version: **1.327.1991.0**    
+    
+### Fixes
+- None
+
+### Additional information
+- None  
+<br/>
+</details><details>
+<summary>1.1.2011.02</summary>
+
+&ensp;Package version: **1.1.2011.02**    
+&ensp;Platform version: **4.18.2010.7**   
+&ensp;Engine version: **1.17600.5**  
+&ensp;Signature version: **1.327.658.0**    
+    
+### Fixes
+- None
+
+### Additional information
+- Refreshed Microsoft Defender Antivirus signatures  
+<br/>
+</details><details>
+<summary>1.1.2011.01</summary>
+
+&ensp;Package version: **1.1.2011.01**    
+&ensp;Platform version: **4.18.2009.7**  
+&ensp;Engine version: **1.17600.5**  
+&ensp;Signature version: **1.327.344.0**    
+    
+### Fixes
+- None
+
+### Additional information
+- None  
+<br/>
+</details><details>
+<summary>1.1.2009.10</summary>
+
+&ensp;Package version: **1.1.2011.01**    
+&ensp;Platform version: **4.18.2008.9**   
+&ensp;Engine version: **1.17400.5**  
+&ensp;Signature version: **1.327.2216.0**    
+    
+### Fixes
+- None
+
+### Additional information
+- Added support for Windows 10 RS1 or later OS install images.  
+<br/>
+</details>
 
 ## See also
 
 | Article | Description  |
 |:---|:---|
+|[Microsoft Defender update for Windows operating system installation images](https://support.microsoft.com/help/4568292/defender-update-for-windows-operating-system-installation-images)  | Review antimalware update packages for your OS installation images (WIM and VHD files). Get Microsoft Defender Antivirus updates for Windows 10 (Enterprise, Pro, and Home editions), Windows Server 2019, and Windows Server 2016 installation images.  |
 |[Manage how protection updates are downloaded and applied](manage-protection-updates-microsoft-defender-antivirus.md) | Protection updates can be delivered through a number of sources. |
 |[Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) | You can schedule when protection updates should be downloaded. |
 |[Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md) | If an endpoint misses an update or scheduled scan, you can force an update or scan the next time a user signs in. |

windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md

@@ -13,7 +13,7 @@ ms.author: deniseb
 ms.custom: nextgen
 ms.reviewer:
 manager: dansimp
-ms.date: 11/06/2020
+ms.date: 12/11/2020
 ---
 
 # Microsoft Defender Antivirus compatibility
@@ -72,13 +72,13 @@ The following table summarizes the functionality and features that are available
 |State |[Real-time protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus) and [cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus) | [Limited periodic scanning availability](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus) | [File scanning and detection information](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus) | [Threat remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus) | [Security intelligence updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus) |
 |--|--|--|--|--|--|
 |Active mode <br/><br/>  |Yes |No |Yes |Yes |Yes |
-|Passive mode  |No |No |Yes |Only during [scheduled or on-demand scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus) |Yes |
+|Passive mode  |Yes |No |Yes |Only during [scheduled or on-demand scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus) |Yes |
 |[EDR in block mode enabled](../microsoft-defender-atp/edr-in-block-mode.md)  |No |No |Yes |Yes |Yes |
 |Automatic disabled mode  |No |Yes |No |No |No |
 
 - In Active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Microsoft Defender Antivirus app on the machine itself).
 - In Passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are not remediated by Microsoft Defender Antivirus. Files are scanned and reports are provided for threat detections that are shared with the Microsoft Defender for Endpoint service. Therefore, you might encounter alerts in the Security Center console with Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in Passive mode.
-- When [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) is turned on, Microsoft Defender Antivirus is not used as the primary antivirus solution, but can still detect and remediate malicious items.
+- When [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) is turned on and Microsoft Defender Antivirus is not used as the primary antivirus solution, it can still detect and remediate malicious items.
 - When disabled, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated.
 
 ## Keep the following points in mind
@@ -95,7 +95,7 @@ If you uninstall the other product, and choose to use Microsoft Defender Antivir
 > You should not attempt to disable, stop, or modify any of the associated services used by Microsoft Defender Antivirus, Microsoft Defender for Endpoint, or the Windows Security app. This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks. It can also cause problems when using third-party antivirus apps and how their information is displayed in the [Windows Security app](microsoft-defender-security-center-antivirus.md).
 
 > [!IMPORTANT]
-> If you are using [Microsoft Endpoint DLP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview), Microsoft Defender Antivirus real-time protection is enabled, even when Microsoft Defender Antivirus is running in passive mode. Endpoint DLP depends on real-time protection to operate.
+> If you are using [Microsoft Endpoint DLP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview), Microsoft Defender Antivirus real-time protection is enabled, even when Microsoft Defender Antivirus is running in passive mode. Microsoft Defender Antivirus won't conflict with third-party antivirus solutions installed on the endpoint. Endpoint DLP depends on real-time protection to operate.
 
 ## See also
 
@@ -104,3 +104,4 @@ If you uninstall the other product, and choose to use Microsoft Defender Antivir
 - [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md)
 - [Configure Endpoint Protection](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure)
 - [Configure Endpoint Protection on a standalone client](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure-standalone-client)
+- [Learn about Microsoft 365 Endpoint data loss prevention](https://docs.microsoft.com/microsoft-365/compliance/endpoint-dlp-learn-about)

windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md

@@ -11,7 +11,7 @@ ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
 ms.custom: nextgen
-ms.date: 09/03/2018
+ms.date: 12/07/2020
 ms.reviewer: 
 manager: dansimp
 ---
@@ -25,6 +25,8 @@ manager: dansimp
 
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 
+Microsoft Defender Antivirus is built into Windows 10, Windows Server 2019, and Windows Server 2016. Microsoft Defender Antivirus is of your next-generation protection in Microsoft Defender for Endpoint. Next-generation protection helps protect your devices from software threats like viruses, malware, and spyware across email, apps, the cloud, and the web.
+
 With Microsoft Defender Antivirus, you have several options for reviewing protection status and alerts. You can use Microsoft Endpoint Configuration Manager to [monitor Microsoft Defender Antivirus](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-configure-alerts). Or, you can monitor protection using [Microsoft Intune](https://docs.microsoft.com/intune/introduction-intune).  
 
 Microsoft Operations Management Suite has an [Update Compliance add-in](/windows/deployment/update/update-compliance-get-started) that reports on key Microsoft Defender Antivirus issues, including protection updates and real-time protection settings.
@@ -42,5 +44,5 @@ For monitoring or determining status with PowerShell, WMI, or Microsoft Azure, s
 ## Related articles
 
 - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
-
+- [Microsoft Defender Antivirus on Windows Server 2016 and 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016)
 - [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md)

windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md

@@ -8,7 +8,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
-ms.date: 09/07/2020
+ms.date: 12/10/2020
 ms.reviewer: 
 manager: dansimp
 ms.custom: asr
@@ -32,21 +32,22 @@ If an employee goes to an untrusted site through either Microsoft Edge or Intern
 
 Application Guard has been created to target several types of systems:
 
-- **Enterprise desktops.** These desktops are domain-joined and managed by your organization. Configuration management is primarily done through Microsoft Endpoint Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wired, corporate network.
+- **Enterprise desktops**. These desktops are domain-joined and managed by your organization. Configuration management is primarily done through Microsoft Endpoint Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wired, corporate network.
 
-- **Enterprise mobile laptops.** These laptops are domain-joined and managed by your organization. Configuration management is primarily done through Microsoft Endpoint Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wireless, corporate network.
+- **Enterprise mobile laptops**. These laptops are domain-joined and managed by your organization. Configuration management is primarily done through Microsoft Endpoint Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wireless, corporate network.
 
-- **Bring your own device (BYOD) mobile laptops.** These personally-owned laptops are not domain-joined, but are managed by your organization through tools, such as Microsoft Intune. The employee is typically an admin on the device and uses a high-bandwidth wireless corporate network while at work and a comparable personal network while at home.
+- **Bring your own device (BYOD) mobile laptops**. These personally-owned laptops are not domain-joined, but are managed by your organization through tools, such as Microsoft Intune. The employee is typically an admin on the device and uses a high-bandwidth wireless corporate network while at work and a comparable personal network while at home.
 
-- **Personal devices.** These personally-owned desktops or mobile laptops are not domain-joined or managed by an organization. The user is an admin on the device and uses a high-bandwidth wireless personal network while at home or a comparable public network while outside.
+- **Personal devices**. These personally-owned desktops or mobile laptops are not domain-joined or managed by an organization. The user is an admin on the device and uses a high-bandwidth wireless personal network while at home or a comparable public network while outside.
 
 ## Related articles
 
 |Article |Description |
-|------|------------|
+|:------|:------------|
 |[System requirements for Microsoft Defender Application Guard](reqs-md-app-guard.md) |Specifies the prerequisites necessary to install and use Application Guard.|
 |[Prepare and install Microsoft Defender Application Guard](install-md-app-guard.md) |Provides instructions about determining which mode to use, either Standalone or Enterprise-managed, and how to install Application Guard in your organization.|
 |[Configure the Group Policy settings for Microsoft Defender Application Guard](configure-md-app-guard.md) |Provides info about the available Group Policy and MDM settings.|
 |[Testing scenarios using Microsoft Defender Application Guard in your business or organization](test-scenarios-md-app-guard.md)|Provides a list of suggested testing scenarios that you can use to test Application Guard in your organization.|
-| [Microsoft Defender Application Guard Extension for web browsers](md-app-guard-browser-extension.md) | Describes the Application Guard extension for Chrome and Firefox, including known issues, and a trouble-shooting guide |
+| [Microsoft Defender Application Guard Extension for web browsers](md-app-guard-browser-extension.md) | Describes the Application Guard extension for Chrome and Firefox, including known issues, and a troubleshooting guide |
+| [Microsoft Defender Application Guard for Microsoft Office](https://docs.microsoft.com/microsoft-365/security/office-365-security/install-app-guard) | Describes Application Guard for Microsoft Office, including minimum hardware requirements, configuration, and a troubleshooting guide |
 |[Frequently asked questions - Microsoft Defender Application Guard](faq-md-app-guard.md)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.|

windows/security/threat-protection/microsoft-defender-atp/android-intune.md

@@ -109,10 +109,9 @@ list in Microsoft Defender Security Center.
 Defender for Endpoint for Android supports Android Enterprise enrolled devices.
 
 For more information on the enrollment options supported by Intune, see 
-[Enrollment
-Options](https://docs.microsoft.com/mem/intune/enrollment/android-enroll) .
+[Enrollment Options](https://docs.microsoft.com/mem/intune/enrollment/android-enroll).
 
-Currently only Personal devices with Work Profile enrolled  are supported for deployment. 
+**Currently, Personally-owned devices with work profile and Corporate-owned fully managed user device enrollments are supported for deployment.**
 
 
 
@@ -244,6 +243,45 @@ the *Required* section \> **Add group,** selecting the user group and click
 above. Then select **Review + Save** and then **Save** again to commence
 assignment.
 
+### Auto Setup of Always-on VPN 
+Defender for Endpoint supports Device configuration policies for managed devices via Intune. This capability can be leveraged to **Auto setup of Always-on VPN** on Android Enterprise enrolled devices, so the end user does not need to setup VPN service while onboarding.
+1.	On **Devices** Page go to **Configuration Profiles** > **Create Profile** > **Platform** > **Android Enterprise**
+Select **Device restrictions** under one of the following, based on your device enrollment type 
+- **Fully Managed, Dedicated, and Corporate-Owned Work Profile**
+- **Personally-Owned Work Profile**
+
+Select **Create**.
+ 
+   > ![Image of devices configuration profile Create](images/1autosetupofvpn.png)
+    
+2. **Configuration Settings** 
+  Provide a **Name** and a **Description** to uniquely identify the configuration profile. 
+
+   > ![Image of devices configuration profile Name and Description](images/2autosetupofvpn.png)
+   
+ 3. Select **Connectivity** and configure VPN:
+- Enable **Always-on VPN** 
+Setup a VPN client in the work profile to automatically connect and reconnect to the VPN whenever possible. Only one VPN client can be configured for always-on VPN on a given device, so be sure to have no more than one always-on VPN policy deployed to a single device. 
+- Select **Custom** in VPN client dropdown list
+Custom VPN in this case is Defender for Endpoint VPN which is used to provide the Web Protection feature. 
+    > [!NOTE]
+    > Microsoft Defender ATP app must be installed on user’s device, in order to functioning of auto setup of this VPN.
+
+- Enter **Package ID** of the Microsoft Defender ATP app in Google Play store. For the Defender app URL https://play.google.com/store/apps/details?id=com.microsoft.scmx, Package ID is **com.microsoft.scmx**  
+- **Lockdown mode** Not configured (Default) 
+
+     ![Image of devices configuration profile enable Always-on VPN](images/3autosetupofvpn.png)
+   
+4. **Assignment** 
+In the **Assignments** page, select the user group to which this app config policy would be assigned to. Click **Select groups** to include and selecting the applicable group and then click **Next**. The group selected here is usually the same group to which you would assign Microsoft Defender for Endpoint Android app. 
+
+     ![Image of devices configuration profile Assignment](images/4autosetupofvpn.png)
+
+5. In the **Review + Create** page that comes up next, review all the information and then select **Create**. 
+The device configuration profile is now assigned to the selected user group.    
+
+    ![Image of devices configuration profile Review and Create](images/5autosetupofvpn.png)
+
 ## Complete onboarding and check status
 
 1. Confirm the installation status of Microsoft Defender for Endpoint for Android by
@@ -254,8 +292,7 @@ displayed here.
     > ![Image of device installation status](images/900c0197aa59f9b7abd762ab2b32e80c.png)
 
 
-2. On the device, you can confirm the same by going to the **work profile** and
-confirm that Defender for Endpoint is available.
+2. On the device, you can validate the onboarding status by going to the **work profile**. Confirm that Defender for Endpoint is available and that you are enrolled to the **Personally-owned devices with work profile**.  If you are enrolled to a **Corporate-owned, fully managed user device**, you will have a single profile on the device where you can confirm that Defender for Endpoint is available.
 
     ![Image of app in mobile device](images/c2e647fc8fa31c4f2349c76f2497bc0e.png)
 

windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md

@@ -14,10 +14,10 @@ ms.author: deniseb
 ms.reviewer: sugamar, jcedola
 manager: dansimp
 ms.custom: asr
-ms.date: 11/30/2020
+ms.date: 12/10/2020
 ---
 
-# Reduce attack surfaces with attack surface reduction rules
+# Use attack surface reduction rules to prevent malware infection
 
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 
@@ -26,17 +26,17 @@ ms.date: 11/30/2020
 
 * [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 
-## Overview
+## Why attack surface reduction rules are important
 
-Your attack surface includes all the places where an attacker could compromise your organization's devices or networks. Reducing your attack surface means protecting your organization's devices and network, which leaves attackers with fewer ways to perform attacks.
+Your organization's attack surface includes all the places where an attacker could compromise your organization's devices or networks. Reducing your attack surface means protecting your organization's devices and network, which leaves attackers with fewer ways to perform attacks. Configuring attack surface reduction rules in Microsoft Defender for Endpoint can help!
 
-Attack surface reduction rules target certain software behaviors that are often abused by attackers. Such behaviors include:
+Attack surface reduction rules target certain software behaviors, such as:
 
 - Launching executable files and scripts that attempt to download or run files;
 - Running obfuscated or otherwise suspicious scripts; and 
 - Performing behaviors that apps don't usually initiate during normal day-to-day work.
 
-Such software behaviors are sometimes seen in legitimate applications; however, these behaviors are often considered risky because they are commonly abused by malware. Attack surface reduction rules can constrain risky behaviors and help keep your organization safe.
+Such software behaviors are sometimes seen in legitimate applications; however, these behaviors are often considered risky because they are commonly abused by attackers through malware. Attack surface reduction rules can constrain risky behaviors and help keep your organization safe.
 
 For more information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
 
@@ -44,7 +44,7 @@ For more information about configuring attack surface reduction rules, see [Enab
 
 You can assess how an attack surface reduction rule might impact your network by opening the security recommendation for that rule in [threat and vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/#tvm). 
 
-:::image type="content" source="images/asrrecommendation.png" alt-text="Security recommendation for ASR rule":::
+:::image type="content" source="images/asrrecommendation.png" alt-text="Security reco for attack surface reduction rule":::
 
 In the recommendation details pane, check the user impact to determine what percentage of your devices can accept a new policy enabling the rule in blocking mode without adverse impact to user productivity.
 
@@ -52,9 +52,49 @@ In the recommendation details pane, check the user impact to determine what perc
 
 Use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks in ways that seem similar to malware. By monitoring audit data and [adding exclusions](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity.
 
-## Notifications when a rule is triggered
+## Warn mode for users
 
-Whenever a rule is triggered, a notification will be displayed on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays within the Microsoft Defender Security Center and the Microsoft 365 security center.
+(**NEW**!) Prior to warn mode capabilities, attack surface reduction rules that are enabled could be set to either audit mode or block mode. With the new warn mode, whenever content is blocked by an attack surface reduction rule, users see a dialog box that indicates the content is blocked. The dialog box also offers the user an option to unblock the content. The user can then retry their action, and the operation completes. When a user unblocks content, the content remains unblocked for 24 hours, and then blocking resumes.
+
+Warn mode helps your organization have attack surface reduction rules in place without preventing users from accessing the content they need to perform their tasks. 
+
+### Requirements for warn mode to work
+
+Warn mode is supported on devices running the following versions of Windows:
+- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) or later
+- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) or later
+
+In addition, make sure [Microsoft Defender Antivirus and antimalware updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus#monthly-platform-and-engine-versions) are installed   
+- Minimum platform release requirement: `4.18.2008.9`  
+- Minimum engine release requirement: `1.1.17400.5`
+
+For more information and to get your updates, see [Update for Microsoft Defender antimalware platform](https://support.microsoft.com/help/4052623/update-for-microsoft-defender-antimalware-platform).
+
+### Cases where warn mode is not supported
+
+Warn mode is not supported for the following attack surface reduction rules:
+
+- [Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) (GUID `d3e037e1-3eb8-44c8-a917-57927947596d`)
+- [Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) (GUID `e6db77e5-3df2-4cf1-b95a-636979351e5b`)
+- [Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) (GUID `c1db55ab-c21a-4637-bb3f-a12568109d35`)
+
+In addition, warn mode is not supported on devices running older versions of Windows. In those cases, attack surface reduction rules that are configured to run in warn mode will run in block mode.
+
+## Notifications and alerts
+
+Whenever an attack surface reduction rule is triggered, a notification is displayed on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information.
+
+In addition, when certain attack surface reduction rules are triggered, alerts are generated. 
+
+Notifications and any alerts that are generated can be viewed in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and in the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)).
+
+## Advanced hunting and attack surface reduction events
+
+You can use advanced hunting to view attack surface reduction events. To streamline the volume of incoming data, only unique processes for each hour are viewable with advanced hunting. The time of an attack surface reduction event is the first time that event is seen within the hour.
+
+For example, suppose that an attack surface reduction event occurs on ten devices during the 2:00 PM hour. Suppose that the first event occurred at 2:15, and the last at 2:45. With advanced hunting, you'll see one instance of that event (even though it actually occurred on ten devices), and its timestamp will be 2:15 PM. 
+
+For more information about advanced hunting, see [Proactively hunt for threats with advanced hunting](advanced-hunting-overview.md).
 
 ## Attack surface reduction features across Windows versions
 
@@ -93,7 +133,7 @@ You can review the Windows event log to view events generated by attack surface
 
 5. Select **OK**.
 
-This will create a custom view that filters events to only show the following, all of which are related to controlled folder access:
+You can create a custom view that filters events to only show the following events, all of which are related to controlled folder access:
 
 |Event ID | Description |
 |---|---|
@@ -105,25 +145,84 @@ The "engine version" listed for attack surface reduction events in the event log
 
 ## Attack surface reduction rules
 
-The following sections describe each of the 15 attack surface reduction rules. This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy or PowerShell. If you use Microsoft Endpoint Configuration Manager or Microsoft Intune, you do not need the GUIDs:
+The following table and subsections describe each of the 15 attack surface reduction rules. The attack surface reduction rules are listed in alphabetical order, by rule name. 
+
+If you are configuring attack surface reduction rules by using Group Policy or PowerShell, you'll need the GUIDs. On the other hand, if you use Microsoft Endpoint Configuration Manager or Microsoft Intune, you do not need the GUIDs.
+
 
 | Rule name | GUID | File & folder exclusions | Minimum OS supported |
-|-----|----|---|---|
-|[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail) | `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
+|:-----|:-----:|:-----|:-----|
+|[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
 |[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes) | `D4F940AB-401B-4EFC-AADC-AD5F3C50688A` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
+|[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
+|[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail) | `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
+|[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | `01443614-cd74-433a-b99e-2ecdc07bfc25` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
+|[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts) | `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
+|[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | `D3E037E1-3EB8-44C8-A917-57927947596D` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
 |[Block Office applications from creating executable content](#block-office-applications-from-creating-executable-content) | `3B576869-A4EC-4529-8536-B80A7769E899` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
 |[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes) | `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
-|[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | `D3E037E1-3EB8-44C8-A917-57927947596D` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
-|[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts) | `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
-|[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
-|[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | `01443614-cd74-433a-b99e-2ecdc07bfc25` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
-|[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | `c1db55ab-c21a-4637-bb3f-a12568109d35` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
-|[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
+|[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) |`26190899-1602-49e8-8b27-eb1d0a1ce869` |Supported |[Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater  |
+|[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) | `e6db77e5-3df2-4cf1-b95a-636979351e5b` | Not supported | [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) (build 18362) or greater |
 |[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | `d1e49aac-8f56-4280-b9ba-993a6d77406c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
 |[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
-|[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) | `26190899-1602-49e8-8b27-eb1d0a1ce869` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
-|[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
-|[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) | `e6db77e5-3df2-4cf1-b95a-636979351e5b` | Not supported | [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) (build 18362) or greater |
+|[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
+|[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | `c1db55ab-c21a-4637-bb3f-a12568109d35` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
+
+### Block Adobe Reader from creating child processes
+
+This rule prevents attacks by blocking Adobe Reader from creating additional processes.
+
+Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. By blocking child processes from being generated by Adobe Reader, malware attempting to use it as a vector are prevented from spreading.
+
+This rule was introduced in: 
+- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809)
+- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
+
+Intune name: `Process creation from Adobe Reader (beta)`
+
+Configuration Manager name: Not yet available
+
+GUID: `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c`
+
+### Block all Office applications from creating child processes
+
+This rule blocks Office apps from creating child processes. Office apps include Word, Excel, PowerPoint, OneNote, and Access.
+
+Creating malicious child processes is a common malware strategy. Malware that abuse Office as a vector often run VBA macros and exploit code to download and attempt to run additional payloads. However, some legitimate line-of-business applications might also generate child processes for benign purposes, such as spawning a command prompt or using PowerShell to configure registry settings.
+
+This rule was introduced in: 
+- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
+- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
+- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
+
+Intune name: `Office apps launching child processes`
+
+Configuration Manager name: `Block Office application from creating child processes`
+
+GUID: `D4F940AB-401B-4EFC-AADC-AD5F3C50688A`
+
+### Block credential stealing from the Windows local security authority subsystem
+
+This rule helps prevent credential stealing, by locking down Local Security Authority Subsystem Service (LSASS).
+
+LSASS authenticates users who sign in on a Windows computer. Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use hack tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS.
+
+> [!NOTE]
+> In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that simply enumerates LSASS, but has no real impact in functionality, there is NO need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat.
+
+This rule was introduced in:
+- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
+- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
+- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
+
+Intune name: `Flag credential stealing from the Windows local security authority subsystem`
+
+Configuration Manager name: `Block credential stealing from the Windows local security authority subsystem`
+
+GUID: `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2`
 
 ### Block executable content from email client and webmail
 
@@ -138,17 +237,42 @@ This rule was introduced in:
 - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
 - [Microsoft Endpoint Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
 
-Intune name: Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions)
+Intune name: `Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions)`
 
-Microsoft Endpoint Configuration Manager name: Block executable content from email client and webmail
+Microsoft Endpoint Configuration Manager name: `Block executable content from email client and webmail`
 
 GUID: `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550`
 
-### Block all Office applications from creating child processes
+### Block executable files from running unless they meet a prevalence, age, or trusted list criterion
 
-This rule blocks Office apps from creating child processes. This includes Word, Excel, PowerPoint, OneNote, and Access.
+This rule blocks the following file types from launching unless they meet prevalence or age criteria, or they're in a trusted list or an exclusion list:
 
-Creating malicious child processes is a common malware strategy. Malware that abuse Office as a vector often run VBA macros and exploit code to download and attempt to run additional payloads. However, some legitimate line-of-business applications might also generate child processes for benign purposes, such as spawning a command prompt or using PowerShell to configure registry settings.
+- Executable files (such as .exe, .dll, or .scr)
+
+Launching untrusted or unknown executable files can be risky, as it may not be initially clear if the files are malicious.
+
+> [!IMPORTANT]
+> You must [enable cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) to use this rule. <br/><br/> The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID `01443614-cd74-433a-b99e-2ecdc07bfc25` is owned by Microsoft and is not specified by admins. This rule uses cloud-delivered protection to update its trusted list regularly.
+>
+>You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to.
+
+This rule was introduced in: 
+- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
+- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
+- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
+
+Intune name: `Executables that don't meet a prevalence, age, or trusted list criteria`
+
+Configuration Manager name: `Block executable files from running unless they meet a prevalence, age, or trusted list criteria`
+
+GUID: `01443614-cd74-433a-b99e-2ecdc07bfc25`
+
+### Block execution of potentially obfuscated scripts
+
+This rule detects suspicious properties within an obfuscated script.
+
+Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. Malware authors also use obfuscation to make malicious code harder to read, which prevents close scrutiny by humans and security software.
 
 This rule was introduced in:
 - [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
@@ -156,11 +280,29 @@ This rule was introduced in:
 - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
 - [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
 
-Intune name: Office apps launching child processes
+Intune name: `Obfuscated js/vbs/ps/macro code`
 
-Configuration Manager name: Block Office application from creating child processes
+Configuration Manager name: `Block execution of potentially obfuscated scripts`
 
-GUID: `D4F940AB-401B-4EFC-AADC-AD5F3C50688A`
+GUID: `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC`
+
+### Block JavaScript or VBScript from launching downloaded executable content
+
+This rule prevents scripts from launching potentially malicious downloaded content. Malware written in JavaScript or VBScript often acts as a downloader to fetch and launch other malware from the Internet.
+
+Although not common, line-of-business applications sometimes use scripts to download and launch installers.
+
+This rule was introduced in:  
+- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
+- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
+- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
+
+Intune name: `js/vbs executing payload downloaded from Internet (no exceptions)`
+
+Configuration Manager name: `Block JavaScript or VBScript from launching downloaded executable content`
+
+GUID: `D3E037E1-3EB8-44C8-A917-57927947596D`
 
 ### Block Office applications from creating executable content
 
@@ -174,9 +316,9 @@ This rule was introduced in:
 - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
 - [System Center Configuration Manager](https://docs.microsoft.com/configmgr/core/servers/manage/updates) (SCCM) CB 1710 (SCCM is now Microsoft Endpoint Configuration Manager)
 
-Intune name: Office apps/macros creating executable content
+Intune name: `Office apps/macros creating executable content`
 
-SCCM name: Block Office applications from creating executable content
+SCCM name: `Block Office applications from creating executable content`
 
 GUID: `3B576869-A4EC-4529-8536-B80A7769E899`
 
@@ -196,130 +338,50 @@ This rule was introduced in:
 - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
 - [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
 
-Intune name: Office apps injecting code into other processes (no exceptions)
+Intune name: `Office apps injecting code into other processes (no exceptions)`
 
-Configuration Manager name: Block Office applications from injecting code into other processes
+Configuration Manager name: `Block Office applications from injecting code into other processes`
 
 GUID: `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84`
 
-### Block JavaScript or VBScript from launching downloaded executable content
+### Block Office communication application from creating child processes
 
-This rule prevents scripts from launching potentially malicious downloaded content. Malware written in JavaScript or VBScript often acts as a downloader to fetch and launch other malware from the Internet.
+This rule prevents Outlook from creating child processes, while still allowing legitimate Outlook functions.
 
-Although not common, line-of-business applications sometimes use scripts to download and launch installers.
+This rule protects against social engineering attacks and prevents exploit code from abusing vulnerabilities in Outlook. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised.
+
+> [!NOTE]
+> This rule applies to Outlook and Outlook.com only.
 
 This rule was introduced in: 
-- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
+- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809)
 - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
 - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
-- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
 
-Intune name: js/vbs executing payload downloaded from Internet (no exceptions)
+Intune name: `Process creation from Office communication products (beta)`
 
-Configuration Manager name: Block JavaScript or VBScript from launching downloaded executable content
+Configuration Manager name: Not available
 
-GUID: `D3E037E1-3EB8-44C8-A917-57927947596D`
+GUID: `26190899-1602-49e8-8b27-eb1d0a1ce869`
 
-### Block execution of potentially obfuscated scripts
+### Block persistence through WMI event subscription
 
-This rule detects suspicious properties within an obfuscated script.
-
-Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. Malware authors also use obfuscation to make malicious code harder to read, which prevents close scrutiny by humans and security software.
-
-This rule was introduced in:
-- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
-- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
-- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
-
-Intune name: Obfuscated js/vbs/ps/macro code
-
-Configuration Manager name: Block execution of potentially obfuscated scripts.
-
-GUID: `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC`
-
-### Block Win32 API calls from Office macros
-
-This rule prevents VBA macros from calling Win32 APIs.
-
-Office VBA provides the ability to make Win32 API calls. Malware can abuse this capability, such as [calling Win32 APIs to launch malicious shellcode](https://www.microsoft.com/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/) without writing anything directly to disk. Most organizations don't rely on the ability to call Win32 APIs in their day-to-day functioning, even if they use macros in other ways.
-
-This rule was introduced in:
-- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
-- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
-- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
-
-Intune name: Win32 imports from Office macro code
-
-Configuration Manager name: Block Win32 API calls from Office macros
-
-GUID: `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B`
-
-### Block executable files from running unless they meet a prevalence, age, or trusted list criterion
-
-This rule blocks the following file types from launching unless they meet prevalence or age criteria, or they're in a trusted list or an exclusion list:
-
-- Executable files (such as .exe, .dll, or .scr)
-
-Launching untrusted or unknown executable files can be risky, as it may not be initially clear if the files are malicious.
+This rule prevents malware from abusing WMI to attain persistence on a device.
 
 > [!IMPORTANT]
-> You must [enable cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) to use this rule. <br/><br/> The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly.
->
->You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to.
+> File and folder exclusions don't apply to this attack surface reduction rule.
+
+Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden.
 
 This rule was introduced in: 
-- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
-- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
-- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
+- [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903)
+- [Windows Server 1903](https://docs.microsoft.com/windows-server/get-started-19/whats-new-in-windows-server-1903-1909)
 
-Intune name: Executables that don't meet a prevalence, age, or trusted list criteria.
+Intune name: Not available
 
-Configuration Manager name: Block executable files from running unless they meet a prevalence, age, or trusted list criteria
+Configuration Manager name: Not available
 
-GUID: `01443614-cd74-433a-b99e-2ecdc07bfc25`
-
-### Use advanced protection against ransomware
-
-This rule provides an extra layer of protection against ransomware. It scans executable files entering the system to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from running, unless they're in a trusted list or an exclusion list.
-
-> [!NOTE]
-> You must [enable cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) to use this rule.
-
-This rule was introduced in: 
-- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
-- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
-- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
-
-Intune name: Advanced ransomware protection
-
-Configuration Manager name: Use advanced protection against ransomware
-
-GUID: `c1db55ab-c21a-4637-bb3f-a12568109d35`
-
-### Block credential stealing from the Windows local security authority subsystem
-
-This rule helps prevent credential stealing, by locking down Local Security Authority Subsystem Service (LSASS).
-
-LSASS authenticates users who log in to a Windows computer. Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use hack tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS.
-
-> [!NOTE]
-> In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that simply enumerates LSASS, but has no real impact in functionality, there is NO need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat.
-
-This rule was introduced in:
-- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
-- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
-- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
-
-Intune name: Flag credential stealing from the Windows local security authority subsystem
-
-Configuration Manager name: Block credential stealing from the Windows local security authority subsystem
-
-GUID: `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2`
+GUID: `e6db77e5-3df2-4cf1-b95a-636979351e5b`
 
 ### Block process creations originating from PSExec and WMI commands
 
@@ -333,7 +395,7 @@ This rule was introduced in:
 - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
 - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
 
-Intune name: Process creation from PSExec and WMI commands
+Intune name: `Process creation from PSExec and WMI commands`
 
 Configuration Manager name: Not applicable
 
@@ -349,69 +411,50 @@ This rule was introduced in:
 - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
 - [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
 
-Intune name: Untrusted and unsigned processes that run from USB
+Intune name: `Untrusted and unsigned processes that run from USB`
 
-Configuration Manager name: Block untrusted and unsigned processes that run from USB
+Configuration Manager name: `Block untrusted and unsigned processes that run from USB`
 
 GUID: `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4`
 
-### Block Office communication application from creating child processes
+### Block Win32 API calls from Office macros
 
-This rule prevents Outlook from creating child processes, while still allowing legitimate Outlook functions.
+This rule prevents VBA macros from calling Win32 APIs.
 
-This protects against social engineering attacks and prevents exploit code from abusing vulnerabilities in Outlook. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised.
+Office VBA provides the ability to make Win32 API calls. Malware can abuse this capability, such as [calling Win32 APIs to launch malicious shellcode](https://www.microsoft.com/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/) without writing anything directly to disk. Most organizations don't rely on the ability to call Win32 APIs in their day-to-day functioning, even if they use macros in other ways.
+
+This rule was introduced in:
+- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
+- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
+- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
+
+Intune name: `Win32 imports from Office macro code`
+
+Configuration Manager name: `Block Win32 API calls from Office macros`
+
+GUID: `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B`
+
+### Use advanced protection against ransomware
+
+This rule provides an extra layer of protection against ransomware. It scans executable files entering the system to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from running, unless they're in a trusted list or an exclusion list.
 
 > [!NOTE]
-> This rule applies to Outlook and Outlook.com only.
+> You must [enable cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) to use this rule.
 
 This rule was introduced in: 
-- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809)
+- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
 - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
 - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
+- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
 
-Intune name: Process creation from Office communication products (beta)
+Intune name: `Advanced ransomware protection`
 
-Configuration Manager name: Not yet available
+Configuration Manager name: `Use advanced protection against ransomware`
 
-GUID: `26190899-1602-49e8-8b27-eb1d0a1ce869`
+GUID: `c1db55ab-c21a-4637-bb3f-a12568109d35`
 
-### Block Adobe Reader from creating child processes
-
-This rule prevents attacks by blocking Adobe Reader from creating additional processes.
-
-Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. By blocking child processes from being generated by Adobe Reader, malware attempting to use it as a vector are prevented from spreading.
-
-This rule was introduced in: 
-- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809)
-- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
-
-Intune name: Process creation from Adobe Reader (beta)
-
-Configuration Manager name: Not yet available
-
-GUID: `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c`
-
-### Block persistence through WMI event subscription
-
-This rule prevents malware from abusing WMI to attain persistence on a device.
-
-> [!IMPORTANT]
-> File and folder exclusions don't apply to this attack surface reduction rule.
-
-Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden.
-
-This rule was introduced in: 
-- [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903)
-- [Windows Server 1903](https://docs.microsoft.com/windows-server/get-started-19/whats-new-in-windows-server-1903-1909)
-
-Intune name: Not yet available
-
-Configuration Manager name: Not yet available
-
-GUID: `e6db77e5-3df2-4cf1-b95a-636979351e5b`
-
-## Related topics
+## See also
 
 - [Attack surface reduction FAQ](attack-surface-reduction-faq.md)
 

windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md

@@ -11,7 +11,7 @@ ms.sitesec: library
 ms.pagetype: security
 ms.author: deniseb
 author: denisebmsft
-ms.date: 10/21/2020
+ms.date: 12/07/2020
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
@@ -32,34 +32,32 @@ ms.custom: AIR
 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806)
 
 
-Your security operations team receives an alert whenever a malicious or suspicious artifact is detected by Microsoft Defender for Endpoint. Security operations teams face challenges in addressing the multitude of alerts that arise from the seemingly never-ending flow of threats. Microsoft Defender for Endpoint includes automated investigation and remediation capabilities that can help your security operations team address threats more efficiently and effectively. 
-
-Watch the following video to see how automated investigation and remediation works:
+Your security operations team receives an alert whenever a malicious or suspicious artifact is detected by Microsoft Defender for Endpoint. Security operations teams face challenges in addressing the multitude of alerts that arise from the seemingly never-ending flow of threats. Microsoft Defender for Endpoint includes automated investigation and remediation (AIR) capabilities that can help your security operations team address threats more efficiently and effectively. Want to see how it works? Watch the following video:
 
 > [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4bOeh]
 
-Automated investigation uses various inspection algorithms and processes used by analysts to examine alerts and take immediate action to resolve breaches. These capabilities significantly reduce alert volume, allowing security operations to focus on more sophisticated threats and other high-value initiatives. The [Action center](auto-investigation-action-center.md) keeps track of all the investigations that were initiated automatically, along with details, such as investigation status, detection source, and any pending or completed actions.
+The technology in automated investigation uses various inspection algorithms and is based on processes that are used by security analysts. AIR capabilities are designed to examine alerts and take immediate action to resolve breaches. AIR capabilities significantly reduce alert volume, allowing security operations to focus on more sophisticated threats and other high-value initiatives. The [Action center](auto-investigation-action-center.md) keeps track of all the investigations that were initiated automatically, along with details, such as investigation status, detection source, and any pending or completed actions.
 
 > [!TIP]
 > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink).
 
 ## How the automated investigation starts
 
-When an alert is triggered, a security playbook goes into effect. Depending on the security playbook, an automated investigation can start. For example, suppose a malicious file resides on a device. When that file is detected, an alert is triggered, and the automated investigation process begins. Microsoft Defender for Endpoint checks to see if the malicious file is present on any other devices in the organization. Details from the investigation, including verdicts (*Malicious*, *Suspicious*, and *No threats found*) are available during and after the automated investigation.
+When an alert is triggered, a security playbook goes into effect. Depending on the security playbook, an automated investigation can start. For example, suppose a malicious file resides on a device. When that file is detected, an alert is triggered, and the automated investigation process begins. Microsoft Defender for Endpoint checks to see if the malicious file is present on any other devices in the organization. Details from the investigation, including verdicts (*Malicious*, *Suspicious*, and *No threats found*) are available during and after the automated investigation. To learn more about what happens after a verdict is reached, see [Automated investigation results and remediation actions](manage-auto-investigation.md#automated-investigation-results-and-remediation-actions). 
 
 >[!NOTE]
->Currently, automated investigation only supports the following OS versions:
+>Currently, AIR only supports the following OS versions:
 >- Windows Server 2019
 >- Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441)) or later
 >- Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464/windows-10-update-kb4493464)) or later
->- Later versions of Windows 10
+>- Windows 10, version [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019) or later
 
 ## Details of an automated investigation
 
 During and after an automated investigation, you can view details about the investigation. Select a triggering alert to view the investigation details. From there, you can go to the **Investigation graph**, **Alerts**, **Devices**, **Evidence**, **Entities**, and **Log** tabs.
 
 |Tab |Description |
-|--|--|
+|:--|:--|
 |**Alerts**| The alert(s) that started the investigation.|
 |**Devices** |The device(s) where the threat was seen.|
 |**Evidence** |The entities that were found to be malicious during an investigation.|
@@ -82,20 +80,18 @@ As alerts are triggered, and an automated investigation runs, a verdict is gener
 
 As verdicts are reached, automated investigations can result in one or more remediation actions. Examples of remediation actions include sending a file to quarantine, stopping a service, removing a scheduled task, and more. (See [Remediation actions](manage-auto-investigation.md#remediation-actions).)  
 
-Depending on the [level of automation](automation-levels.md) set for your organization, remediation actions can occur automatically or only upon approval by your security operations team. 
+Depending on the [level of automation](automation-levels.md) set for your organization, as well as other security settings, remediation actions can occur automatically or only upon approval by your security operations team. Additional security settings that can affect automatic remediation include [protection from potentially unwanted applications](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) (PUA). 
 
-All remediation actions, whether pending or completed, can be viewed in Action Center. If necessary, your security operations team can undo a remediation action. (See [Review and approve remediation actions following an automated investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation).)
+All remediation actions, whether pending or completed, can be viewed in the [Action Center](auto-investigation-action-center.md) ([https://securitycenter.windows.com](https://securitycenter.windows.com)). If necessary, your security operations team can undo a remediation action. (See [Review and approve remediation actions following an automated investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation).)
 
 ## Next steps
 
 - [Get an overview of the automated investigations dashboard](manage-auto-investigation.md)
-
 - [Learn more about automation levels](automation-levels.md)
-
 - [See the interactive guide: Investigate and remediate threats with Microsoft Defender for Endpoint](https://aka.ms/MDATP-IR-Interactive-Guide)
 
 ## See also
 
+- [PUA protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus)
 - [Automated investigation and response in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-air)
-
 - [Automated investigation and response in Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-autoir)

windows/security/threat-protection/microsoft-defender-atp/common-errors.md

@@ -46,6 +46,7 @@ DisallowedOperation | Forbidden (403) | {the disallowed operation and the reason
 NotFound | Not Found (404) | General Not Found error message.
 ResourceNotFound | Not Found (404) | Resource {the requested resource} was not found.
 InternalServerError | Internal Server Error (500) | (No error message, try retry the operation or contact us if it does not resolved)
+TooManyRequests | Too Many Requests (429) | Response will represent reaching quota limit either by number of requests or by CPU.
 
 ## Body parameters are case-sensitive
 

windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md

@@ -50,6 +50,11 @@ Starting in Configuration Manager version 2002, you can onboard the following op
 - Windows Server 2016, version 1803 or later
 - Windows Server 2019
 
+>[!NOTE]
+>For more information on how to onboard Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019, see, [Onboard Windows servers](configure-server-endpoints.md).
+
+
+
 ### Onboard devices using System Center Configuration Manager
 
 

windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md

@@ -11,7 +11,7 @@ ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
 audience: ITPro
-ms.date: 11/05/2020
+ms.date: 12/10/2020
 ms.reviewer: v-maave
 manager: dansimp
 ms.custom: asr
@@ -28,7 +28,7 @@ ms.custom: asr
 
 ## What is controlled folder access?
 
-Controlled folder access helps you protect your valuable data from malicious apps and threats, like ransomware. Controlled folder access protects your data by checking apps against a list of known, trusted apps. Supported on Windows Server 2019 and Windows 10 clients, controlled folder access can be turned on using the Windows Security App or in Microsoft Endpoint Configuration Manager and Intune (for managed devices). 
+Controlled folder access helps protect your valuable data from malicious apps and threats, such as ransomware. Controlled folder access protects your data by checking apps against a list of known, trusted apps. Supported on Windows Server 2019 and Windows 10 clients, controlled folder access can be turned on using the Windows Security App, Microsoft Endpoint Configuration Manager, or Intune (for managed devices). 
 
 Controlled folder access works best with [Microsoft Defender for Endpoint](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
 
@@ -36,19 +36,41 @@ Controlled folder access works best with [Microsoft Defender for Endpoint](../mi
 
 Controlled folder access works by only allowing trusted apps to access protected folders. Protected folders are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, and so on, are included in the list of controlled folders. 
 
-Controlled folder access works with a list of trusted software. If an app is included in the list of trusted software, the app works as expected. If not, the app is blocked from making any changes to files that are inside protected folders. Apps are added to the trusted list based upon their prevalence and reputation. Apps that are highly prevalent throughout your organization, and that have never displayed any malicious behavior, are deemed trustworthy and automatically added to the list.
+Controlled folder access works with a list of trusted apps. If an app is included in the list of trusted software, it works as expected. If not, the app is prevented from making any changes to files that are inside protected folders. 
 
-Apps can also be manually added to the trusted list via Configuration Manager and Intune. Additional actions, such as [adding a file indicator](../microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) for the app, can be performed from the Security Center Console.
+Apps are added to the list based upon their prevalence and reputation. Apps that are highly prevalent throughout your organization and that have never displayed any behavior deemed malicious are considered trustworthy. Those apps are added to the list automatically.
+
+Apps can also be added manually to the trusted list  by using Configuration Manager or Intune. Additional actions, such as [adding a file indicator](../microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) for an app, can be performed from the Security Center Console.
+
+## Why controlled folder access is important
 
 Controlled folder access is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware). In a ransomware attack, your files can get encrypted and held hostage. With controlled folder access in place, a notification appears on the computer where an app attempted to make changes to a file in a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
 
-The protected folders include common system folders (including boot sectors), and you can [add additional folders](customize-controlled-folders.md#protect-additional-folders). You can also [allow apps](customize-controlled-folders.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders.
+The [protected folders](#review-controlled-folder-access-events-in-windows-event-viewer) include common system folders (including boot sectors), and you can [add additional folders](customize-controlled-folders.md#protect-additional-folders). You can also [allow apps](customize-controlled-folders.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders.
 
 You can use [audit mode](audit-windows-defender.md) to evaluate how controlled folder access would impact your organization if it were enabled. You can also visit the Windows Defender Test ground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
 
-Controlled folder access is supported on Windows 10, version 1709 and later and Windows Server 2019.
+Controlled folder access is supported on the following versions of Windows:
+- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) and later
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
 
-## Requirements
+## Windows system folders are protected by default
+
+Windows system folders are protected by default, along with several other folders: 
+
+- `c:\Users\<username>\Documents`
+- `c:\Users\Public\Documents`
+- `c:\Users\<username>\Pictures`
+- `c:\Users\Public\Pictures`
+- `c:\Users\Public\Videos`
+- `c:\Users\<username>\Music`
+- `c:\Users\Public\Music`
+- `c:\Users\<username>\Favorites`
+
+> [!NOTE]
+> You can configure additional folders as protected, but you cannot remove the Windows system folders that are protected by default.
+
+## Requirements for controlled folder access
 
 Controlled folder access requires enabling [Microsoft Defender Antivirus real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md).
 
@@ -56,7 +78,7 @@ Controlled folder access requires enabling [Microsoft Defender Antivirus real-ti
 
 Defender for Endpoint provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
 
-You can query Microsoft Defender for Endpoint data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use advanced hunting to see how controlled folder access settings would affect your environment if they were enabled.
+You can query Microsoft Defender for Endpoint data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use [advanced hunting](advanced-hunting-overview.md) to see how controlled folder access settings would affect your environment if they were enabled.
 
 Example query:
 
@@ -77,19 +99,19 @@ You can review the Windows event log to see events that are created when control
 
 4. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views.md).
 
-5. Click **OK**.
+5. Select **OK**.
 
-After following the procedure, you have created a custom view that shows events related to controlled folder access, as listed in the following table:
+The following table shows events related to controlled folder access:
 
 |Event ID | Description |
-|---|---|
+|:---|:---|
 |5007 | Event when settings are changed |
 |1124 | Audited controlled folder access event | 
 |1123 | Blocked controlled folder access event |
 
 ## View or change the list of protected folders
 
-### Windows 10 security app
+You can use the Windows Security app to view the list of folders that are protected by controlled folder access. 
 
 1. On your Windows 10 device, open the Windows Security app.
 
@@ -105,10 +127,11 @@ After following the procedure, you have created a custom view that shows events
    
    - To remove a folder, select it, and then select **Remove**. 
 
+> [!NOTE]
+> [Windows system folders](#windows-system-folders-are-protected-by-default) are protected by default, and you cannot remove them from the list.
+
 ## See also
 
-- [Evaluate controlled folder access](evaluate-controlled-folder-access.md). Use a dedicated demo tool to see how controlled folder access works, and what events would typically be created.
-
-- [Enable controlled folder access](enable-controlled-folders.md). Use Group Policy, PowerShell, or mobile device management CSPs to enable and manage controlled folder access in your network
-
-- [Customize controlled folder access](customize-controlled-folders.md). Add additional protected folders, and allow specified apps to access protected folders.
+- [Evaluate controlled folder access](evaluate-controlled-folder-access.md)
+- [Customize controlled folder access](customize-controlled-folders.md)
+- [Protect additional folders](customize-controlled-folders.md#protect-additional-folders)

windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md

@@ -37,7 +37,11 @@ This article describes how to customize the following settings of the controlled
 
 ## Protect additional folders
 
-Controlled folder access applies to a number of system folders and default locations, such as Documents, Pictures, Movies, and Desktop. You can add additional folders to be protected, but you can't remove the default folders in the default list.
+
+Controlled folder access applies to a number of system folders and default locations, including folders such as Documents, Pictures, and Movies.
+
+You can add additional folders to be protected, but you cannot remove the default folders in the default list.
+
 
 Adding other folders to controlled folder access can be useful. Some use-cases include if you don't store files in the default Windows libraries, or you've changed the location of the libraries away from the defaults.
 
@@ -49,11 +53,17 @@ You can use the Windows Security app or Group Policy to add and remove additiona
 
 1. Open the Windows Security app by selecting the shield icon in the task bar or searching the start menu for **Defender**.
 
-2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then select **Ransomware protection**.
 
-3. Under the **Controlled folder access** section, select **Protected folders**.
+2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then scroll down to the **Ransomware protection** section.
+
+3. Click the **Manage ransomware protection** link to open the **Ransomware protection** pane.
+
+4. Under the **Controlled folder access** section, click the **Protected folders** link.
+
+5. Click **Yes** on the **User Access Control** prompt. The **Protected folders** pane displays.
+
+4. Click **Add a protected folder** and follow the prompts to add folders.
 
-4. Select **Add a protected folder** and follow the prompts to add apps.
 
 ### Use Group Policy to protect additional folders
 

windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md

@@ -46,40 +46,40 @@ The **Use default** configuration for each of the mitigation settings indicates
 
 For the associated PowerShell cmdlets for each mitigation, see the [PowerShell reference table](#cmdlets-table) at the bottom of this article.
 
-Mitigation | Description | Can be applied to | Audit mode available
--|-|-|-
-Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)]
-Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level  | [!include[Check mark no](../images/svg/check-no.svg)]
-Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level  | [!include[Check mark no](../images/svg/check-no.svg)]
-Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations. It includes system structure heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)]
-Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level  | [!include[Check mark no](../images/svg/check-no.svg)]
-Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level  | [!include[Check mark no](../images/svg/check-no.svg)]
-Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
-Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
-Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
-Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
-Code integrity guard | Restricts loading of images signed by Microsoft, WHQL, or higher. Can optionally allow Microsoft Store signed images. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
-Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
-Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
-Don't allow child processes | Prevents an app from creating child processes. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
-Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
-Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
-Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
-Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
-Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
-Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
-Validate stack integrity (StackPivot) | Ensures that the stack hasn't been redirected for sensitive APIs. Not compatible with ACG | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
+| Mitigation | Description | Can be applied to | Audit mode available |
+| ---------- | ----------- | ----------------- | -------------------- |
+| Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] |
+| Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level  | [!include[Check mark no](../images/svg/check-no.svg)] |
+| Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level  | [!include[Check mark no](../images/svg/check-no.svg)] |
+| Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations. It includes system structure heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] |
+| Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level  | [!include[Check mark no](../images/svg/check-no.svg)] |
+| Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level  | [!include[Check mark no](../images/svg/check-no.svg)] |
+| Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] |
+| Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] |
+| Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] |
+| Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] |
+| Code integrity guard | Restricts loading of images signed by Microsoft, WHQL, or higher. Can optionally allow Microsoft Store signed images. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] |
+| Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] |
+| Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] |
+| Don't allow child processes | Prevents an app from creating child processes. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] |
+| Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] |
+| Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] |
+| Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] |
+| Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] |
+| Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] |
+| Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] |
+| Validate stack integrity (StackPivot) | Ensures that the stack hasn't been redirected for sensitive APIs. Not compatible with ACG | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] |
 
 > [!IMPORTANT]
 > If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work:
 >
 >
-> Enabled in **Program settings** | Enabled in **System settings** | Behavior
-> -|-|-
-> [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] | As defined in **Program settings**
-> [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **Program settings**
-> [!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **System settings**
-> [!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | Default as defined in **Use default** option
+> | Enabled in **Program settings** | Enabled in **System settings** | Behavior |
+> | ------------------------------- | ------------------------------ | -------- |
+> | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] | As defined in **Program settings** |
+> | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **Program settings** |
+> | [!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **System settings** |
+> | [!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | Default as defined in **Use default** option |
 >
 >
 >
@@ -218,29 +218,29 @@ This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that
 
 <a id="cmdlets-table"></a>
 
-Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet
-- | - | - | -
-Control flow guard (CFG) | System and app-level |   CFG,   StrictCFG,   SuppressExports  | Audit not available
-Data Execution Prevention (DEP) | System and app-level |   DEP,   EmulateAtlThunks  | Audit not available
-Force randomization for images (Mandatory ASLR) | System and app-level |   ForceRelocateImages  | Audit not available
-Randomize memory allocations (Bottom-Up ASLR) | System and app-level |   BottomUp,   HighEntropy  | Audit not available
-Validate exception chains (SEHOP) | System and app-level |   SEHOP,   SEHOPTelemetry  | Audit not available
-Validate heap integrity | System and app-level |   TerminateOnError  | Audit not available
-Arbitrary code guard (ACG) | App-level only |   DynamicCode  |   AuditDynamicCode
-Block low integrity images | App-level only |   BlockLowLabel  |   AuditImageLoad
-Block remote images | App-level only |   BlockRemoteImages  | Audit not available
-Block untrusted fonts | App-level only |   DisableNonSystemFonts  |   AuditFont,   FontAuditOnly
-Code integrity guard | App-level only |   BlockNonMicrosoftSigned,   AllowStoreSigned  |   AuditMicrosoftSigned,   AuditStoreSigned
-Disable extension points | App-level only |   ExtensionPoint  | Audit not available
-Disable Win32k system calls | App-level only |   DisableWin32kSystemCalls  |   AuditSystemCall
-Do not allow child processes | App-level only |   DisallowChildProcessCreation  |   AuditChildProcess
-Export address filtering (EAF) | App-level only |   EnableExportAddressFilterPlus,   EnableExportAddressFilter  <a href="#r1" id="t1">\[1\]</a> | Audit not available
-Import address filtering (IAF) | App-level only |   EnableImportAddressFilter  | Audit not available
-Simulate execution (SimExec) | App-level only |   EnableRopSimExec  | Audit not available
-Validate API invocation (CallerCheck) | App-level only |   EnableRopCallerCheck  | Audit not available
-Validate handle usage | App-level only |   StrictHandle  | Audit not available
-Validate image dependency integrity | App-level only |   EnforceModuleDepencySigning  | Audit not available
-Validate stack integrity (StackPivot) | App-level only |   EnableRopStackPivot  | Audit not available
+| Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet |
+| ---------- | ---------- | ------------------ | ----------------- |
+| Control flow guard (CFG) | System and app-level |   CFG,   StrictCFG,   SuppressExports  | Audit not available |
+| Data Execution Prevention (DEP) | System and app-level |   DEP,   EmulateAtlThunks  | Audit not available |
+| Force randomization for images (Mandatory ASLR) | System and app-level |   ForceRelocateImages  | Audit not available |
+| Randomize memory allocations (Bottom-Up ASLR) | System and app-level |   BottomUp,   HighEntropy  | Audit not available |
+| Validate exception chains (SEHOP) | System and app-level |   SEHOP,   SEHOPTelemetry  | Audit not available |
+| Validate heap integrity | System and app-level |   TerminateOnError  | Audit not available |
+| Arbitrary code guard (ACG) | App-level only |   DynamicCode  |   AuditDynamicCode |
+| Block low integrity images | App-level only |   BlockLowLabel  |   AuditImageLoad |
+| Block remote images | App-level only |   BlockRemoteImages  | Audit not available |
+| Block untrusted fonts | App-level only |   DisableNonSystemFonts  |   AuditFont,   FontAuditOnly |
+| Code integrity guard | App-level only |   BlockNonMicrosoftSigned,   AllowStoreSigned  |   AuditMicrosoftSigned,   AuditStoreSigned |
+| Disable extension points | App-level only |   ExtensionPoint  | Audit not available |
+| Disable Win32k system calls | App-level only |   DisableWin32kSystemCalls  |   AuditSystemCall |
+| Do not allow child processes | App-level only |   DisallowChildProcessCreation  |   AuditChildProcess |
+| Export address filtering (EAF) | App-level only |   EnableExportAddressFilterPlus,   EnableExportAddressFilter  <a href="#r1" id="t1">\[1\]</a> | Audit not available<a href="#r2" id="t2">\[2\]</a> |
+| Import address filtering (IAF) | App-level only |   EnableImportAddressFilter  | Audit not available<a href="#r2" id="t2">\[2\]</a> |
+| Simulate execution (SimExec) | App-level only |   EnableRopSimExec  | Audit not available<a href="#r2" id="t2">\[2\]</a> |
+| Validate API invocation (CallerCheck) | App-level only |   EnableRopCallerCheck  | Audit not available<a href="#r2" id="t2">\[2\]</a> |
+| Validate handle usage | App-level only |   StrictHandle  | Audit not available |
+| Validate image dependency integrity | App-level only |   EnforceModuleDepencySigning  | Audit not available |
+| Validate stack integrity (StackPivot) | App-level only |   EnableRopStackPivot  | Audit not available<a href="#r2" id="t2">\[2\]</a> |
 
 <a href="#t1" id="r1">\[1\]</a>: Use the following format to enable EAF modules for dlls for a process:
 
@@ -248,11 +248,13 @@ Validate stack integrity (StackPivot) | App-level only |   EnableRopStackPivot
 Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll
 ```
 
+<a href="#t2" id="r2">\[2\]</a>: Audit for this mitigation is not available via PowerShell cmdlets.
+
 ## Customize the notification
 
 For more information about customizing the notification when a rule is triggered and blocks an app or file, see [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center).
 
-## See also
+## See also:
 
 * [Protect devices from exploits](exploit-protection.md)
 * [Evaluate exploit protection](evaluate-exploit-protection.md)

windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md

@@ -15,7 +15,7 @@ ms.localizationpriority: medium
 ms.custom: 
 - next-gen
 - edr
-ms.date: 08/21/2020
+ms.date: 12/10/2020
 ms.collection: 
 - m365-security-compliance 
 - m365initiative-defender-endpoint 
@@ -39,7 +39,7 @@ EDR in block mode is also integrated with [threat & vulnerability management](ht
 :::image type="content" source="images/edrblockmode-TVMrecommendation.png" alt-text="recommendation to turn on EDR in block mode":::
 
 > [!NOTE]
-> EDR in block mode is currently in preview, available to organizations who have opted in to receive **[preview features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/preview)**. To get the best protection, make sure to **[deploy Microsoft Defender for Endpoint baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline)**.
+> To get the best protection, make sure to **[deploy Microsoft Defender for Endpoint baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline)**.
 
 ## What happens when something is detected?
 
@@ -81,6 +81,10 @@ The following image shows an instance of unwanted software that was detected and
 
 ## Frequently asked questions 
 
+### Do I need to turn EDR in block mode on even when I have Microsoft Defender Antivirus running on devices?
+
+We recommend keeping EDR in block mode on, whether Microsoft Defender Antivirus is running in passive mode or in active mode. EDR in block mode gives you an added layer of defense with Microsoft Defender for Endpoint. It allows Microsoft Defender for Endpoint to take actions based on post-breach behavioral EDR detections. 
+
 ### Will EDR in block mode have any impact on a user's antivirus protection? 
 
 No. EDR in block mode does not affect third-party antivirus protection running on users' devices. EDR in block mode kicks in if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like [Microsoft Defender Antivirus in passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state), with the additional steps of blocking and remediating malicious artifacts or behaviors that are detected. 

windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md

@@ -36,6 +36,9 @@ The threat intelligence data set for this has been managed by Microsoft.
 
 By creating indicators for IPs and URLs or domains, you can now allow or block IPs, URLs, or domains based on your own threat intelligence. You can do this through the settings page or by machine groups if you deem certain groups to be more or less at risk than others.
 
+> [!NOTE]
+> Classless Inter-Domain Routing (CIDR) notation for IP addresses is not supported. 
+
 ### Before you begin
 It's important to understand the following prerequisites prior to creating indicators for IPS, URLs, or domains:
 - URL/IP allow and block relies on the Defender for Endpoint component Network Protection to be enabled in block mode. For more information on Network Protection and configuration instructions, see [Enable network protection](enable-network-protection.md).

windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md

@@ -27,38 +27,30 @@ ms.topic: conceptual
 > [!NOTE]
 > Defender for Endpoint for iOS would use a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device.
 
-> [!IMPORTANT]
-> **PUBLIC PREVIEW EDITION**
-> 
-> This documentation is for a pre-release solution. The guidelines and the solution are subject to change between now and its general availability.
-> 
-> As with any pre-release solution, remember to exercise caution when determining the target population for your deployments.
-
-
 ## Configure compliance policy against jailbroken devices
 
 To protect corporate data from being accessed on jailbroken iOS devices, we recommend that you set up the following compliance policy on Intune.
 
 > [!NOTE]
-> Currently Defender for Endpoint for iOS does not provide protection against jailbreak scenarios. Some data like your corporate email id and corporate profile picture (if available) will be exposed to the attacker on the jailbroken device.
+> At this time Microsoft Defender for Endpoint for iOS does not provide protection against jailbreak scenarios. If used on a jailbroken device, then in specific scenarios data that is used by the application like your corporate email id and corporate profile picture (if available) can be exposed locally
 
 Follow the steps below to create a compliance policy against jailbroken devices.
 
 1. In [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** -> **Compliance policies** -> click on **Create Policy**. Select "iOS/iPadOS" as platform and click **Create**.
 
     > [!div class="mx-imgBorder"]
-    > ![Image of Microsoft Endpoint Manager Admin Center](images/ios-jb-policy.png)
+    > ![Create Policy](images/ios-jb-policy.png)
 
 1. Specify a name of the policy, example "Compliance Policy for Jailbreak".
 1. In the compliance settings page, click to expand **Device Health** section and click **Block** for **Jailbroken devices** field.
 
     > [!div class="mx-imgBorder"]
-    > ![Image of Microsoft Endpoint Manager Admin Center](images/ios-jb-settings.png)
+    > ![Policy Settings](images/ios-jb-settings.png)
 
 1. In the *Action for noncompliance* section, select the actions as per your requirements and click **Next**.
 
     > [!div class="mx-imgBorder"]
-    > ![Image of Microsoft Endpoint Manager Admin Center](images/ios-jb-actions.png)
+    > ![Policy Actions](images/ios-jb-actions.png)
 
 1. In the *Assignments* section, select the user groups that you want to include for this policy and then click **Next**.
 1. In the **Review+Create** section, verify that all the information entered is correct and then select **Create**.
@@ -70,6 +62,26 @@ Defender for Endpoint for iOS enables admins to configure custom indicators on i
 > [!NOTE]
 > Defender for Endpoint for iOS supports creating custom indicators only for IP addresses and URLs/domains.
 
-## Web Protection
+## Web Protection and VPN
 
-By default, Defender for Endpoint for iOS includes and enables the web protection feature. [Web protection](web-protection-overview.md) helps to secure devices against web threats and protect users from phishing attacks.
+By default, Defender for Endpoint for iOS includes and enables the web protection feature. [Web protection](web-protection-overview.md) helps to secure devices against web threats and protect users from phishing attacks. Defender for Endpoint for iOS uses a VPN in order to provide this protection. Please note this is a local VPN and unlike traditional VPN, network traffic is not sent outside the device.
+
+While enabled by default, there might be some cases that require you to disable VPN. For example, you want to run some apps that do not work when a VPN is configured. In such cases, you can choose to disable VPN from the app on the device by following the steps below:
+
+1. On your iOS device, open the **Settings** app, click or tap **General** and then **VPN**.
+1. Click or tap the "i" button for Microsoft Defender ATP.
+1. Toggle off **Connect On Demand** to disable VPN.
+
+    > [!div class="mx-imgBorder"]
+    > ![VPN config connect on demand](images/ios-vpn-config.png)
+
+> [!NOTE]
+> Web Protection will not be available when VPN is disabled. To re-enable Web Protection, open the Microsoft Defender for Endpoint app on the device and click or tap **Start VPN**.
+
+### Co-existence of multiple VPN profiles
+
+Apple iOS does not support multiple device-wide VPNs to be active simultaneously. While multiple VPN profiles can exist on the device, only one VPN can be active at a time.
+
+## Report unsafe site
+
+Phishing websites impersonate trustworthy websites for the purpose of obtaining your personal or financial information. Visit the [Provide feedback about network protection](https://www.microsoft.com/wdsi/filesubmission/exploitguard/networkprotection) page if you want to report a website that could be a phishing site.

windows/security/threat-protection/microsoft-defender-atp/ios-install.md

@@ -20,44 +20,50 @@ ms.collection:
 ms.topic: conceptual
 ---
 
-# App-based deployment for Microsoft Defender for Endpoint for iOS
+# Deploy Microsoft Defender for Endpoint for iOS
 
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 
-> [!IMPORTANT]
-> **PUBLIC PREVIEW EDITION**
-> 
-> This documentation is for a pre-release solution. The guidelines and the solution are subject to change between now and its general availability.
-> 
-> As with any pre-release solution, remember to exercise caution when determining the target population for your deployments.
-
-Defender for Endpoint for iOS is currently available as a preview app on TestFlight, Apple's beta testing platform. In GA, it will be available on the Apple App store.
-
-Deployment devices need to be enrolled on Intune Company portal. Refer to
-[Enroll your
-device](https://docs.microsoft.com/mem/intune/enrollment/ios-enroll) to
-learn more about Intune device enrollment
+This topic describes deploying Defender for Endpoint for iOS on Intune Company Portal enrolled devices. For more information about Intune device enrollment, see [Enroll iOS/iPadOS devices in Intune](https://docs.microsoft.com/mem/intune/enrollment/ios-enroll).
 
 ## Before you begin
 
--   Ensure you have access to [Microsoft Endpoint manager admin
-    center](https://go.microsoft.com/fwlink/?linkid=2109431).
+- Ensure you have access to [Microsoft Endpoint manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 
--   Ensure iOS enrollment is done for your users. Users need to have Defender for Endpoint
-    license assigned in order to use Defender for Endpoint for iOS. Refer [Assign licenses to
-    users](https://docs.microsoft.com/azure/active-directory/users-groups-roles/licensing-groups-assign)
-    for instructions on how to assign licenses.
+- Ensure iOS enrollment is done for your users. Users need to have a Defender for Endpoint license assigned in order to use Defender for Endpoint for iOS. Refer to [Assign licenses to users](https://docs.microsoft.com/azure/active-directory/users-groups-roles/licensing-groups-assign) for instructions on how to assign licenses.
 
+> [!NOTE]
+> Microsoft Defender ATP (Microsoft Defender for Endpoint) for iOS is now available in the [Apple App Store](https://aka.ms/mdatpiosappstore).
 
 ## Deployment steps
 
-To install Defender for Endpoint for iOS, end-users can visit
-<https://aka.ms/defenderios> on their iOS devices. This link will open the
-TestFlight application on their device or prompt them to install TestFlight. On
-the TestFlight app, follow the onscreen instructions to install Defender for Endpoint.
+Deploy Defender for Endpoint for iOS via Intune Company Portal.
 
+### Add iOS store app
 
-![Image of deployment steps](images/testflight-get.png)
+1. In [Microsoft Endpoint manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Apps** -> **iOS/iPadOS** -> **Add** -> **iOS store app** and click **Select**.
+
+    > [!div class="mx-imgBorder"]
+    ![Image of Microsoft Endpoint Manager Admin Center](images/ios-deploy-1.png)
+
+1. On the Add app page, click on **Search the App Store** and type **Microsoft Defender ATP** in the search bar. In the search results section, click on *Microsoft Defender ATP* and click **Select**.
+
+1. Select **iOS 11.0** as the Minimum operating system. Review the rest of information about the app and click **Next**.
+
+1. In the *Assignments* section, go to the **Required** section and select **Add group**. You can then choose the user group(s) that you would like to target Defender for Endpoint for iOS app. Click **Select** and then **Next**.
+
+    > [!NOTE]
+    > The selected user group should consist of Intune enrolled users.
+
+    > [!div class="mx-imgBorder"]
+    ![Image of Microsoft Endpoint Manager Admin Center](images/ios-deploy-2.png)
+
+1. In the *Review + Create* section, verify that all the information entered is correct and then select **Create**. In a few moments, the Defender for Endpoint app should be created successfully, and a notification should show up at the top-right corner of the page.
+
+1. In the app information page that is displayed, in the **Monitor** section, select **Device install status** to verify that the device installation has completed successfully.
+
+    > [!div class="mx-imgBorder"]
+    ![Image of Microsoft Endpoint Manager Admin Center](images/ios-deploy-3.png)
 
 ## Complete onboarding and check status
 
@@ -66,16 +72,66 @@ the TestFlight app, follow the onscreen instructions to install Defender for End
 
     ![A screen shot of a smart phone Description automatically generated](images/41627a709700c324849bf7e13510c516.png)
 
-2.  Tap the Defender for Endpoint app icon and follow the on-screen
-    instructions to complete the onboarding steps. The details include end-user
-    acceptance of iOS permissions required by Defender for Endpoint for iOS.
+2. Tap the Defender for Endpoint app icon and follow the on-screen instructions to complete the onboarding steps. The details include end-user acceptance of iOS permissions required by Defender for Endpoint for iOS.
 
-3.  Upon successful onboarding, the device will start showing up on the Devices
-    list in Microsoft Defender Security Center.
+3. Upon successful onboarding, the device will start showing up on the Devices list in Microsoft Defender Security Center.
 
     > [!div class="mx-imgBorder"]
     > ![A screenshot of a cell phone Description automatically generated](images/e07f270419f7b1e5ee6744f8b38ddeaf.png)
 
+## Configure Microsoft Defender for Endpoint for Supervised Mode
+
+The Microsoft Defender for Endpoint for iOS app has specialized ability on supervised iOS/iPadOS devices, given the increased management capabilities provided by the platform on these types of devices. To take advantage of these capabilities, the Defender for Endpoint app needs to know if a device is in Supervised Mode.
+
+### Configure Supervised Mode via Intune
+
+Intune allows you to configure the Defender for iOS app through an App Configuration policy.
+
+    > [!NOTE]
+    > This app configuration policy for supervised devices is applicable only to managed devices and should be targeted for all managed iOS devices as a best practice.
+
+1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and go to **Apps** > **App configuration policies** > **Add**. Click on **Managed devices**.
+
+    > [!div class="mx-imgBorder"]
+    ![Image of Microsoft Endpoint Manager Admin Center](images/ios-deploy-4.png)
+
+1. In the *Create app configuration policy* page, provide the following information:
+    - Policy Name
+    - Platform: Select iOS/iPadOS
+    - Targeted app: Select **Microsoft Defender ATP** from the list
+
+    > [!div class="mx-imgBorder"]
+    ![Image of Microsoft Endpoint Manager Admin Center](images/ios-deploy-5.png)
+
+1. In the next screen, select **Use configuration designer** as the format. Specify the following property:
+    - Configuration Key: issupervised
+    - Value type: String
+    - Configuration Value: {{issupervised}}
+    
+    > [!div class="mx-imgBorder"]
+    ![Image of Microsoft Endpoint Manager Admin Center](images/ios-deploy-6.png)
+
+1. Click **Next** to open the **Scope tags** page. Scope tags are optional. Click **Next** to continue.
+
+1. On the **Assignments** page, select the groups that will receive this profile. For this scenario, it is best practice to target **All Devices**. For more information on assigning profiles, see [Assign user and device profiles](https://docs.microsoft.com/mem/intune/configuration/device-profile-assign).
+
+   When deploying to user groups, a user must sign in to a device before the policy applies.
+
+   Click **Next**.
+
+1. On the **Review + create** page, when you're done, choose **Create**. The new profile is displayed in the list of configuration profiles.
+
+1. Next, for enhanced Anti-phishing capabilities, you can deploy a custom profile on the supervised iOS devices. Follow the steps below:
+    - Download the config profile from [https://aka.ms/mdatpiossupervisedprofile](https://aka.ms/mdatpiossupervisedprofile)
+    - Navigate to **Devices** -> **iOS/iPadOS** -> **Configuration profiles** -> **Create Profile**
+
+    > [!div class="mx-imgBorder"]
+    ![Image of Microsoft Endpoint Manager Admin Center](images/ios-deploy-7.png)
+
+    - Provide a name of the profile. When prompted to import a Configuration profile file, select the one downloaded above.
+    - In the **Assignment** section, select the device group to which you want to apply this profile. As a best practice, this should be applied to all managed iOS devices. Click **Next**.
+    - On the **Review + create** page, when you're done, choose **Create**. The new profile is displayed in the list of configuration profiles.
+
 ## Next Steps
 
 [Configure Defender for Endpoint for iOS features](ios-configure-features.md)

windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md

@@ -30,6 +30,9 @@ ms.topic: conceptual
 
 Learn how to deploy Microsoft Defender for Endpoint for macOS with Jamf Pro.
 
+> [!NOTE]
+> If you are using macOS Catalina (10.15.4) or newer versions of macOS, see [New configuration profiles for macOS Catalina and newer versions of macOS](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies).
+
 This is a multi step process. You'll need to complete all of the following steps:
 
 - [Login to the Jamf Portal](mac-install-jamfpro-login.md)
@@ -40,4 +43,3 @@ This is a multi step process. You'll need to complete all of the following steps
 
 
 
-

windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md

@@ -17,7 +17,7 @@ ms.collection:
 - m365-security-compliance 
 - m365initiative-defender-endpoint 
 ms.topic: conceptual
-ms.date: 09/15/2020
+ms.date: 12/07/2020
 ---
 
 # Review and approve remediation actions following an automated investigation
@@ -39,13 +39,13 @@ remediation actions can occur automatically or only upon approval by your organi
 
 Here are a few examples:
 
-- Example 1: Fabrikam's device groups are set to **Full - remediate threats automatically** (this is the recommended setting). In this case, remediation actions are taken automatically for artifacts that are considered to be malicious following an automated investigation. (See [Review completed actions](#review-completed-actions).)
+- Example 1: Fabrikam's device groups are set to **Full - remediate threats automatically** (the recommended setting). In this case, remediation actions are taken automatically for artifacts that are considered to be malicious following an automated investigation. (See [Review completed actions](#review-completed-actions).)
 
 - Example 2: Contoso's devices are included in a device group that is set for **Semi - require approval for any remediation**. In this case, Contoso's security operations team must review and approve all remediation actions following an automated investigation. (See [Review pending actions](#review-pending-actions).)
 
-- Example 3: Tailspin Toys has their device groups set to **No automated response** (this is not recommended). In this case, automated investigations do not occur. As a result, no remediation actions are taken or pending, and no actions are logged in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center) for their devices. (See [Manage device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups#manage-device-groups))
+- Example 3: Tailspin Toys has their device groups set to **No automated response** (not recommended). In this case, automated investigations do not occur. No remediation actions are taken or pending, and no actions are logged in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center) for their devices. (See [Manage device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups#manage-device-groups))
 
-Whether taken automatically or upon approval, remediation actions following an automated investigation include the following:
+Whether taken automatically or upon approval, an automated investigation can result in one or more of the remediation actions:
 - Quarantine a file
 - Remove a registry key 
 - Kill a process 
@@ -55,11 +55,11 @@ Whether taken automatically or upon approval, remediation actions following an a
 
 ### Automated investigation results and remediation actions
 
-The following table summarizes remediation actions following an automated investigation, how device group settings affect whether actions are taken automatically or upon approval, and what to do in each case. 
+The following table summarizes remediation actions, how automation level settings affect whether actions are taken automatically or upon approval, and what to do. 
 
 |Device group setting | Automated investigation results | What to do |
 |:---|:---|:---|
-|**Full - remediate threats automatically** (this is the recommended setting) |A verdict of *Malicious* is reached for a piece of evidence. <br/><br/>Appropriate remediation actions are taken automatically. |[Review completed actions](#review-completed-actions) |
+|**Full - remediate threats automatically** (the recommended setting) |A verdict of *Malicious* is reached for a piece of evidence. <br/><br/>Appropriate remediation actions are taken automatically. |[Review completed actions](#review-completed-actions) |
 |**Full - remediate threats automatically** |A verdict of *Suspicious* is reached for a piece of evidence. <br/><br/>Remediation actions are pending approval to proceed. | [Approve (or reject) pending actions](#review-pending-actions) |
 |**Semi - require approval for any remediation**  |A verdict of either *Malicious* or *Suspicious* is reached for a piece of evidence. <br/><br/>Remediation actions are pending approval to proceed.  |[Approve (or reject) pending actions](#review-pending-actions) |
 |**Semi - require approval for core folders remediation** |A verdict of *Malicious* is reached for a piece of evidence. <br/><br/>If the artifact is a file or executable and is in an operating system directory, such as the Windows folder or the Program files folder, then remediation actions are pending approval. <br/><br/>If the artifact is *not* in an operating system directory, remediation actions are taken automatically. |1. [Approve (or reject) pending actions](#review-pending-actions)<br/><br/>2. [Review completed actions](#review-completed-actions) |
@@ -67,7 +67,7 @@ The following table summarizes remediation actions following an automated invest
 |**Semi - require approval for non-temp folders remediation** |A verdict of *Malicious* is reached for a piece of evidence. <br/><br/>If the artifact is a file or executable that is not in a temporary folder, such as the user's downloads folder or temp folder, remediation actions are pending approval. <br/><br/>If the artifact is a file or executable that *is* in a temporary folder, remediation actions are taken automatically.  |1. [Approve (or reject) pending actions](#review-pending-actions)<br/><br/>2. [Review completed actions](#review-completed-actions)  |
 |**Semi - require approval for non-temp folders remediation** |A verdict of *Suspicious* is reached for a piece of evidence. <br/><br/>Remediation actions are pending approval. |[Approve (or reject) pending actions](#review-pending-actions)  | 
 |Any of the **Full** or **Semi** automation levels |A verdict of *No threats found* is reached for a piece of evidence. <br/><br/>No remediation actions are taken, and no actions are pending approval. |[View details and results of automated investigations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center) |
-|**No automated response** (this is not recommended)|No automated investigations run, so no verdicts are reached, and no remediation actions are taken or awaiting approval. |[Consider setting up or changing your device groups to use **Full** or **Semi** automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups) |
+|**No automated response** (not recommended)|No automated investigations run, so no verdicts are reached, and no remediation actions are taken or awaiting approval. |[Consider setting up or changing your device groups to use **Full** or **Semi** automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups) |
 
 In Microsoft Defender for Endpoint, all verdicts are [tracked and viewable in the Microsoft Defender Security Center](#review-completed-actions).
 
@@ -85,7 +85,7 @@ In Microsoft Defender for Endpoint, all verdicts are [tracked and viewable in th
 
 4. Select an investigation from any of the categories to open a panel where you can approve or reject remediation actions. 
 
-   Other details such as file or service details, investigation details, and alert details are displayed. From the panel, you can click on the **Open investigation page** link to see the investigation details. You can also select multiple investigations to approve or reject actions on multiple investigations. 
+   Other details such as file or service details, investigation details, and alert details are displayed. From the panel, you can select the **Open investigation page** link to see the investigation details. You can also select multiple investigations to approve or reject actions on multiple investigations. 
 
 ## Review completed actions
 

windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md

@@ -1,7 +1,7 @@
 ---
-title: Microsoft Defender Advanced Threat Protection
-description: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) is an enterprise endpoint security platform that helps defend against advanced persistent threats.
-keywords: introduction to Microsoft Defender Advanced Threat Protection, introduction to Microsoft Defender ATP, cybersecurity, advanced persistent threat, enterprise security, machine behavioral sensor, cloud security, analytics, threat intelligence, attack surface reduction, next-generation protection, automated investigation and remediation, microsoft threat experts, secure score, advanced hunting, microsoft threat protection, cyber threat hunting
+title: Microsoft Defender for Endpoint
+description: Microsoft Defender for Endpoint is an enterprise endpoint security platform that helps defend against advanced persistent threats.
+keywords: introduction to Microsoft Defender for Endpoint, introduction to Microsoft Defender Advanced Threat Protection, introduction to Microsoft Defender ATP, cybersecurity, advanced persistent threat, enterprise security, machine behavioral sensor, cloud security, analytics, threat intelligence, attack surface reduction, next-generation protection, automated investigation and remediation, microsoft threat experts, secure score, advanced hunting, microsoft threat protection, cyber threat hunting
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
@@ -17,7 +17,7 @@ ms.collection: M365-security-compliance
 ms.topic: conceptual
 ---
 
-# Microsoft Defender Advanced Threat Protection
+# Microsoft Defender for Endpoint
 
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 
@@ -124,15 +124,16 @@ Integrate Microsoft Defender Advanced Threat Protection into your existing workf
 
 **[Integration with Microsoft solutions](threat-protection-integration.md)** <br>
 Defender for Endpoint directly integrates with various Microsoft solutions, including:
-- Intune
-- Microsoft Defender for Office 365 
-- Microsoft Defender for Identity 
 - Azure Security Center
-- Skype for Business 
+- Azure Sentinel
+- Intune
 - Microsoft Cloud App Security
+- Microsoft Defender for Identity
+- Microsoft Defender for Office
+- Skype for Business
 
-**[Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)**<br>
- With Microsoft Threat Protection, Defender for Endpoint and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate, and automatically respond to sophisticated attacks.
+**[Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)**<br>
+With Microsoft 365 Defender, Defender for Endpoint and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate, and automatically respond to sophisticated attacks.
 
 
 ## Related topic

windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md

@@ -74,7 +74,7 @@ This topic describes how to install, configure, update, and use Defender for End
 
 Microsoft Defender for Endpoint for Android supports installation on both modes of
 enrolled devices - the legacy Device Administrator and Android Enterprise modes.
-**Currently, only Work Profile enrolled devices are supported in Android Enterprise. Support for other Android Enterprise modes will be announced when ready.**
+**Currently, Personally-owned devices with work profile and Corporate-owned fully managed user device enrolments are supported in Android Enterprise. Support for other Android Enterprise modes will be announced when ready.**
 
 Deployment of Microsoft Defender for Endpoint for Android is via Microsoft Intune (MDM).
 For more information, see [Deploy Microsoft Defender for Endpoint for Android with Microsoft Intune](android-intune.md).

windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios.md

@@ -24,53 +24,51 @@ ms.topic: conceptual
 
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 
-
-> [!IMPORTANT]
-> **PUBLIC PREVIEW EDITION**
-> 
-> This documentation is for a pre-release solution. The guidelines and the solution are subject to change between now and its general availability.
-> 
-> As with any pre-release solution, remember to exercise caution when determining the target population for your deployments.
-
-
-The public preview of Defender for Endpoint for iOS will offer protection
-against phishing and unsafe network connections from websites, emails, and apps.
-All alerts will be available through a single pane of glass in the Microsoft
-Defender Security Center. The portal gives security teams a centralized view of threats on
+**Microsoft Defender for Endpoint for iOS** will offer protection against phishing and unsafe network connections from websites, emails, and apps. All alerts will be available through a single pane of glass in the Microsoft Defender Security Center. The portal gives security teams a centralized view of threats on
 iOS devices along with other platforms.
 
+> [!CAUTION]
+> Running other third-party endpoint protection products alongside Defender for Endpoint for iOS is likely to cause performance problems and unpredictable system errors.
+
 ## Pre-requisites
 
-
 **For End Users**
 
--   Defender for Endpoint license assigned to the end user(s) of the app. Refer
-    [Assign licenses to
-    users](https://docs.microsoft.com/azure/active-directory/users-groups-roles/licensing-groups-assign)
-    for instructions on how to assign licenses.
+- Microsoft Defender for Endpoint license assigned to the end user(s) of the app. See [Microsoft Defender for Endpoint licensing requirements](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements#licensing-requirements).
+
+- Device(s) are [enrolled](https://docs.microsoft.com/mem/intune/user-help/enroll-your-device-in-intune-ios) via the Intune Company Portal app to enforce Intune device compliance policies. This requires the end user to be assigned a Microsoft Intune license.
+    - Intune Company Portal app can be downloaded from the [Apple App Store](https://apps.apple.com/us/app/intune-company-portal/id719171358).
+
+- For more information on how to assign licenses, see [Assign licenses to users](https://docs.microsoft.com/azure/active-directory/users-groups-roles/licensing-groups-assign).
 
 **For Administrators**
 
--   Access to the Microsoft Defender Security Center portal
+- Access to the Microsoft Defender Security Center portal.
 
--   Access to [Microsoft Endpoint Manager admin
-    center](https://go.microsoft.com/fwlink/?linkid=2109431), to deploy the app
-    to enrolled user groups in your organization
+    > [!NOTE]
+    > Microsoft Intune is the only supported Mobile Device Management (MDM) solution for deploying Microsoft Defender for Endpoint for iOS. Currently only enrolled devices are supported for enforcing Defender for Endpoint for iOS related device compliance policies in Intune.
+
+- Access to [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), to deploy the app to enrolled user groups in your organization.
 
 **System Requirements**
 
--   iOS devices running iOS 11.0 and later
+- iOS devices running iOS 11.0 and above.
 
--   Device is enrolled with Intune Company Portal
-    [app](https://apps.apple.com/us/app/intune-company-portal/id719171358)
+- Device is enrolled with the [Intune Company Portal app](https://apps.apple.com/us/app/intune-company-portal/id719171358).
+
+> [!NOTE]
+> **Microsoft Defender ATP (Microsoft Defender for Endpoint) for iOS is now available on [Apple App Store](https://aka.ms/mdatpiosappstore).**
+
+## Installation instructions
+
+Deployment of Microsoft Defender for Endpoint for iOS is via Microsoft Intune (MDM) and both supervised and unsupervised devices are supported.
+For more information, see [Deploy Microsoft Defender for Endpoint for iOS](ios-install.md).
 
 ## Resources
 
--   Stay informed about upcoming releases by visiting our [blog](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bg-p/MicrosoftDefenderATPBlog/label-name/iOS)
-
--   Provide feedback through in-app feedback system or through [SecOps
-    portal](https://securitycenter.microsoft.com)
+- Stay informed about upcoming releases by visiting our [blog](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bg-p/MicrosoftDefenderATPBlog/label-name/iOS).
 
+- Provide feedback through in-app feedback system or through [SecOps portal](https://securitycenter.microsoft.com)
 
 ## Next steps
 

windows/security/threat-protection/microsoft-defender-atp/non-windows.md

@@ -42,38 +42,38 @@ non-Windows platforms, enabling them to get a full picture of what's happening
 in their environment, which empowers them to more quickly assess and respond to
 threats.
 
-## Microsoft Defender for Endpoint for Mac 
+## Microsoft Defender for Endpoint on macOS 
 
-Microsoft Defender for Endpoint for Mac offers antivirus and endpoint detection and response (EDR) capabilities for the three
+Microsoft Defender for Endpoint on macOS offers antivirus and endpoint detection and response (EDR) capabilities for the three
 latest released versions of macOS. Customers can deploy and manage the solution
 through Microsoft Endpoint Manager and Jamf. Just like with Microsoft Office
 applications on macOS, Microsoft Auto Update is used to manage Microsoft
-Defender for Endpoint for Mac updates. For information about the key features and
+Defender for Endpoint on Mac updates. For information about the key features and
 benefits, read our
 [announcements](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bg-p/MicrosoftDefenderATPBlog/label-name/macOS).
 
-For more details on how to get started, visit the Defender for Endpoint for Mac
+For more details on how to get started, visit the Defender for Endpoint on macOS
 [documentation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac).
 
-## Microsoft Defender for Endpoint for Linux
+## Microsoft Defender for Endpoint on Linux
 
-Microsoft Defender for Endpoint for Linux offers preventative (AV) capabilities for Linux
+Microsoft Defender for Endpoint on Linux offers preventative (AV) capabilities for Linux
 servers. This includes a full command line experience to configure and manage
 the agent, initiate scans, and manage threats. We support recent versions of the
 six most common Linux Server distributions: RHEL 7.2+, CentOS Linux 7.2+, Ubuntu
 16 LTS, or higher LTS, SLES 12+, Debian 9+, and Oracle Linux 7.2. Microsoft
-Defender for Endpoint for Linux can be deployed and configured using Puppet, Ansible, or
+Defender for Endpoint on Linux can be deployed and configured using Puppet, Ansible, or
 using your existing Linux configuration management tool. For information about
 the key features and benefits, read our
 [announcements](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bg-p/MicrosoftDefenderATPBlog/label-name/Linux).
 
-For more details on how to get started, visit the Microsoft Defender for Endpoint for
+For more details on how to get started, visit the Microsoft Defender for Endpoint on
 Linux
 [documentation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux).
 
-## Microsoft Defender for Endpoint for Android
+## Microsoft Defender for Endpoint on Android
 
-Microsoft Defender for Endpoint for Android is our mobile threat defense solution for
+Microsoft Defender for Endpoint on Android is our mobile threat defense solution for
 devices running Android 6.0 and higher. Both Android Enterprise (Work Profile)
 and Device Administrator modes are supported. On Android, we offer web
 protection, which includes anti-phishing, blocking of unsafe connections, and
@@ -83,11 +83,20 @@ through integration with Microsoft Endpoint Manager and Conditional Access. For
 information about the key features and benefits, read our
 [announcements](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bg-p/MicrosoftDefenderATPBlog/label-name/Android).
 
-For more details on how to get started, visit the Microsoft Defender for Endpoint for
+For more details on how to get started, visit the Microsoft Defender for Endpoint on
 Android
 [documentation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android).
 
+## Microsoft Defender for Endpoint on iOS
 
+Microsoft Defender for Endpoint on iOS is our mobile threat defense solution for devices
+running iOS 11.0 and higher. Both Supervised and Unsupervised devices are supported. 
+On iOS, we offer web protection which includes anti-phishing, blocking unsafe connections, and 
+setting custom indicators. For more information about the key features and benefits, 
+read our [announcements](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/bg-p/MicrosoftDefenderATPBlog/label-name/iOS). 
+
+For more details on how to get started, visit the Microsoft Defender for Endpoint 
+on iOS [documentation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios).
 
 ## Licensing requirements 
 
@@ -95,7 +104,7 @@ Eligible Licensed Users may use Microsoft Defender for Endpoint on up to five co
 devices. Microsoft Defender for Endpoint is also available for purchase from a Cloud
 Solution Provider (CSP).
 
-Customers can obtain Microsoft Defender for Endpoint for Mac through a standalone
+Customers can obtain Microsoft Defender for Endpoint on macOS through a standalone
 Microsoft Defender for Endpoint license, as part of Microsoft 365 A5/E5, or Microsoft 365
 Security.
 

windows/security/threat-protection/microsoft-defender-atp/preview.md

@@ -54,9 +54,6 @@ Turn on the preview experience setting to be among the first to try upcoming fea
 ## Preview features
 
 The following features are included in the preview release:
-- [Microsoft Defender for Endpoint for iOS](microsoft-defender-atp-ios.md) <br> Microsoft Defender for Endpoint now adds support for iOS. Learn how to install, configure, and use Microsoft Defender for Endpoint for iOS.
-
-- [Microsoft Defender for Endpoint for Android](microsoft-defender-atp-android.md) <br> Microsoft Defender for Endpoint now adds support for Android. Learn how to install, configure, and use Microsoft Defender for Endpoint for Android.
 
 - [Web Content Filtering](web-content-filtering.md) <br> Web content filtering is part of web protection capabilities in Microsoft Defender for Endpoint. It enables your organization to track and regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic because of compliance regulations, bandwidth usage, or other concerns.
 

windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md

@@ -1,16 +1,15 @@
 ---
-title: Integrate Microsoft Defender ATP with other Microsoft solutions
-ms.reviewer: 
-description: Learn how Microsoft Defender ATP integrates with other Microsoft solutions, including Azure Advanced Threat Protection and Azure Security Center.
-keywords: microsoft threat protection, conditional access, office, advanced threat protection, azure atp, azure security center, microsoft cloud app security
+title: Integrate Microsoft Defender for Endpoint with other Microsoft solutions
+description: Learn how Microsoft Defender for Endpoint integrates with other Microsoft solutions, including Microsoft Defender for Identity and Azure Security Center.
+author: mjcaparas
+ms.author: macapara
+ms.prod: w10
+keywords: microsoft 365 defender, conditional access, office, advanced threat protection, microsoft defender for identity, microsoft defender for office, azure security center, microsoft cloud app security, azure sentinel
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
-ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
@@ -31,39 +30,41 @@ ms.topic: conceptual
 
 Microsoft Defender for Endpoint directly integrates with various Microsoft solutions.
 
-### Azure Advanced Threat Protection (Azure ATP)
- Suspicious activities are processes running under a user context. The integration between Microsoft Defender for Endpoint and Azure ATP provides the flexibility of conducting cyber security investigation across activities and identities. 
-
 ### Azure Security Center
 Microsoft Defender for Endpoint provides a comprehensive server protection solution, including endpoint detection and response (EDR) capabilities on Windows Servers.
 
+### Azure Sentinel
+The Microsoft Defender for Endpoint connector lets you stream alerts from Microsoft Defender for Endpoint into Azure Sentinel. This will enable you to more comprehensively analyze security events across your organization and build playbooks for effective and immediate response.
+
 ### Azure Information Protection
 Keep sensitive data secure while enabling productivity in the workplace through data discovery and data protection.
 
 ### Conditional Access
 Microsoft Defender for Endpoint's dynamic device risk score is integrated into the Conditional Access evaluation, ensuring that only secure devices have access to resources. 
 
-
 ### Microsoft Cloud App Security
 Microsoft Cloud App Security leverages Microsoft Defender for Endpoint endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Microsoft Defender for Endpoint monitored devices.
 
-### Office 365 Advanced Threat Protection (Office 365 ATP)
-[Office 365 ATP](https://docs.microsoft.com/office365/securitycompliance/office-365-atp) helps protect your organization from malware in email messages or files through ATP Safe Links, ATP Safe Attachments, advanced Anti-Phishing, and spoof intelligence capabilities. The integration between Office 365 ATP and Microsoft Defender for Endpoint enables security analysts to go upstream to investigate the entry point of an attack. Through threat intelligence sharing, attacks can be contained and blocked. 
+### Microsoft Defender for Identity
+Suspicious activities are processes running under a user context. The integration between Microsoft Defender for Endpoint and Azure ATP provides the flexibility of conducting cyber security investigation across activities and identities.
+
+### Microsoft Defender for Office
+[Defender for Office 365](https://docs.microsoft.com/office365/securitycompliance/office-365-atp) helps protect your organization from malware in email messages or files through ATP Safe Links, ATP Safe Attachments, advanced Anti-Phishing, and spoof intelligence capabilities. The integration between Office 365 ATP and Microsoft Defender for Endpoint enables security analysts to go upstream to investigate the entry point of an attack. Through threat intelligence sharing, attacks can be contained and blocked. 
 
 >[!NOTE]
-> Office 365 ATP data is displayed for events within the last 30 days. For alerts, Office 365 ATP data is displayed based on first activity time. After that, the data is no longer available in Office 365 ATP.
+> Defender for Office 365 data is displayed for events within the last 30 days. For alerts, Defender for Office 365 data is displayed based on first activity time. After that, the data is no longer available in Defender for Office 365.
 
 ### Skype for Business
 The Skype for Business integration provides a way for analysts to communicate with a potentially compromised user or device owner through a simple button from the portal.
 
-## Microsoft Threat Protection
- With Microsoft Threat Protection, Microsoft Defender for Endpoint and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate and automatically respond to sophisticated attacks. 
+## Microsoft 365 Defender
+With Microsoft 365 Defender, Microsoft Defender for Endpoint and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate and automatically respond to sophisticated attacks. 
  
- [Learn more about Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)
+[Learn more about Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)
 
 
 ## Related topics
 - [Configure integration and other advanced features](advanced-features.md)
-- [Microsoft Threat Protection overview](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)
-- [Turn on Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-enable)
+- [Microsoft 365 Defender overview](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)
+- [Turn on Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-enable)
 - [Protect users, data, and devices with Conditional Access](conditional-access.md)

windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md

@@ -40,10 +40,18 @@ For more information preview features, see [Preview features](https://docs.micro
 > https://docs.microsoft.com/api/search/rss?search=%22Microsoft+Defender+ATP+as+well+as+security+features+in+Windows+10+and+Windows+Server.%22&locale=en-us
 > ```
 
+## December 2020
+- [Microsoft Defender for Endpoint for iOS](microsoft-defender-atp-ios.md) <br> Microsoft Defender for Endpoint now adds support for iOS. Learn how to install, configure, update, and use Microsoft Defender for Endpoint for iOS.
+
 ## September 2020
 - [Microsoft Defender for Endpoint for Android](microsoft-defender-atp-android.md) <br> Microsoft Defender for Endpoint now adds support for Android. Learn how to install, configure, update, and use Microsoft Defender for Endpoint for Android.
 - [Threat and vulnerability management macOS support](tvm-supported-os.md)<br> Threat and vulnerability management for macOS is now in public preview, and will continuously detect vulnerabilities on your macOS devices to help you prioritize remediation by focusing on risk. Learn more from this [Microsoft Tech Community blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/microsoft-defender-for-endpoint-adds-depth-and-breadth-to-threat/ba-p/1695824).
 
+
+## August 2020
+- [Microsoft Defender for Endpoint for Android](microsoft-defender-atp-android.md) <br> Microsoft Defender for Endpoint now adds support for Android. Learn how to install, configure, and use Microsoft Defender for Endpoint for Android.
+
+
 ## July 2020
 - [Create indicators for certificates](manage-indicators.md) <br> Create indicators to allow or block certificates. 
 

windows/whats-new/ltsc/TOC.md

@@ -1,4 +1,4 @@
 # [Windows 10 Enterprise LTSC](index.md)
-## [What's new in Windows 10 Enterprise 2019 LTSC](whats-new-windows-10-2019.md)
-## [What's new in Windows 10 Enterprise 2016 LTSC](whats-new-windows-10-2016.md)
-## [What's new in Windows 10 Enterprise 2015 LTSC](whats-new-windows-10-2015.md)
+## [What's new in Windows 10 Enterprise LTSC 2019](whats-new-windows-10-2019.md)
+## [What's new in Windows 10 Enterprise LTSC 2016](whats-new-windows-10-2016.md)
+## [What's new in Windows 10 Enterprise LTSC 2015](whats-new-windows-10-2015.md)

windows/whats-new/ltsc/index.md

@@ -22,9 +22,9 @@ ms.topic: article
 
 This topic provides links to articles with information about what's new in each release of Windows 10 Enterprise LTSC, and includes a short description of this servicing channel. 
 
-[What's New in Windows 10 Enterprise 2019 LTSC](whats-new-windows-10-2019.md)<br>
-[What's New in Windows 10 Enterprise 2016 LTSC](whats-new-windows-10-2016.md)<br>
-[What's New in Windows 10 Enterprise 2015 LTSC](whats-new-windows-10-2015.md)
+[What's New in Windows 10 Enterprise LTSC 2019](whats-new-windows-10-2019.md)<br>
+[What's New in Windows 10 Enterprise LTSC 2016](whats-new-windows-10-2016.md)<br>
+[What's New in Windows 10 Enterprise LTSC 2015](whats-new-windows-10-2015.md)
 
 ## The Long Term Servicing Channel (LTSC)
 
@@ -32,9 +32,9 @@ The following table summarizes equivalent feature update versions of Windows 10
 
 | LTSC release | Equivalent SAC release | Availability date |
 | --- | --- | --- |
-| Windows 10 Enterprise 2015 LTSC  | Windows 10, Version 1507 | 7/29/2015 |
-| Windows 10 Enterprise 2016 LTSC  | Windows 10, Version 1607 | 8/2/2016 |
-| Windows 10 Enterprise 2019 LTSC  | Windows 10, Version 1809 | 11/13/2018 |
+| Windows 10 Enterprise LTSC 2015  | Windows 10, Version 1507 | 7/29/2015 |
+| Windows 10 Enterprise LTSC 2016  | Windows 10, Version 1607 | 8/2/2016 |
+| Windows 10 Enterprise LTSC 2019  | Windows 10, Version 1809 | 11/13/2018 |
 
 >[!NOTE]
 >The Long Term Servicing Channel was previously called the Long Term Servicing Branch (LTSB). All references to LTSB are changed in this article to LTSC for consistency, even though the name of previous versions might still be displayed as LTSB.

windows/whats-new/ltsc/whats-new-windows-10-2015.md

@@ -1,10 +1,10 @@
 ---
-title: What's new in Windows 10 Enterprise 2015 LTSC
+title: What's new in Windows 10 Enterprise LTSC 2015
 ms.reviewer: 
 manager: laurawi
 ms.author: greglin
-description: New and updated IT Pro content about new features in Windows 10 Enterprise 2015 LTSC (also known as Windows 10 Enterprise 2015 LTSB).
-keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise 2015 LTSC"]
+description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2015 (also known as Windows 10 Enterprise 2015 LTSB).
+keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise LTSC 2015"]
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
@@ -14,15 +14,15 @@ ms.localizationpriority: low
 ms.topic: article
 ---
 
-# What's new in Windows 10 Enterprise 2015 LTSC
+# What's new in Windows 10 Enterprise LTSC 2015
 
 **Applies to**
--   Windows 10 Enterprise 2015 LTSC
+-   Windows 10 Enterprise LTSC 2015
 
-This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise 2015 LTSC (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md).
+This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2015 (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md).
 
 >[!NOTE]
->Features in Windows 10 Enterprise 2015 LTSC are equivalent to [Windows 10, version 1507](../whats-new-windows-10-version-1507-and-1511.md).
+>Features in Windows 10 Enterprise LTSC 2015 are equivalent to [Windows 10, version 1507](../whats-new-windows-10-version-1507-and-1511.md).
 
 ## Deployment
 

windows/whats-new/ltsc/whats-new-windows-10-2016.md

@@ -1,10 +1,10 @@
 ---
-title: What's new in Windows 10 Enterprise 2016 LTSC
+title: What's new in Windows 10 Enterprise LTSC 2016
 ms.reviewer: 
 manager: laurawi
 ms.author: greglin
-description: New and updated IT Pro content about new features in Windows 10 Enterprise 2016 LTSC (also known as Windows 10 Enterprise 2016 LTSB).
-keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise 2016 LTSC"]
+description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2016 (also known as Windows 10 Enterprise 2016 LTSB).
+keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise LTSC 2016"]
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
@@ -14,15 +14,15 @@ ms.localizationpriority: low
 ms.topic: article
 ---
 
-# What's new in Windows 10 Enterprise 2016 LTSC
+# What's new in Windows 10 Enterprise LTSC 2016
 
 **Applies to**
--   Windows 10 Enterprise 2016 LTSC
+-   Windows 10 Enterprise LTSC 2016
 
-This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise 2016 LTSC (LTSB), compared to Windows 10 Enterprise 2015 LTSC (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md).
+This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2016 (LTSB), compared to Windows 10 Enterprise LTSC 2015 (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md).
 
 >[!NOTE]
->Features in Windows 10 Enterprise 2016 LTSC are equivalent to Windows 10, version 1607.
+>Features in Windows 10 Enterprise LTSC 2016 are equivalent to Windows 10, version 1607.
 
 ## Deployment
 
@@ -71,7 +71,7 @@ Isolated User Mode is now included with Hyper-V so you don't have to install it
 
 When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name in this version of Windows 10. Customers who have already deployed Microsoft Passport for Work will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
 
-Additional changes for Windows Hello in Windows 10 Enterprise 2016 LTSC:
+Additional changes for Windows Hello in Windows 10 Enterprise LTSC 2016:
 
 - Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys.
 - Group Policy settings for managing Windows Hello for Business are now available for both **User Configuration** and **Computer Configuration**.

windows/whats-new/ltsc/whats-new-windows-10-2019.md

@@ -1,10 +1,10 @@
 ---
-title: What's new in Windows 10 Enterprise 2019 LTSC
+title: What's new in Windows 10 Enterprise LTSC 2019
 ms.reviewer: 
 manager: laurawi
 ms.author: greglin
-description: New and updated IT Pro content about new features in Windows 10 Enterprise 2019 LTSC (also known as Windows 10 Enterprise 2019 LTSB).
-keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise 2019 LTSC"]
+description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2019 (also known as Windows 10 Enterprise 2019 LTSB).
+keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise LTSC 2019"]
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
@@ -13,15 +13,15 @@ ms.localizationpriority: low
 ms.topic: article
 ---
 
-# What's new in Windows 10 Enterprise 2019 LTSC
+# What's new in Windows 10 Enterprise LTSC 2019
 
 **Applies to**
--   Windows 10 Enterprise 2019 LTSC
+-   Windows 10 Enterprise LTSC 2019
 
-This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise 2019 LTSC, compared to Windows 10 Enterprise 2016 LTSC (LTSB). For a brief description of the LTSC servicing channel and associated support, see [Windows 10 Enterprise LTSC](index.md).
+This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2019, compared to Windows 10 Enterprise LTSC 2016 (LTSB). For a brief description of the LTSC servicing channel and associated support, see [Windows 10 Enterprise LTSC](index.md).
 
 >[!NOTE]
->Features in Windows 10 Enterprise 2019 LTSC are equivalent to Windows 10, version 1809. 
+>Features in Windows 10 Enterprise LTSC 2019 are equivalent to Windows 10, version 1809. 
 
 Windows 10 Enterprise LTSC 2019 builds on Windows 10 Pro, version 1809 adding premium features designed to address the needs of large and mid-size organizations (including large academic institutions), such as:
 - Advanced protection against modern security threats 
@@ -85,7 +85,7 @@ Endpoint detection and response is improved. Enterprise customers can now take a
 
   Some of the highlights of the new library include [Evaluation guide for Microsoft Defender AV](/windows/threat-protection/microsoft-defender-antivirus//evaluate-microsoft-defender-antivirus) and [Deployment guide for Microsoft Defender AV in a virtual desktop infrastructure environment](/windows/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus).
 
-  New features for Microsoft Defender AV in Windows 10 Enterprise 2019 LTSC include:
+  New features for Microsoft Defender AV in Windows 10 Enterprise LTSC 2019 include:
 - [Updates to how the Block at First Sight feature can be configured](/windows/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus)
 - [The ability to specify the level of cloud-protection](/windows/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus)
 - [Microsoft Defender Antivirus protection in the Windows Defender Security Center app](/windows/threat-protection/microsoft-defender-antivirus/windows-defender-security-center-antivirus)
@@ -239,7 +239,7 @@ WSC now includes the Fluent Design System elements you know and love. You’ll a
 The security setting [**Interactive logon: Display user information when the session is locked**](/windows/device-security/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked) has been updated to work in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**.
 
 A new security policy setting
-[**Interactive logon: Don't display username at sign-in**](/windows/device-security/security-policy-settings/interactive-logon-dont-display-username-at-sign-in) has been introduced in Windows 10 Enterprise 2019 LTSC. This security policy setting determines whether the username is displayed during sign in. It works in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. The setting only affects the **Other user** tile.
+[**Interactive logon: Don't display username at sign-in**](/windows/device-security/security-policy-settings/interactive-logon-dont-display-username-at-sign-in) has been introduced in Windows 10 Enterprise LTSC 2019. This security policy setting determines whether the username is displayed during sign in. It works in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. The setting only affects the **Other user** tile.
 
 #### Windows 10 in S mode
 
@@ -251,7 +251,7 @@ We’ve continued to work on the **Current threats** area in  [Virus & threat pr
 
 ### Windows Autopilot
 
-[Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) is a deployment tool introduced with Windows 10, version 1709 and is also available for Windows 10 Enterprise 2019 LTSC (and later versions). Windows Autopilot provides a modern device lifecycle management service powered by the cloud to deliver a zero touch experience for deploying Windows 10. 
+[Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) is a deployment tool introduced with Windows 10, version 1709 and is also available for Windows 10 Enterprise LTSC 2019 (and later versions). Windows Autopilot provides a modern device lifecycle management service powered by the cloud to deliver a zero touch experience for deploying Windows 10. 
 
 Windows Autopilot is currently available with Surface, Dell, HP, and Lenovo. Other OEM partners such as Panasonic, and Acer will support Autopilot soon. Check the [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog) or this article for updated information.
 
@@ -265,7 +265,7 @@ IT Pros can use Autopilot Reset to quickly remove personal files, apps, and sett
 
 ### MBR2GPT.EXE
 
-MBR2GPT.EXE is a new command-line tool introduced with Windows 10, version 1703 and also available in Windows 10 Enterprise 2019 LTSC (and later versions). MBR2GPT converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS).
+MBR2GPT.EXE is a new command-line tool introduced with Windows 10, version 1703 and also available in Windows 10 Enterprise LTSC 2019 (and later versions). MBR2GPT converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS).
 
 The GPT partition format is newer and enables the use of larger and more disk partitions. It also provides added data reliability, supports additional partition types, and enables faster boot and shutdown speeds. If you convert the system disk on a computer from MBR to GPT, you must also configure the computer to boot in UEFI mode, so make sure that your device supports UEFI before attempting to convert the system disk.
 
@@ -293,7 +293,7 @@ For more information, see [DISM operating system uninstall command-line options]
 You can now run your own custom actions or scripts in parallel with Windows Setup. Setup will also migrate your scripts to next feature release, so you only need to add them once.
 
 Prerequisites:  
-- Windows 10, version 1803 or Windows 10 Enterprise 2019 LTSC, or later.
+- Windows 10, version 1803 or Windows 10 Enterprise LTSC 2019, or later.
 - Windows 10 Enterprise or Pro
 
 For more information, see [Run custom actions during feature update](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions).
@@ -332,7 +332,7 @@ SetupDiag works by searching Windows Setup log files. When searching log files,
 If you have shared devices deployed in your work place, **Fast sign-in** enables users to sign in to a [shared Windows 10 PC](https://docs.microsoft.com/windows/configuration/set-up-shared-or-guest-pc) in a flash!
 
 **To enable fast sign-in:**
-1. Set up a shared or guest device with Windows 10, version 1809 or Windows 10 Enterprise 2019 LTSC.
+1. Set up a shared or guest device with Windows 10, version 1809 or Windows 10 Enterprise LTSC 2019.
 2. Set the Policy CSP, and the **Authentication** and **EnableFastFirstSignIn** policies to enable fast sign-in.
 3. Sign-in to a shared PC with your account. You'll notice the difference!
 
@@ -428,7 +428,7 @@ The following new Group Policy and mobile device management (MDM) settings are a
 
 ### Start and taskbar layout
 
-Previously, the customized taskbar could only be deployed using Group Policy or provisioning packages. Windows 10 Enterprise 2019 LTSC adds support for customized taskbars to [MDM](/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management).
+Previously, the customized taskbar could only be deployed using Group Policy or provisioning packages. Windows 10 Enterprise LTSC 2019 adds support for customized taskbars to [MDM](/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management).
 
 [Additional MDM policy settings are available for Start and taskbar layout](/windows/configuration/windows-10-start-layout-options-and-policies). New MDM policy settings include:
 
@@ -467,7 +467,7 @@ You can now register your Azure AD domains to the Windows Insider Program. For m
 
 ### Optimize update delivery
 
-With changes delivered in Windows 10 Enterprise 2019 LTSC, [Express updates](/windows/deployment/update/waas-optimize-windows-10-updates#express-update-delivery) are now fully supported with Microsoft Endpoint Configuration Manager, starting with version 1702 of Configuration Manager, as well as with other third-party updating and management products that [implement this new functionality](https://technet.microsoft.com/windows-server-docs/management/windows-server-update-services/deploy/express-update-delivery-isv-support). This is in addition to current Express support on Windows Update, Windows Update for Business and WSUS.
+With changes delivered in Windows 10 Enterprise LTSC 2019, [Express updates](/windows/deployment/update/waas-optimize-windows-10-updates#express-update-delivery) are now fully supported with Microsoft Endpoint Configuration Manager, starting with version 1702 of Configuration Manager, as well as with other third-party updating and management products that [implement this new functionality](https://technet.microsoft.com/windows-server-docs/management/windows-server-update-services/deploy/express-update-delivery-isv-support). This is in addition to current Express support on Windows Update, Windows Update for Business and WSUS.
 
 >[!NOTE]
 > The above changes can be made available to Windows 10, version 1607, by installing the April 2017 cumulative update.
@@ -485,15 +485,15 @@ To check out all the details, see [Configure Delivery Optimization for Windows 1
 
 ### Uninstalled in-box apps no longer automatically reinstall
 
-Starting with Windows 10 Enterprise 2019 LTSC, in-box apps that were uninstalled by the user won't automatically reinstall as part of the feature update installation process.
+Starting with Windows 10 Enterprise LTSC 2019, in-box apps that were uninstalled by the user won't automatically reinstall as part of the feature update installation process.
 
-Additionally, apps de-provisioned by admins on Windows 10 Enterprise 2019 LTSC machines will stay de-provisioned after future feature update installations. This will not apply to the update from Windows 10 Enterprise 2016 LTSC (or earlier) to Windows 10 Enterprise 2019 LTSC.
+Additionally, apps de-provisioned by admins on Windows 10 Enterprise LTSC 2019 machines will stay de-provisioned after future feature update installations. This will not apply to the update from Windows 10 Enterprise LTSC 2016 (or earlier) to Windows 10 Enterprise LTSC 2019.
 
 ## Management
 
 ### New MDM capabilities
 
-Windows 10 Enterprise 2019 LTSC adds many new [configuration service providers (CSPs)](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) that provide new capabilities for managing Windows 10 devices using MDM or provisioning packages. Among other things, these CSPs enable you to configure a few hundred of the most useful Group Policy settings via MDM - see [Policy CSP - ADMX-backed policies](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-admx-backed).
+Windows 10 Enterprise LTSC 2019 adds many new [configuration service providers (CSPs)](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) that provide new capabilities for managing Windows 10 devices using MDM or provisioning packages. Among other things, these CSPs enable you to configure a few hundred of the most useful Group Policy settings via MDM - see [Policy CSP - ADMX-backed policies](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-admx-backed).
 
 Some of the other new CSPs are:
 
@@ -519,17 +519,17 @@ Multiple new configuration items are also added. For more information, see [What
 
 ### Mobile application management support for Windows 10
 
-The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP), starting in Windows 10 Enterprise 2019 LTSC.
+The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP), starting in Windows 10 Enterprise LTSC 2019.
 
 For more info, see [Implement server-side support for mobile application management on Windows](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/implement-server-side-mobile-application-management).
 
 ### MDM diagnostics
 
-In Windows 10 Enterprise 2019 LTSC, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we are introducing [Microsoft Message Analyzer](https://www.microsoft.com/download/details.aspx?id=44226) as an additional tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost.
+In Windows 10 Enterprise LTSC 2019, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we are introducing [Microsoft Message Analyzer](https://www.microsoft.com/download/details.aspx?id=44226) as an additional tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost.
 
 ### Application Virtualization for Windows (App-V)
 
-Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10 Enterprise 2019 LTSC introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Additionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart.
+Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10 Enterprise LTSC 2019 introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Additionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart.
 
 For more info, see the following topics:
 - [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-provision-a-vm)
@@ -546,7 +546,7 @@ Learn more about the diagnostic data that's collected at the Basic level and som
 
 ### Group Policy spreadsheet
 
-Learn about the new Group Policies that were added in Windows 10 Enterprise 2019 LTSC.
+Learn about the new Group Policies that were added in Windows 10 Enterprise LTSC 2019.
 
 - [Group Policy Settings Reference for Windows and Windows Server](https://www.microsoft.com/download/details.aspx?id=25250)
 
@@ -579,9 +579,9 @@ Miracast over Infrastructure offers a number of benefits:
 
 Enabling Miracast over Infrastructure:
 
-If you have a device that has been updated to Windows 10 Enterprise 2019 LTSC, then you automatically have this new feature. To take advantage of it in your environment, you need to ensure the following is true within your deployment:
+If you have a device that has been updated to Windows 10 Enterprise LTSC 2019, then you automatically have this new feature. To take advantage of it in your environment, you need to ensure the following is true within your deployment:
 
-- The device (PC, phone, or Surface Hub) needs to be running Windows 10, version 1703, Windows 10 Enterprise 2019 LTSC, or a later OS.
+- The device (PC, phone, or Surface Hub) needs to be running Windows 10, version 1703, Windows 10 Enterprise LTSC 2019, or a later OS.
 - A Windows PC or Surface Hub can act as a Miracast over Infrastructure *receiver*. A Windows PC or phone can act as a Miracast over Infrastructure *source*.
     - As a Miracast receiver, the PC or Surface Hub must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself.
     - As a Miracast source, the  PC or phone must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection.

windows/whats-new/whats-new-windows-10-version-20H2.md

@@ -88,7 +88,7 @@ For more information about what's new in MDM, see [What's new in mobile device e
 
 ### Microsoft Defender for Endpoint
 
-This release includes improved support for non-ASCII file paths has been added for Microsoft Defender for Endpoint Auto Incident Response (IR).
+This release includes improved support for non-ASCII file paths for Microsoft Defender Advanced Threat Protection (ATP) Auto Incident Response (IR).
 
 The [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) parameter is deprecated in this release.