Merge remote-tracking branch 'origin/master' into atp-api-danm

This commit is contained in:
Joey Caparas 2018-08-21 10:14:14 -07:00
commit 7306d4ba67
79 changed files with 2563 additions and 597 deletions

View File

@ -5261,11 +5261,6 @@
"redirect_document_id": true "redirect_document_id": true
}, },
{ {
"source_path": "windows/configuration/basic-level-windows-diagnostic-events-and-fields-1803.md",
"redirect_url": "/windows/configuration/basic-level-windows-diagnostic-events-and-fields",
"redirect_document_id": true
},
{
"source_path": "windows/configuration/windows-diagnostic-data-1709.md", "source_path": "windows/configuration/windows-diagnostic-data-1709.md",
"redirect_url": "/windows/configuration/windows-diagnostic-data", "redirect_url": "/windows/configuration/windows-diagnostic-data",
"redirect_document_id": true "redirect_document_id": true
@ -13731,6 +13726,11 @@
"redirect_document_id": true "redirect_document_id": true
}, },
{ {
"source_path": "windows/privacy/basic-level-windows-diagnostic-events-and-fields.md",
"redirect_url": "/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803",
"redirect_document_id": true
},
{
"source_path": "windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703.md", "source_path": "windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703.md",
"redirect_url": "/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703", "redirect_url": "/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703",
"redirect_document_id": true "redirect_document_id": true

View File

@ -8,8 +8,8 @@
|Group Policy |MDM |Registry |Description |Most restricted | |Group Policy |MDM |Registry |Description |Most restricted |
|---|:---:|:---:|---|:---:| |---|:---:|:---:|---|:---:|
|Disabled or not configured<br>**(default)** |0 |0 |Microsofot gathers only basic diagnostic data. |![Most restricted value](../images/check-gn.png) | |Disabled or not configured<br>**(default)** |0 |0 |Gather and send only basic diagnostic data. |![Most restricted value](../images/check-gn.png) |
|Enabled |1 |1 |Microsoft gathers all diagnostic data. For this policy to work correctly, you must set the diagnostic data in _Settings > Diagnostics & feedback_ to **Full**. | | |Enabled |1 |1 |Gather all diagnostic data. For this policy to work correctly, you must set the diagnostic data in _Settings > Diagnostics & feedback_ to **Full**. | |
--- ---
### ADMX info and settings ### ADMX info and settings
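Review bot: The two reworded Description cells are not parallel: the Disabled row now reads "Gather and send only basic diagnostic data." while the Enabled row reads "Gather all diagnostic data." with no "send". Use the same verbs in both rows. Dropping "Microsoft" also makes both rows read as instructions to the admin, so consider keeping a subject that says who collects the data.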

View File

@ -16,7 +16,7 @@
### ADMX info and settings ### ADMX info and settings
#### ADMX info #### ADMX info
- **GP English name:** Allow saving history - **GP English name:** Allow Saving History
- **GP name:** AllowSavingHistory - **GP name:** AllowSavingHistory
- **GP path:** Windows Components/Microsoft Edge - **GP path:** Windows Components/Microsoft Edge
- **GP ADMX file name:** MicrosoftEdge.admx - **GP ADMX file name:** MicrosoftEdge.admx
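Review bot: Changing the GP English name to title case ("Allow Saving History") is inconsistent with the other GP English names in this commit, which stay in sentence case ("Do not sync", "Prevent users from turning on browser syncing"). Use the casing of the string as it appears in the Group Policy editor and apply it the same way across all the includes.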

View File

@ -1,6 +1,6 @@
<!-- ## Configure Autofill --> <!-- ## Configure Autofill -->
>*Supported versions: Microsoft Edge on Windows 10*<br> >*Supported versions: Microsoft Edge on Windows 10*<br>
>*Default setting: Not configured* >*Default setting: Not configured (Blank)*
[!INCLUDE [configure-autofill-shortdesc](../shortdesc/configure-autofill-shortdesc.md)] [!INCLUDE [configure-autofill-shortdesc](../shortdesc/configure-autofill-shortdesc.md)]

View File

@ -9,7 +9,7 @@
|Group Policy |MDM |Registry |Description |Most restricted | |Group Policy |MDM |Registry |Description |Most restricted |
|---|:---:|:---:|---|:---:| |---|:---:|:---:|---|:---:|
|Not configured<br>**(default)** |Blank |Blank |Do not send tracking information but let users choose to send tracking information to sites they visit. | | |Not configured<br>**(default)** |Blank |Blank |Do not send tracking information but let users choose to send tracking information to sites they visit. | |
|Disabled |1 |1 |Never send tracking information. | | |Disabled |0 |0 |Never send tracking information. | |
|Enabled |1 |1 |Send tracking information. |![Most restricted value](../images/check-gn.png) | |Enabled |1 |1 |Send tracking information. |![Most restricted value](../images/check-gn.png) |
--- ---
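Review bot: With Disabled corrected to 0, the table still puts the Most restricted mark on the Enabled row ("Send tracking information.") and leaves "Never send tracking information." unmarked, which reads as inverted. If "tracking information" means the Do Not Track request, say so in the Description column; otherwise move the mark.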

View File

@ -1,5 +1,5 @@
<!-- ## Configure Home Button--> <!-- ## Configure Home Button-->
>*Supported versions: Microsoft Edge on Windows 10* >*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
>*Default setting: Disabled or not configured (Show home button and load the Start page)* >*Default setting: Disabled or not configured (Show home button and load the Start page)*
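Review bot: The Supported versions line has no trailing `<br>`, unlike the same line in the Autofill, search suggestions and Do not sync includes in this commit, so the two quoted lines will render as one. "next major update to Windows" is also a placeholder; replace it with the version number once it is known.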

View File

@ -14,9 +14,8 @@
--- ---
Verify not allowed/disabled settings: Verify not allowed/disabled settings:
1. In the upper-right corner of Microsoft Edge or Microsoft Edge for Windows 10 Mobile, click or tap ellipses (…). 1. Click or tap **More** (…) and select **Settings** > **View Advanced settings**.
2. Click **Settings** and select **View Advanced settings**. 2. Verify the settings **Save Password** is toggled off or on and is greyed out.
3. Verify the settings **Save Password** is toggled off or on and is greyed out.
### ADMX info and settings ### ADMX info and settings
#### ADMX info #### ADMX info
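Review bot: The new step 2, "Verify the settings **Save Password** is toggled off or on and is greyed out", mixes plural and singular; make it "Verify the setting **Save Password** is ...". Merging the old steps 1 and 2 also drops the mention of Microsoft Edge for Windows 10 Mobile; confirm that is intended.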

View File

@ -1,6 +1,6 @@
<!-- ## Configure search suggestions in Address bar --> <!-- ## Configure search suggestions in Address bar -->
>*Supported versions: Microsoft Edge on Windows 10*<br> >*Supported versions: Microsoft Edge on Windows 10*<br>
>*Default setting: Not configured* >*Default setting: Not configured (Blank)*
[!INCLUDE [configure-search-suggestions-in-address-bar-shortdesc](../shortdesc/configure-search-suggestions-in-address-bar-shortdesc.md)] [!INCLUDE [configure-search-suggestions-in-address-bar-shortdesc](../shortdesc/configure-search-suggestions-in-address-bar-shortdesc.md)]

View File

@ -8,15 +8,14 @@
|Group Policy |MDM |Registry |Description |Most restricted | |Group Policy |MDM |Registry |Description |Most restricted |
|---|:---:|:---:|---|:---:| |---|:---:|:---:|---|:---:|
|Not configured |Blank |Blank |Users can choose to use Windows Defender SmartScreen or not. | | |Not configured |Blank |Blank |Users can choose to use Windows Defender SmartScreen. | |
|Disabled |0 |0 |Turned off. Do not protect users from potential threats and prevent users from turning it on. | | |Disabled |0 |0 |Turned off. Do not protect users from potential threats and prevent users from turning it on. | |
|Enabled |1 |1 |Turned on. Protect users from potential threats and prevent users from turning it off. |![Most restricted value](../images/check-gn.png) | |Enabled |1 |1 |Turned on. Protect users from potential threats and prevent users from turning it off. |![Most restricted value](../images/check-gn.png) |
--- ---
To verify Windows Defender SmartScreen is turned off (disabled): To verify Windows Defender SmartScreen is turned off (disabled):
1. In the upper-right corner of Microsoft Edge or Microsoft Edge for Windows 10 Mobile, click or tap the ellipses (**...**). 1. Click or tap **More** (…) and select **Settings** > **View Advanced settings**.
2. Click **Settings** and select **View Advanced Settings**. 2. Verify the setting **Help protect me from malicious sites and download with SmartScreen Filter** is disabled.<p>![Verify that Windows Defender SmartScreen is turned off (disabled)](../images/allow-smart-screen-validation.PNG)
3. At the bottom, verify that **Help protect me from malicious sites and download with SmartScreen Filter** is greyed out.<p>![Verify that Windows Defender SmartScreen is turned off (disabled)](../images/allow-smart-screen-validation.PNG)
### ADMX info and settings ### ADMX info and settings
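Review bot: The new step 2 replaces "greyed out" with "is disabled", which is ambiguous under a heading that already says "turned off (disabled)": it can mean the toggle is off or that the control cannot be changed. The Save Password steps in this commit keep "greyed out"; use the same wording here or state both conditions. The reworded Not configured row ("Users can choose to use Windows Defender SmartScreen.") also loses the "or not", so it no longer says that users may leave it off.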

View File

@ -8,7 +8,7 @@
|Group Policy |MDM |Registry |Description |Most restricted | |Group Policy |MDM |Registry |Description |Most restricted |
|---|:---:|:---:|---|:---:| |---|:---:|:---:|---|:---:|
|Not configured |0 |0 |Lockdown Start pages configured in either the Configure Open Microsoft Edge With policy and Configure Start Pages policy. |![Most restricted value](../images/check-gn.png) | |Not configured |0 |0 |Lock down Start pages configured in either the Configure Open Microsoft Edge With policy and Configure Start Pages policy. |![Most restricted value](../images/check-gn.png) |
|Enabled |1 |1 |Unlocked. Users can make changes to all configured start pages.<p><p>When you enable this policy and define a set of URLs in the Configure Start Pages policy, Microsoft Edge uses the URLs defined in the Configure Open Microsoft Edge With policy. | | |Enabled |1 |1 |Unlocked. Users can make changes to all configured start pages.<p><p>When you enable this policy and define a set of URLs in the Configure Start Pages policy, Microsoft Edge uses the URLs defined in the Configure Open Microsoft Edge With policy. | |
--- ---
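Review bot: The reworded cell pairs "either" with "and" ("configured in either the Configure Open Microsoft Edge With policy and Configure Start Pages policy"); use "either ... or". The first column of that row is labelled only "Not configured" with value 0, where the other tables in this commit use "Disabled or not configured"; check which label is correct for this policy.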

View File

@ -1,6 +1,6 @@
<!-- ## Do not sync --> <!-- ## Do not sync -->
>*Supported versions: Microsoft Edge on Windows 10*<br> >*Supported versions: Microsoft Edge on Windows 10*<br>
>*Default setting: Disabled or not configured (Turned on)* >*Default setting: Disabled or not configured (Allowed/turned on)*
[!INCLUDE [do-not-sync-shortdesc](../shortdesc/do-not-sync-shortdesc.md)] [!INCLUDE [do-not-sync-shortdesc](../shortdesc/do-not-sync-shortdesc.md)]
@ -17,7 +17,7 @@
- **GP English name:** Do not sync - **GP English name:** Do not sync
- **GP name:** AllowSyncMySettings - **GP name:** AllowSyncMySettings
- **GP path:** Windows Components/Sync your settings - **GP path:** Windows Components/Sync your settings
- **GP ADMX file name:** MicrosoftEdge.admx - **GP ADMX file name:** SettingSync.admx
#### MDM settings #### MDM settings
- **MDM name:** Experience/[AllowSyncMySettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowsyncmysettings) - **MDM name:** Experience/[AllowSyncMySettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowsyncmysettings)

View File

@ -8,8 +8,8 @@
|Group Policy |MDM |Registry |Description |Most restricted | |Group Policy |MDM |Registry |Description |Most restricted |
|---|:---:|:---:|---|:---:| |---|:---:|:---:|---|:---:|
|Disabled or not configured<br>**(default)** |0 |0 |Turned off/not syncing. | | |Disabled or not configured<br>**(default)** |0 |0 |Turned off/not syncing | |
|Enabled |1 |1 |Turned on/syncing. |![Most restricted value](../images/check-gn.png) | |Enabled |1 |1 |Turned on/syncing |![Most restricted value](../images/check-gn.png) |
--- ---
### ADMX info and settings ### ADMX info and settings
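Review bot: The Most restricted mark sits on the Enabled row, "Turned on/syncing", which reads as the less restrictive state; confirm the mark or reword the descriptions so it is clear what Enabled blocks. Removing the trailing periods also makes these two cells inconsistent with the Description cells in the other tables in this commit, which end with a period.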

View File

@ -9,7 +9,7 @@
|Group Policy |MDM |Registry |Description |Most restricted | |Group Policy |MDM |Registry |Description |Most restricted |
|---|:---:|:---:|---|:---:| |---|:---:|:---:|---|:---:|
|Disabled or not configured<br>**(default)** |0 |0 |Allowed. | | |Disabled or not configured<br>**(default)** |0 |0 |Allowed. | |
|Enabled |1 |1 |Prevents users from access the about:flags page. |![Most restricted value](../images/check-gn.png) | |Enabled |1 |1 |Prevents users from accessing the about:flags page. |![Most restricted value](../images/check-gn.png) |
--- ---
### ADMX info and settings ### ADMX info and settings

View File

@ -7,7 +7,7 @@
|Group Policy |MDM |Registry |Description |Most restricted | |Group Policy |MDM |Registry |Description |Most restricted |
|---|:---:|:---:|---|:---:| |---|:---:|:---:|---|:---:|
|Disabled or not configured<br>**(default)** |0 |0 |Allowed/turned on. Overrides the security warning to sites that have SSL errors. | | |Disabled or not configured<br>**(default)** |0 |0 |Allowed/turned on. Override the security warning to sites that have SSL errors. | |
|Enabled |1 |1 |Prevented/turned on. |![Most restricted value](../images/check-gn.png) | |Enabled |1 |1 |Prevented/turned on. |![Most restricted value](../images/check-gn.png) |
--- ---
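Review bot: Changing "Overrides" to "Override" turns the default row into an imperative, so "Override the security warning to sites that have SSL errors." reads as if the default setting itself bypasses certificate warnings. Say who can do it, for example "Users can override the security warning for sites that have SSL errors." The Enabled row's "Prevented/turned on." next to "Allowed/turned on." is also hard to tell apart and could be reworded in the same pass.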

View File

@ -9,7 +9,7 @@
|Group Policy |MDM |Registry |Description |Most restricted | |Group Policy |MDM |Registry |Description |Most restricted |
|---|:---:|:---:|---|:---:| |---|:---:|:---:|---|:---:|
|Disabled or not configured<br>**(default)** |0 |0 |Collect and send Live Tile metadata. | | |Disabled or not configured<br>**(default)** |0 |0 |Collect and send Live Tile metadata. | |
|Enabled |1 |1 |Do not collect. |![Most restricted value](../images/check-gn.png) | |Enabled |1 |1 |No data collected. |![Most restricted value](../images/check-gn.png) |
--- ---
### ADMX info and settings ### ADMX info and settings

View File

@ -20,8 +20,8 @@ For more details about configuring the browser syncing options, see [Sync browse
#### ADMX info #### ADMX info
- **GP English name:** Prevent users from turning on browser syncing - **GP English name:** Prevent users from turning on browser syncing
- **GP name:** PreventUsersFromTurningOnBrowserSyncing - **GP name:** PreventUsersFromTurningOnBrowserSyncing
- **GP path:** Windows Components/Microsoft Edge - **GP path:** Windows Components/Sync your settings
- **GP ADMX file name:** MicrosoftEdge.admx - **GP ADMX file name:** SettingSync.admx
#### MDM settings #### MDM settings
- **MDM name:** Experience/[PreventUsersFromTurningOnBrowserSyncing](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-preventusersfromturningonbrowsersyncing) - **MDM name:** Experience/[PreventUsersFromTurningOnBrowserSyncing](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-preventusersfromturningonbrowsersyncing)

View File

@ -12,7 +12,7 @@
|Group Policy |Description |Most restricted | |Group Policy |Description |Most restricted |
|---|---|:---:| |---|---|:---:|
|Disabled or not configured<br>**(default)** |Users can customize the favorites list, such as adding folders, or adding and removing favorites. | | |Disabled or not configured<br>**(default)** |Users can customize the favorites list, such as adding folders, or adding and removing favorites. | |
|Enabled |Define a default list of favorites in Microsoft Edge. In this case, the Save a Favorite, Import settings, and context menu options (such as Create a new folder) are turned off.<p>To define a default list of favorites, do the following:<ol><li>In the upper-right corner of Microsoft Edge, click the ellipses (**...**) and select **Settings**.</li><li>Click **Import from another browser**, click **Export to file**, and save the file.</li><li>In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision. Specify the URL as: <ul><li>HTTP location: "SiteList"=http://localhost:8080/URLs.html</li><li>Local network: "SiteList"="\network\shares\URLs.html"</li><li>Local file: "SiteList"=file:///c:\Users\\Documents\URLs.html</li></ul></li></ol> |![Most restricted value](../images/check-gn.png) | |Enabled |Define a default list of favorites in Microsoft Edge. In this case, the Save a Favorite, Import settings, and context menu options (such as Create a new folder) are turned off.<p>To define a default list of favorites, do the following:<ol><li>In the upper-right corner of Microsoft Edge, click the ellipses (**...**) and select **Settings**.</li><li>Click **Import from another browser**, click **Export to file**, and save the file.</li><li>In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision. Specify the URL as: <ul><li>HTTP location: "SiteList"=http://localhost:8080/URLs.html</li><li>Local network: "SiteList"="\network\shares\URLs.html"</li><li>Local file: "SiteList"=file:///c:/Users/Documents/URLs.html</li></ul></li></ol> |![Most restricted value](../images/check-gn.png) |
--- ---
### ADMX info and settings ### ADMX info and settings
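Review bot: The Local file example now reads `file:///c:/Users/Documents/URLs.html`, with no user folder between Users and Documents. The old text had an empty segment at that spot (`c:\Users\\Documents`), so a user-name placeholder appears to have been lost and should be restored. The Local network example is unchanged and still starts with a single backslash (`\network\shares\URLs.html`), which is not a UNC path, and "points the file" in the same list item should be "points to the file".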

View File

@ -8,7 +8,7 @@
|Group Policy |MDM |Registry |Description |Most restricted | |Group Policy |MDM |Registry |Description |Most restricted |
|---|:---:|:---:|---|:---:| |---|:---:|:---:|---|:---:|
|Not configured<br>**(default)** |Blank |Blank |Microsoft Edge uses the default search engine specified in App settings. If you don't configure this policy and disable the [Allow search engine customization](#allow-search-engine-customization-include) policy, users cannot make changes. | | |Not configured<br>**(default)** |Blank |Blank |Microsoft Edge uses the default search engine specified in App settings. If you don't configure this policy and disable the [Allow search engine customization](../available-policies.md#allow-search-engine-customization) policy, users cannot make changes. | |
|Disabled |0 |0 |Microsoft Edge removes the policy-set search engine and uses the Microsoft Edge specified engine for the market. | | |Disabled |0 |0 |Microsoft Edge removes the policy-set search engine and uses the Microsoft Edge specified engine for the market. | |
|Enabled |1 |1 |Microsoft Edge uses the policy-set search engine specified in the OpenSearch XML file. Users cannot change the default search engine.<p><p>Specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/browser/search-provider-discovery). Use this format to specify the link you want to add.<p><p>If you want users to use the default Microsoft Edge settings for each market set the string to **EDGEDEFAULT**.<p><p>If you would like users to use Microsoft Bing as the default search engine set the string to **EDGEBING**. |![Most restricted value](../images/check-gn.png) | |Enabled |1 |1 |Microsoft Edge uses the policy-set search engine specified in the OpenSearch XML file. Users cannot change the default search engine.<p><p>Specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/browser/search-provider-discovery). Use this format to specify the link you want to add.<p><p>If you want users to use the default Microsoft Edge settings for each market set the string to **EDGEDEFAULT**.<p><p>If you would like users to use Microsoft Bing as the default search engine set the string to **EDGEBING**. |![Most restricted value](../images/check-gn.png) |
--- ---
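Review bot: The Enabled row, left unchanged by this hunk, says "Use this format to specify the link you want to add." but no format follows in the cell. Since the first row is being touched anyway, add the example link to the Enabled row or remove that sentence.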

View File

@ -8,7 +8,7 @@
|Group Policy |MDM |Registry |Description | |Group Policy |MDM |Registry |Description |
|---|:---:|:---:|---| |---|:---:|:---:|---|
|Disabled or not configured<br>**(default)** |0 |0 |Lock down the home button to prevent users from making changes to the home button settings. | |Disabled or not configured<br>**(default)** |0 |0 |Lock down and prevent users from making changes to the home button settings. |
|Enabled |1 |1 |Let users make changes. | |Enabled |1 |1 |Let users make changes. |
--- ---

View File

@ -1 +1 @@
Use the **[Provision Favorites](../available-policies.md#provision-favorites)** in place of Configure Favorites. Discontinued in Windows 10, version 1810. Use the **[Provision Favorites](../available-policies.md#provision-favorites)** policy instead.
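Review bot: "Discontinued in Windows 10, version 1810" names a specific version, while the Home Button include in this commit says only "next major update to Windows". If both refer to the same release, use one form in both places and confirm the version number before publishing.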

View File

@ -23,15 +23,11 @@ The MSIX Packaging Tool (Preview) is now available to install from the Microsoft
- A valid MSA alias (to access the app from the Store) - A valid MSA alias (to access the app from the Store)
## What's new ## What's new
v1.2018.808.0 v1.2018.820.0
- Ability to add/edit/remove file and registry exclusion items is now supported in Settings menu. - Command Line Support
- Fixed an issue where signing in with password protected certificates would fail in the tool. - Ability to use existing local virtual machines for packaging environment.
- Fixed an issue where the tool was crashing when editing an existing MSIX package. - Ability to cross check publisher information in the manifest with a signing certificate to avoid signing issues.
- Fixed an issue where the tool was injecting whitespaces programmatically to install location paths that was causing conversion failures. - Minor updates to the UI for added clarity.
- Minor UI tweaks to add clarity.
- Minor updates to the logs for added clarity.
## Installing the MSIX Packaging Tool ## Installing the MSIX Packaging Tool
@ -45,11 +41,139 @@ This is an early preview build and not all features are supported. Here is what
- Create a modification package for a newly created Application MSIX Package by launching the tool and selecting the **Modification package** icon. - Create a modification package for a newly created Application MSIX Package by launching the tool and selecting the **Modification package** icon.
- Open your MSIX package to view and edit its content/properties by navigating to the **Open package editor** tab. Browse to the MSIX package and select **Open package**. - Open your MSIX package to view and edit its content/properties by navigating to the **Open package editor** tab. Browse to the MSIX package and select **Open package**.
## Creating an application package using the Command line interface
To create a new MSIX package for your application, run the MsixPackagingTool.exe create-package command in a Command prompt window.
Here are the parameters that can be passed as command line arguments:
|Parameter |Description |
|---------|---------|
|-? <br> --help | Show help information |
|--virtualMachinePassword | [optional] The password for the Virtual Machine to be used for the conversion environment. Notes: The template file must contain a VirtualMachine element and the Settings::AllowPromptForPassword attribute must not be set to true. |
Examples:
- MsixPackagingTool.exe create-package --template c:\users\documents\ConversionTemplate.xml
- MSIXPackagingTool.exe create-package --template c:\users\documents\ConversionTemplate.xml --virtualMachinePassword
## Conversion template file
```xml
<MsixPackagingToolTemplate
xmlns="http://schemas.microsoft.com/appx/msixpackagingtool/template/2018">
<Settings
AllowTelemetry="true"
ApplyAllPrepareComputerFixes="true"
GenerateCommandLineFile="true"
AllowPromptForPassword="false" >
<ExclusionItems>
<FileExclusion ExcludePath="[{Cookies}]" />
<FileExclusion ExcludePath="[{History}]" />
<FileExclusion ExcludePath="[{Cache}]" />
<FileExclusion ExcludePath="[{Personal}]" />
<RegistryExclusion ExcludePath= "REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography" />
<RegistryExclusion ExcludePath= "REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography" />
<RegistryExclusion ExcludePath= "REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware" />
</ExclusionItems>
</Settings>
<PrepareComputer
DisableDefragService="true"
DisableWindowsSearchService="true"
DisableSmsHostService="true"
DisableWindowsUpdateService ="true"/>
<!--Note: this section takes precedence over the Settings::ApplyAllPrepareComputerFixes attribute -->
<SaveLocation Path="C:\users\user\Desktop" />
<Installer
Path="C:\MyAppInstaller.msi"
Arguments="/quiet"
InstallLocation="C:\Program Files\MyAppInstallationLocation" />
<VirtualMachine Name="vmname" Username="myusername" />
<PackageInformation
PackageName="MyAppPackageNAme"
PackageDisplayName="MyApp Display Name"
PublisherName="CN=MyPublisher"
PublisherDisplayName="MyPublisher Display Name"
Version="1.1.0.0"
MainPackageNameForModificationPackage="MainPackageIdentityName">
<Applications>
<Application
Id="App1"
Description="MyApp"
DisplayName="My App"
ExecutableName="MyApp.exe"/>
<!-- You can specify multiple application parameters for different executables in your package -->
</Applications>
<Capabilities>
</Capabilities>
</PackageInformation>
</MsixPackagingToolTemplate>
```
## Conversion template parameter reference
Here is the complete list of parameters that you can use in the Conversion template file.
|ConversionSettings entries |Description |
|---------|---------|
|Settings:: AllowTelemetry |[optional] Enables telemetry logging for this invocation of the tool. |
|Settings:: ApplyAllPrepareComputerFixes |[optional] Applies all recommended prepare computer fixes. Cannot be set when other attributes are used. |
|Settings:: GenerateCommandLineFile |[optional] Copies the template file input to the SaveLocation directory for future use. |
|Settings:: AllowPromptForPassword |[optional] Instructs the tool to prompt the user to enter passwords for the Virtual Machine and for the signing certificate if it is required and not specified. |
|ExclusionItems |[optional] 0 or more FileExclusion or RegistryExclusion elements. All FileExclusion elements must appear before any RegistryExclusion elements. |
|ExclusionItems::FileExclusion |[optional] A file to exclude for packaging. |
|ExclusionItems::FileExclusion::ExcludePath |Path to file to exclude for packaging. |
|ExclusionItems::RegistryExclusion |[optional] A registry key to exclude for packaging. |
|ExclusionItems::RegistryExclusion:: ExcludePath |Path to registry to exclude for packaging. |
|PrepareComputer::DisableDefragService |[optional] Disables Windows Defragmenter while the app is being converted. If set to false, overrides ApplyAllPrepareComputerFixes. |
|PrepareComputer:: DisableWindowsSearchService |[optional] Disables Windows Search while the app is being converted. If set to false, overrides ApplyAllPrepareComputerFixes. |
|PrepareComputer:: DisableSmsHostService |[optional] Disables SMS Host while the app is being converted. If set to false, overrides ApplyAllPrepareComputerFixes. |
|PrepareComputer:: DisableWindowsUpdateService |[optional] Disables Windows Update while the app is being converted. If set to false, overrides ApplyAllPrepareComputerFixes. |
|SaveLocation |[optional] An element to specify the save location of the tool. If not specified, the package will be saved under the Desktop folder. |
|SaveLocation::Path |The path to the folder where the resulting MSIX package is saved. |
|Installer::Path |The path to the application installer. |
|Installer::Arguments |The arguments to pass to the installer. You must pass the arguments to force your installer to run unattended/silently. |
|Installer::InstallLocation |[optional] The full path to your application's root folder for the installed files if it were installed (e.g. "C:\Program Files (x86)\MyAppInstalllocation"). |
|VirtualMachine |[optional] An element to specify that the conversion will be run on a local Virtual Machine. |
|VrtualMachine::Name |The name of the Virtual Machine to be used for the conversion environment. |
|VirtualMachine::Username |[optional] The user name for the Virtual Machine to be used for the conversion environment. |
|PackageInformation::PackageName |The Package Name for your MSIX package. |
|PackageInformation::PackageDisplayName |The Package Display Name for your MSIX package. |
|PackageInformation::PublisherName |The Publisher for your MSIX package. |
|PackageInformation::PublisherDisplayName |The Publisher Display Name for your MSIX package. |
|PackageInformation::Version |The version number for your MSIX package. |
|PackageInformation:: MainPackageNameForModificationPackage |[optional] The Package identity name of the main package name. This is used when creating a modification package that takes a dependency on a main (parent) application. |
|Applications |[optional] 0 or more Application elements to configure the Application entries in your MSIX package. |
|Application::Id |The App ID for your MSIX application. This ID will be used for the Application entry detected that matches the specified ExecutableName. You can have multiple Application ID for executables in the package |
|Application::ExecutableName |The executable name for the MSIX application that will be added to the package manifest. The corresponding application entry will be ignored if no application with this name is detected. |
|Application::Description |[optional] The App Description for your MSIX application. If not used, the Application DisplayName will be used. This description will be used for the application entry detected that matches the specified ExecutableName |
|Application::DisplayName |The App Display Name for your MSIX package. This Display Name will be used for the application entry detected that matches the specified ExecutableName |
|Capabilities |[optional] 0 or more Capability elements to add custom capabilities to your MSIX package. “runFullTrust” capability is added by default during conversion. |
|Capability::Name |The capability to add to your MSIX package. |
## Delete temporary conversion files using Command line interface
To delete all the temporary package files, logs, and artifacts created by the tool, run the MsixPackagingTool.exe cleanup command in the Command line window.
Example:
- MsixPackagingTool.exe cleanup
## Unsupported features
Features not supported in the tool are currently greyed out. Here are some of the highlighted missing features: Features not supported in the tool are currently greyed out. Here are some of the highlighted missing features:
- Package Support Framework integration. For more detail on how you can use Package Support Framework today, check out the article posted on the [MSIX blog](https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FMSIX-Blog%2FMSIX-Package-Support-Framework-is-now-available-on-GitHub%2Fba-p%2F214548&data=02%7C01%7Cpezan%40microsoft.com%7Cbe2761c174cd465136ce08d5f1252d8a%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636680064344941094&sdata=uW3oOOEYQxd0iVgsJkZXZTQwlvf%2FimVCaOdFUXcRoeY%3D&reserved=0). - Package Support Framework integration. For more detail on how you can use Package Support Framework today, check out the article posted on the [MSIX blog](https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FMSIX-Blog%2FMSIX-Package-Support-Framework-is-now-available-on-GitHub%2Fba-p%2F214548&data=02%7C01%7Cpezan%40microsoft.com%7Cbe2761c174cd465136ce08d5f1252d8a%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636680064344941094&sdata=uW3oOOEYQxd0iVgsJkZXZTQwlvf%2FimVCaOdFUXcRoeY%3D&reserved=0).
- Packaging on existing virtual machines. You can still install the Tool on a fresh VM, but the tool cannot currently spawn off a conversion from a local machine to an existing VM.
- Command Line Interface support
- Conversion of App-V 4.x packages - Conversion of App-V 4.x packages
## How to file feedback ## How to file feedback
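Review bot: The new command-line parameter table lists only `-?`/`--help` and `--virtualMachinePassword`, but both examples depend on `--template`, which is never documented, and the second example ends at `--virtualMachinePassword` with no value. Add a `--template` row and show a placeholder value in the second example. In the reference table `VrtualMachine::Name` is misspelled, and the sample template has `PackageName="MyAppPackageNAme"`. The unchanged MSIX blog link in the Unsupported features list still goes through a safelinks.protection.outlook.com wrapper that embeds a recipient e-mail address; link to the techcommunity.microsoft.com URL directly.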

View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10 ms.prod: w10
ms.technology: windows ms.technology: windows
author: MariciaAlforque author: MariciaAlforque
ms.date: 07/27/2018 ms.date: 08/17/2018
--- ---
# Configuration service provider reference # Configuration service provider reference
@ -22,7 +22,6 @@ Additional lists:
- [List of CSPs supported in Windows Holographic](#hololens) - [List of CSPs supported in Windows Holographic](#hololens)
- [List of CSPs supported in Microsoft Surface Hub ](#surfacehubcspsupport) - [List of CSPs supported in Microsoft Surface Hub ](#surfacehubcspsupport)
- [List of CSPs supported in Windows 10 IoT Core](#iotcoresupport) - [List of CSPs supported in Windows 10 IoT Core](#iotcoresupport)
- [List of CSPs supported in Windows 10 S](#windows10s)
The following tables show the configuration service providers support in Windows 10. The following tables show the configuration service providers support in Windows 10.
Footnotes: Footnotes:
@ -2752,59 +2751,4 @@ The following list shows the configuration service providers supported in Window
- [VPNv2 CSP](vpnv2-csp.md) - [VPNv2 CSP](vpnv2-csp.md)
- [WiFi CSP](wifi-csp.md) - [WiFi CSP](wifi-csp.md)
## <a href="" id="windows10s"></a>CSPs supported in Windows 10 S
The CSPs supported in Windows 10 S is the same as in Windows 10 Pro except that Office CSP and EnterpriseDesktop CSP are not available in Windows 10 S. Here is the list:
- [ActiveSync CSP](activesync-csp.md)
- [APPLICATION CSP](application-csp.md)
- [AppLocker CSP](applocker-csp.md)
- [AssignedAccess CSP](assignedaccess-csp.md)
- [BOOTSTRAP CSP](bootstrap-csp.md)
- [CellularSettings CSP](cellularsettings-csp.md)
- [CertificateStore CSP](certificatestore-csp.md)
- [ClientCertificateInstall CSP](clientcertificateinstall-csp.md)
- [CMPolicy CSP](cmpolicy-csp.md)
- [CM_ProxyEntries CSP](cm-proxyentries-csp.md)
- [CM_CellularEntries CSP](cm-cellularentries-csp.md)
- [Defender CSP](defender-csp.md)
- [DevDetail CSP](devdetail-csp.md)
- [DeviceManageability CSP](devicemanageability-csp.md)
- [DeviceStatus CSP](devicestatus-csp.md)
- [DevInfo CSP](devinfo-csp.md)
- [DiagnosticLog CSP](diagnosticlog-csp.md)
- [DMAcc CSP](dmacc-csp.md)
- [DMClient CSP](dmclient-csp.md)
- [eUICCs CSP](euiccs-csp.md)
- [Firewall CSP](firewall-csp.md)
- [EMAIL2 CSP](email2-csp.md)
- [EnterpriseAPN CSP](enterpriseapn-csp.md)
- [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)
- [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)
- [HealthAttestation CSP](healthattestation-csp.md)
- [NAP CSP](nap-csp.md)
- [NAPDEF CSP](napdef-csp.md)
- [NetworkProxy CSP](networkproxy-csp.md)
- [NodeCache CSP](nodecache-csp.md)
- [PassportForWork CSP](passportforwork-csp.md)
- [Policy CSP](policy-configuration-service-provider.md)
- [Provisioning CSP](provisioning-csp.md)
- [PROXY CSP](proxy-csp.md)
- [PXLOGICAL CSP](pxlogical-csp.md)
- [Reboot CSP](reboot-csp.md)
- [RemoteFind CSP](remotefind-csp.md)
- [RemoteWipe CSP](remotewipe-csp.md)
- [Reporting CSP](reporting-csp.md)
- [RootCATrustedCertificates CSP](rootcacertificates-csp.md)
- [SecureAssessment CSP](secureassessment-csp.md)
- [SecurityPolicy CSP](securitypolicy-csp.md)
- [SharedPC CSP](sharedpc-csp.md)
- [Storage CSP](storage-csp.md)
- [SUPL CSP](supl-csp.md)
- [Update CSP](update-csp.md)
- [VPNv2 CSP](vpnv2-csp.md)
- [WiFi CSP](wifi-csp.md)
- [Win32AppInventory CSP](win32appinventory-csp.md)
- [WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md)
- [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)
- [WindowsLicensing CSP](windowslicensing-csp.md)
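Review bot: deleting this section also deletes the `id="windows10s"` anchor, so any link to `#windows10s` from another topic will silently land at the top of the page; the hunk at -22,7 only removes the in-page link. The deleted text also stated that Office CSP and EnterpriseDesktop CSP are not available in Windows 10 S. If that restriction still holds, keep a one-line statement of it, because administrators use this list to decide which management channels exist on a locked-down SKU.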

Binary file not shown.


View File

@ -1201,6 +1201,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<li>Search/AllowCortanaInAAD</li> <li>Search/AllowCortanaInAAD</li>
<li>Search/DoNotUseWebResults</li> <li>Search/DoNotUseWebResults</li>
<li>Security/ConfigureWindowsPasswords</li> <li>Security/ConfigureWindowsPasswords</li>
<li>Start/DisableContextMenus</li>
<li>System/FeedbackHubAlwaysSaveDiagnosticsLocally</li> <li>System/FeedbackHubAlwaysSaveDiagnosticsLocally</li>
<li>SystemServices/ConfigureHomeGroupListenerServiceStartupMode</li> <li>SystemServices/ConfigureHomeGroupListenerServiceStartupMode</li>
<li>SystemServices/ConfigureHomeGroupProviderServiceStartupMode</li> <li>SystemServices/ConfigureHomeGroupProviderServiceStartupMode</li>
@ -1414,6 +1415,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<li>Experience/DoNotSyncBrowserSettings</li> <li>Experience/DoNotSyncBrowserSettings</li>
<li>Experience/PreventUsersFromTurningOnBrowserSyncing</li> <li>Experience/PreventUsersFromTurningOnBrowserSyncing</li>
<li>Privacy/AllowCrossDeviceClipboard</li> <li>Privacy/AllowCrossDeviceClipboard</li>
<li>Privacy/DisablePrivacyExperience</li>
<li>Privacy/UploadUserActivities</li> <li>Privacy/UploadUserActivities</li>
<li>Security/RecoveryEnvironmentAuthentication</li> <li>Security/RecoveryEnvironmentAuthentication</li>
<li>TaskManager/AllowEndTask</li> <li>TaskManager/AllowEndTask</li>
@ -1469,6 +1471,10 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<td style="vertical-align:top"><p>Added new settings in Windows 10, next major version.</p> <td style="vertical-align:top"><p>Added new settings in Windows 10, next major version.</p>
</td></tr> </td></tr>
<tr> <tr>
<td style="vertical-align:top">[RemoteWipe CSP](remotewipe-csp.md)</td>
<td style="vertical-align:top"><p>Added new settings in Windows 10, next major version.</p>
</td></tr>
<tr>
<td style="vertical-align:top">[TenantLockdown CSP](\tenantlockdown--csp.md)</td> <td style="vertical-align:top">[TenantLockdown CSP](\tenantlockdown--csp.md)</td>
<td style="vertical-align:top"><p>Added new CSP in Windows 10, next major version.</p> <td style="vertical-align:top"><p>Added new CSP in Windows 10, next major version.</p>
</td></tr> </td></tr>
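Review bot: the new RemoteWipe row follows the pattern of the context row directly below it, and that row's link target `\tenantlockdown--csp.md` has a leading backslash and a doubled hyphen, which looks like a typo that will not resolve. Worth fixing in the same pass. Also confirm that Markdown link syntax renders inside the raw `<td>` elements, since the added row relies on it.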
@ -1757,6 +1763,10 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
</thead> </thead>
<tbody> <tbody>
<tr> <tr>
<td style="vertical-align:top">[RemoteWipe CSP](remotewipe-csp.md)</td>
<td style="vertical-align:top"><p>Added new settings in Windows 10, next major version.</p>
</td></tr>
<tr>
<td style="vertical-align:top">[TenantLockdown CSP](\tenantlockdown--csp.md)</td> <td style="vertical-align:top">[TenantLockdown CSP](\tenantlockdown--csp.md)</td>
<td style="vertical-align:top"><p>Added new CSP in Windows 10, next major version.</p> <td style="vertical-align:top"><p>Added new CSP in Windows 10, next major version.</p>
</td></tr> </td></tr>
@ -1792,9 +1802,11 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<li>Experience/DoNotSyncBrowserSettings</li> <li>Experience/DoNotSyncBrowserSettings</li>
<li>Experience/PreventUsersFromTurningOnBrowserSyncing</li> <li>Experience/PreventUsersFromTurningOnBrowserSyncing</li>
<li>Privacy/AllowCrossDeviceClipboard</li> <li>Privacy/AllowCrossDeviceClipboard</li>
<li>Privacy/DisablePrivacyExperience</li>
<li>Privacy/UploadUserActivities</li> <li>Privacy/UploadUserActivities</li>
<li>Update/UpdateNotificationLevel</li> <li>Update/UpdateNotificationLevel</li>
</ul> </ul>
<p>Start/DisableContextMenus - added in Windows 10, version 1803.</p>
</td></tr> </td></tr>
</tbody> </tbody>
</table> </table>
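Review bot: `Start/DisableContextMenus` is added as a free-standing `<p>` after the closing `</ul>`, while every other policy in this cell is an `<li>`. Put it in the list with the version qualifier inline, so the entry is not missed by anyone scanning the list and stays consistent with the same policy added as an `<li>` in the hunk at -1201,6.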

View File

@ -6,13 +6,16 @@ ms.topic: article
ms.prod: w10 ms.prod: w10
ms.technology: windows ms.technology: windows
author: MariciaAlforque author: MariciaAlforque
ms.date: 04/25/2018 ms.date: 08/15/2018
--- ---
# Office CSP # Office CSP
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool (ODT). For more information, see [Configuration options for the Office Deployment Tool](https://technet.microsoft.com/en-us/library/jj219426.aspx) and [How to assign Office 365 apps to Windows 10 devices with Microsoft Intune](https://docs.microsoft.com/en-us/intune/apps-add-office365). The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool (ODT). For more information, see [Configuration options for the Office Deployment Tool](https://technet.microsoft.com/en-us/library/jj219426.aspx) and [How to assign Office 365 apps to Windows 10 devices with Microsoft Intune](https://docs.microsoft.com/en-us/intune/apps-add-office365).
This CSP was added in Windows 10, version 1703. This CSP was added in Windows 10, version 1703.
For additional information, see [Office DDF](office-ddf.md). For additional information, see [Office DDF](office-ddf.md).
@ -21,39 +24,44 @@ The following diagram shows the Office configuration service provider in tree fo
![Office CSP diagram](images/provisioning-csp-office.png) ![Office CSP diagram](images/provisioning-csp-office.png)
<a href="" id="office"></a>**Office** <a href="" id="office"></a>**./Device/Vendor/MSFT/Office/ or ./User/Vendor/MSFT/Office**
The root node for the Office configuration service provider.</p>
<p style="margin-left: 20px">The root node for the Office configuration service provider.</p>
<a href="" id="installation"></a>**Installation** <a href="" id="installation"></a>**Installation**
Specifies the options for the Microsoft Office installation.
<p style="margin-left: 20px">Specifies the options for the Microsoft Office installation. The supported operations are Add, Delete, Get, and Replace.
<p style="margin-left: 20px">The supported operations are Add, Delete, Get, and Replace. <a href="" id="id"></a>**Installation/_id_**
Specifies a unique identifier that represents the ID of the Microsoft Office product to install.
<a href="" id="id"></a>**id** The supported operations are Add, Delete, Get, and Replace.
<p style="margin-left: 20px">Specifies a unique identifier that represents the ID of the Microsoft Office product to install. <a href="" id="install"></a>**Installation/_id_/Install**
Installs Office by using the XML data specified in the configuration.xml file.
<p style="margin-left: 20px">The supported operations are Add, Delete, Get, and Replace. The supported operations are Get and Execute.
<a href="" id="install"></a>**Install** <a href="" id="status"></a>**Installation/_id_/Status**
The Microsoft Office installation status.
<p style="margin-left: 20px">Installs Office by using the XML data specified in the configuration.xml file. The only supported operation is Get.
<p style="margin-left: 20px">The supported operations are Get and Execute. <a href="" id="finalstatus"></a>**Installation/_id_/FinalStatus**
Added in Windows 10, next major version. Indicates the status of the Final Office 365 installation.
<a href="" id="status"></a>**Status** The only supported operation is Get.
<p style="margin-left: 20px">The Microsoft Office installation status. Behavior:
- When Office CSP is triggered to install, it will first check if the FinalStatus node exists or not. If the node exists, delete it.
- When Office installation reaches any terminal states (either success or failure), this node is created that contains the following values:
- When status = 0: 70 (succeeded)
- When status != 0: 60 (failed)
<p style="margin-left: 20px">The only supported operation is Get. <a href="" id="currentstatus"></a>**Installation/CurrentStatus**
Returns an XML of current Office 365 installation status on the device.
<a href="" id="currentstatus"></a>**CurrentStatus** The only supported operation is Get.
<p style="margin-left: 20px">Returns an XML of current Office 365 installation status on the device.
<p style="margin-left: 20px">The only supported operation is Get.
## Examples ## Examples
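Review bot: the rewritten root-node description keeps a closing `</p>` ("The root node for the Office configuration service provider.</p>") after its opening `<p style=...>` was removed, leaving an unbalanced tag; drop the `</p>`. In the same heading, `./Device/Vendor/MSFT/Office/` has a trailing slash and `./User/Vendor/MSFT/Office` does not, so pick one form. For FinalStatus, the behaviour list says the node is deleted when an install is triggered and recreated at a terminal state; state explicitly that a missing node means the installation is still in progress, so a management server polling it does not treat "not found" as a failure.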

View File

@ -7,17 +7,19 @@ ms.topic: article
ms.prod: w10 ms.prod: w10
ms.technology: windows ms.technology: windows
author: MariciaAlforque author: MariciaAlforque
ms.date: 12/05/2017 ms.date: 08/15/2018
--- ---
# Office DDF # Office DDF
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the OMA DM device description framework (DDF) for the **Office** configuration service provider. DDF files are used only with OMA DM provisioning XML. This topic shows the OMA DM device description framework (DDF) for the **Office** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
The XML below is for Windows 10, version 1709. The XML below is for Windows 10, next major version.
``` syntax ``` syntax
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
@ -33,7 +35,7 @@ The XML below is for Windows 10, version 1709.
<AccessType> <AccessType>
<Get /> <Get />
</AccessType> </AccessType>
<Description>Root of the Office CSP.</Description> <Description>Root of the office CSP.</Description>
<DFFormat> <DFFormat>
<node /> <node />
</DFFormat> </DFFormat>
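Review bot: this Description changes "Office CSP" to "office CSP", and the later Description edits in this file do the same ("install office", "Installation options for the office CSP"). Office is a product name and the surrounding topic text capitalizes it, so keep the original casing unless the DDF shipped on the device really uses lowercase, in which case say so in the commit message.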
@ -44,7 +46,7 @@ The XML below is for Windows 10, version 1709.
<Permanent /> <Permanent />
</Scope> </Scope>
<DFType> <DFType>
<MIME>com.microsoft/1.3/MDM/Office</MIME> <MIME>com.microsoft/1.5/MDM/Office</MIME>
</DFType> </DFType>
</DFProperties> </DFProperties>
<Node> <Node>
@ -53,7 +55,7 @@ The XML below is for Windows 10, version 1709.
<AccessType> <AccessType>
<Get /> <Get />
</AccessType> </AccessType>
<Description>Installation options for the Office CSP.</Description> <Description>Installation options for the office CSP.</Description>
<DFFormat> <DFFormat>
<node /> <node />
</DFFormat> </DFFormat>
@ -98,7 +100,7 @@ The XML below is for Windows 10, version 1709.
<Exec /> <Exec />
<Get /> <Get />
</AccessType> </AccessType>
<Description>The install action will install Office given the configuration in the data. The string data is the xml configuration to use in order to install Office.</Description> <Description>The install action will install office given the configuration in the data. The string data is the xml configuration to use in order to install office.</Description>
<DFFormat> <DFFormat>
<chr /> <chr />
</DFFormat> </DFFormat>
@ -134,6 +136,27 @@ The XML below is for Windows 10, version 1709.
</DFType> </DFType>
</DFProperties> </DFProperties>
</Node> </Node>
<Node>
<NodeName>FinalStatus</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Final Office 365 installation status.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node> </Node>
<Node> <Node>
<NodeName>CurrentStatus</NodeName> <NodeName>CurrentStatus</NodeName>
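Review bot: the new FinalStatus node is declared as `<int />` with only "Final Office 365 installation status." as its Description, so the DDF gives no hint of what the integer means. The Office CSP topic in this same commit documents 70 (succeeded) and 60 (failed); repeat those values in the Description here and in the identical node added at -261,6, so that consumers working from the DDF alone can interpret the result.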
@ -175,7 +198,7 @@ The XML below is for Windows 10, version 1709.
<Permanent /> <Permanent />
</Scope> </Scope>
<DFType> <DFType>
<MIME>com.microsoft/1.3/MDM/Office</MIME> <MIME>com.microsoft/1.5/MDM/Office</MIME>
</DFType> </DFType>
</DFProperties> </DFProperties>
<Node> <Node>
@ -261,6 +284,27 @@ The XML below is for Windows 10, version 1709.
</DFType> </DFType>
</DFProperties> </DFProperties>
</Node> </Node>
<Node>
<NodeName>FinalStatus</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Final Office 365 installation status.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node> </Node>
<Node> <Node>
<NodeName>CurrentStatus</NodeName> <NodeName>CurrentStatus</NodeName>
@ -287,13 +331,3 @@ The XML below is for Windows 10, version 1709.
</Node> </Node>
</MgmtTree> </MgmtTree>
``` ```
 
 

View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10 ms.prod: w10
ms.technology: windows ms.technology: windows
author: MariciaAlforque author: MariciaAlforque
ms.date: 08/14/2018 ms.date: 08/17/2018
--- ---
# Policy CSP # Policy CSP
@ -131,8 +131,6 @@ The following diagram shows the Policy configuration service provider in tree fo
<p style="margin-left: 20px">Supported operations are Add and Get. Does not support Delete. <p style="margin-left: 20px">Supported operations are Add and Get. Does not support Delete.
> [!Note]
> The policies supported in Windows 10 S are the same as those supported in Windows 10 Pro with the exception of the policies under ApplicationDefaults. The ApplicationDefaults policies are not supported in Windows 10 S.
## Policies ## Policies
@ -2062,6 +2060,9 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd> <dd>
<a href="./policy-csp-kerberos.md#kerberos-setmaximumcontexttokensize" id="kerberos-setmaximumcontexttokensize">Kerberos/SetMaximumContextTokenSize</a> <a href="./policy-csp-kerberos.md#kerberos-setmaximumcontexttokensize" id="kerberos-setmaximumcontexttokensize">Kerberos/SetMaximumContextTokenSize</a>
</dd> </dd>
<dd>
<a href="./policy-csp-kerberos.md#kerberos-upnnamehints" id="kerberos-upnnamehints">Kerberos/UPNNameHints</a>
</dd>
</dl> </dl>
### KioskBrowser policies ### KioskBrowser policies

View File

@ -425,7 +425,16 @@ Most restricted value: 0
[!INCLUDE [allow-configuration-updates-for-books-library-shortdesc](../../../browsers/edge/shortdesc/allow-configuration-updates-for-books-library-shortdesc.md)] [!INCLUDE [allow-configuration-updates-for-books-library-shortdesc](../../../browsers/edge/shortdesc/allow-configuration-updates-for-books-library-shortdesc.md)]
<!--/Description--> <!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Allow configuration updates for the Books Library*
- GP name: *AllowConfigurationUpdateForBooksLibrary*
- GP path: *Windows Components/Microsoft Edge*
- GP ADMX file name: *MicrosoftEdge.admx*
<!--/ADMXMapped-->
<!--SupportedValues--> <!--SupportedValues-->
Supported values: Supported values:
@ -476,9 +485,6 @@ Supported values:
<!--Description--> <!--Description-->
[!INCLUDE [configure-cookies-shortdesc](../../../browsers/edge/shortdesc/configure-cookies-shortdesc.md)] [!INCLUDE [configure-cookies-shortdesc](../../../browsers/edge/shortdesc/configure-cookies-shortdesc.md)]
<!--/Description--> <!--/Description-->
<!--ADMXMapped--> <!--ADMXMapped-->
ADMX Info: ADMX Info:
@ -504,7 +510,7 @@ To verify AllowCookies is set to 0 (not allowed):
1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile. 1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile.
2. In the upper-right corner of the browser, click **…**. 2. In the upper-right corner of the browser, click **…**.
3. Click **Settings** in the drop down list, and select **View Advanced Settings**. 3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
4. Verify the setting **Cookies** is greyed out. 4. Verify the setting **Cookies** is disabled.
<!--/Validation--> <!--/Validation-->
<!--/Policy--> <!--/Policy-->
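Review bot: step 4 now reads "Verify the setting **Cookies** is disabled", which is ambiguous in a validation procedure: it can mean the control is greyed out and cannot be changed, or that the feature is switched off. The old wording ("greyed out") described what the tester should see. Suggest wording such as "is unavailable (cannot be changed)" so the check confirms the policy is enforced rather than the user's current choice. The same applies to the other validation steps reworded in this file.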
@ -697,8 +703,8 @@ ADMX Info:
<!--SupportedValues--> <!--SupportedValues-->
Supported values: Supported values:
- 0 Prevented/not allowed. - 0 Prevented/not allowed
- 1 (default) Allowed. - 1 (default) Allowed
<!--/SupportedValues--> <!--/SupportedValues-->
<!--/Policy--> <!--/Policy-->
@ -758,8 +764,8 @@ ADMX Info:
<!--SupportedValues--> <!--SupportedValues-->
Supported values: Supported values:
- 0 Prevented/not allowed. - 0 Prevented/not allowed
- 1 (default) Allowed. - 1 (default) Allowed
<!--/SupportedValues--> <!--/SupportedValues-->
<!--/Policy--> <!--/Policy-->
@ -803,7 +809,7 @@ Supported values:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
>*Supported versions: Microsoft Edge on Windows 10, version 1703* >*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
[!INCLUDE [configure-adobe-flash-click-to-run-setting-shortdesc](../../../browsers/edge/shortdesc/configure-adobe-flash-click-to-run-setting-shortdesc.md)] [!INCLUDE [configure-adobe-flash-click-to-run-setting-shortdesc](../../../browsers/edge/shortdesc/configure-adobe-flash-click-to-run-setting-shortdesc.md)]
@ -821,9 +827,10 @@ ADMX Info:
Supported values: Supported values:
- 0 Load and run Adobe Flash content automatically. - 0 Load and run Adobe Flash content automatically.
- 1 (default) Do not load or run Adobe Flash content automatically. Requires user action. - 1 (default) Does not load or run Adobe Flash content automatically. Requires action from the user.
Most restricted value: 1 Most restricted value: 1
<!--/SupportedValues--> <!--/SupportedValues-->
<!--/Policy--> <!--/Policy-->
@ -882,10 +889,12 @@ ADMX Info:
<!--/ADMXMapped--> <!--/ADMXMapped-->
<!--SupportedValues--> <!--SupportedValues-->
Supported values: Supported values:
- 0 - Prevented/not allowed - 0 - Prevented/not allowed
- 1 (default) - Allowed - 1 (default) - Allowed
Most restricted value: 0 Most restricted value: 0
<!--/SupportedValues--> <!--/SupportedValues-->
<!--Example--> <!--Example-->
@ -936,8 +945,6 @@ Most restricted value: 0
<!--Description--> <!--Description-->
[!INCLUDE [allow-inprivate-browsing-shortdesc](../../../browsers/edge/shortdesc/allow-inprivate-browsing-shortdesc.md)] [!INCLUDE [allow-inprivate-browsing-shortdesc](../../../browsers/edge/shortdesc/allow-inprivate-browsing-shortdesc.md)]
Most restricted value: 0
<!--/Description--> <!--/Description-->
<!--ADMXMapped--> <!--ADMXMapped-->
ADMX Info: ADMX Info:
@ -953,6 +960,8 @@ Supported values:
- 0 Prevented/not allowed - 0 Prevented/not allowed
- 1 (default) Allowed - 1 (default) Allowed
Most restricted value: 0
<!--/SupportedValues--> <!--/SupportedValues-->
<!--/Policy--> <!--/Policy-->
@ -995,12 +1004,11 @@ Supported values:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
>*Supported versions: Microsoft Edge on Windows 10, version 1703* >*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
[!INCLUDE [allow-microsoft-compatibility-list-shortdesc](../../../browsers/edge/shortdesc/allow-microsoft-compatibility-list-shortdesc.md)] [!INCLUDE [allow-microsoft-compatibility-list-shortdesc](../../../browsers/edge/shortdesc/allow-microsoft-compatibility-list-shortdesc.md)]
Most restricted value: 0
<!--/Description--> <!--/Description-->
<!--ADMXMapped--> <!--ADMXMapped-->
@ -1017,6 +1025,8 @@ Supported values:
- 0 Prevented/not allowed - 0 Prevented/not allowed
- 1 (default) Allowed - 1 (default) Allowed
Most restricted value: 0
<!--/SupportedValues--> <!--/SupportedValues-->
<!--/Policy--> <!--/Policy-->
@ -1074,7 +1084,7 @@ ADMX Info:
<!--SupportedValues--> <!--SupportedValues-->
Supported values: Supported values:
- Blank - Users can shoose to save and manage passwords locally. - Blank - Users can choose to save and manage passwords locally.
- 0 Not allowed. - 0 Not allowed.
- 1 (default) Allowed. - 1 (default) Allowed.
@ -1084,10 +1094,8 @@ Most restricted value: 0
<!--Validation--> <!--Validation-->
To verify AllowPasswordManager is set to 0 (not allowed): To verify AllowPasswordManager is set to 0 (not allowed):
1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile. 1. Click or tap **More** (…) and select **Settings** > **View Advanced settings**.
2. In the upper-right corner of the browser, click **…**. 2. Verify the settings **Save Password** is disabled.
3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
4. Verify the settings **Offer to save password** and **Manage my saved passwords** are greyed out.
<!--/Validation--> <!--/Validation-->
<!--/Policy--> <!--/Policy-->
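Review bot: new step 2 has a number mismatch ("Verify the settings **Save Password** is disabled") and replaces two named controls ("Offer to save password" and "Manage my saved passwords") with one. Confirm the label matches the current UI and whether the second control still needs checking. The step that told the reader to open Microsoft Edge is also gone, so step 1 now starts inside the browser without saying so.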
@ -1151,14 +1159,13 @@ Supported values:
- 1 Turn on Pop-up Blocker stopping pop-up windows from opening. - 1 Turn on Pop-up Blocker stopping pop-up windows from opening.
Most restricted value: 1 Most restricted value: 1
<!--/SupportedValues--> <!--/SupportedValues-->
<!--Validation--> <!--Validation-->
To verify AllowPopups is set to 0 (not allowed): To verify AllowPopups is set to 0 (not allowed):
1. Open Microsoft Edge. 1. Click or tap **More** (…) and select **Settings** > **View Advanced settings**.
2. In the upper-right corner of the browser, click **…**. 2. Verify the setting **Block pop-ups** is disabled.
3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
4. Verify the setting **Block pop-ups** is greyed out.
<!--/Validation--> <!--/Validation-->
<!--/Policy--> <!--/Policy-->
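Review bot: the validation heading kept as context, "To verify AllowPopups is set to 0 (not allowed)", disagrees with the value list just above it, where 1 turns the Pop-up Blocker on and 1 is the most restricted value. With the step now saying **Block pop-ups** "is disabled", a reader cannot tell which value is being verified or what state the toggle should show. Reword the heading to name the value and the expected toggle state explicitly.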
@ -1219,10 +1226,12 @@ ADMX Info:
<!--/ADMXMapped--> <!--/ADMXMapped-->
<!--SupportedValues--> <!--SupportedValues-->
Supported values: Supported values:
- 0 - Prevented/not allowed - 0 - Prevented/not allowed
- 1 (default) - Allowed - 1 (default) - Allowed
Most restricted value: 0 Most restricted value: 0
<!--/SupportedValues--> <!--/SupportedValues-->
<!--Example--> <!--Example-->
@ -1287,10 +1296,12 @@ ADMX Info:
<!--/ADMXMapped--> <!--/ADMXMapped-->
<!--SupportedValues--> <!--SupportedValues-->
Supported values: Supported values:
- 0 - Prevented/not allowed - 0 - Prevented/not allowed
- 1 (default) - Allowed - 1 (default) - Allowed
Most restricted value: 0 Most restricted value: 0
<!--/SupportedValues--> <!--/SupportedValues-->
<!--Example--> <!--Example-->
@ -1355,10 +1366,12 @@ ADMX Info:
<!--/ADMXMapped--> <!--/ADMXMapped-->
<!--SupportedValues--> <!--SupportedValues-->
Supported values: Supported values:
- 0 - Prevented/not allowed - 0 - Prevented/not allowed
- 1 (default) - Allowed - 1 (default) - Allowed
Most restricted value: 0 Most restricted value: 0
<!--/SupportedValues--> <!--/SupportedValues-->
<!--Example--> <!--Example-->
@ -1408,7 +1421,7 @@ Most restricted value: 0
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
>*Supported versions: Microsoft Edge on Windows 10, version 1703* >*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
[!INCLUDE [allow-search-engine-customization-shortdesc](../../../browsers/edge/shortdesc/allow-search-engine-customization-shortdesc.md)] [!INCLUDE [allow-search-engine-customization-shortdesc](../../../browsers/edge/shortdesc/allow-search-engine-customization-shortdesc.md)]
@ -1493,6 +1506,7 @@ Supported values:
- 1 Allowed. Show the search suggestions. - 1 Allowed. Show the search suggestions.
Most restricted value: 0 Most restricted value: 0
<!--/SupportedValues--> <!--/SupportedValues-->
<!--/Policy--> <!--/Policy-->
@ -1543,7 +1557,7 @@ Most restricted value: 0
<!--/Description--> <!--/Description-->
<!--ADMXMapped--> <!--ADMXMapped-->
ADMX Info: ADMX Info:
- GP English name: *Allow Sideloading of extension* - GP English name: *Allow sideloading of Extensions*
- GP name: *AllowSideloadingOfExtensions* - GP name: *AllowSideloadingOfExtensions*
- GP path: *Windows Components/Microsoft Edge* - GP path: *Windows Components/Microsoft Edge*
- GP ADMX file name: *MicrosoftEdge.admx* - GP ADMX file name: *MicrosoftEdge.admx*
@ -1552,10 +1566,11 @@ ADMX Info:
<!--SupportedValues--> <!--SupportedValues-->
Supported values: Supported values:
- 0 - Prevented, but does not prevent sideloading of extensions using Add-AppxPackage via PowerShell. To prevent this, set the **ApplicationManagement/AllowDeveloperUnlock** policy to 1 (enabled). - 0 - Prevented/not allowed. Disabling does not prevent sideloading of extensions using Add-AppxPackage via PowerShell. To prevent this, set the **ApplicationManagement/AllowDeveloperUnlock** policy to 1 (enabled).
- 1 (default) - Allowed. - 1 (default) - Allowed.
Most restricted value: 0 Most restricted value: 0
<!--/SupportedValues--> <!--/SupportedValues-->
<!--Example--> <!--Example-->
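Review bot: the reworded value 0 line still tells the reader to set **ApplicationManagement/AllowDeveloperUnlock** to 1 (enabled) in order to prevent sideloading through Add-AppxPackage. An "Allow..." policy set to enabled would normally permit the action rather than block it, so please confirm the value direction against that policy's own topic before this ships. If the value really is 1, add a short explanation of why, because as written it reads like an inverted hardening instruction.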
@ -1618,19 +1633,18 @@ ADMX Info:
<!--SupportedValues--> <!--SupportedValues-->
Supported values: Supported values:
- Blank - Users can choose to use Windows Defender SmartScreen or not. - Blank - Users can choose to use Windows Defender SmartScreen.
- 0 Turned off. Do not protect users from potential threats and prevent users from turning it on. - 0 Turned off. Do not protect users from potential threats and prevent users from turning it on.
- 1 (default) Turned on. Protect users from potential threats and prevent users from turning it off. - 1 (default) Turned on. Protect users from potential threats and prevent users from turning it off.
Most restricted value: 1 Most restricted value: 1
<!--/SupportedValues--> <!--/SupportedValues-->
<!--Validation--> <!--Validation-->
To verify AllowSmartScreen is set to 0 (not allowed): To verify AllowSmartScreen is set to 0 (not allowed):
1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile. 1. Click or tap **More** (…) and select **Settings** > **View Advanced settings**.
2. In the upper-right corner of the browser, click **…**. 2. Verify the setting **Help protect me from malicious sites and download with SmartScreen Filter** is disabled.
3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
4. Verify the setting **Help protect me from malicious sites and download with SmartScreen Filter** is greyed out.
<!--/Validation--> <!--/Validation-->
<!--/Policy--> <!--/Policy-->
@ -1691,8 +1705,8 @@ ADMX Info:
<!--SupportedValues--> <!--SupportedValues-->
Supported values: Supported values:
- 0 (default) - Allowed. Preload Start and New tab pages. - 0 - Prevented/not allowed.
- 1 - Prevented/not allowed. - 1 (default) - Allowed. Preload Start and New tab pages.
Most restricted value: 1 Most restricted value: 1
<!--/SupportedValues--> <!--/SupportedValues-->
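Review bot: after swapping the two value lines, the unchanged context line "Most restricted value: 1" now points at "Allowed. Preload Start and New tab pages", so the most restricted value is documented as the permissive one. Either the swap is correct and that line should become 0, or only the default moved and the meanings should stay as they were. Please confirm against the policy's actual behaviour and update both lines together.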
@ -1747,6 +1761,7 @@ Most restricted value: 1
[!INCLUDE [allow-web-content-on-new-tab-page-shortdesc](../../../browsers/edge/shortdesc/allow-web-content-on-new-tab-page-shortdesc.md)] [!INCLUDE [allow-web-content-on-new-tab-page-shortdesc](../../../browsers/edge/shortdesc/allow-web-content-on-new-tab-page-shortdesc.md)]
<!--/Description--> <!--/Description-->
<!--ADMXMapped--> <!--ADMXMapped-->
ADMX Info: ADMX Info:
@ -1832,6 +1847,7 @@ Supported values:
- 1 - Show the Books Library, regardless of the devices country or region. - 1 - Show the Books Library, regardless of the devices country or region.
Most restricted value: 0 Most restricted value: 0
<!--/SupportedValues--> <!--/SupportedValues-->
<!--/Policy--> <!--/Policy-->
@ -1874,7 +1890,7 @@ Most restricted value: 0
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* >*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
[!INCLUDE [allow-clearing-browsing-data-on-exit-shortdesc](../../../browsers/edge/shortdesc/allow-clearing-browsing-data-on-exit-shortdesc.md)] [!INCLUDE [allow-clearing-browsing-data-on-exit-shortdesc](../../../browsers/edge/shortdesc/allow-clearing-browsing-data-on-exit-shortdesc.md)]
@ -1894,6 +1910,7 @@ Supported values:
- 1 Allowed. Clear the browsing data upon exit automatically. - 1 Allowed. Clear the browsing data upon exit automatically.
Most restricted value: 1 Most restricted value: 1
<!--/SupportedValues--> <!--/SupportedValues-->
<!--Validation--> <!--Validation-->
To verify that browsing data is cleared on exit (ClearBrowsingDataOnExit is set to 1): To verify that browsing data is cleared on exit (ClearBrowsingDataOnExit is set to 1):
@ -1945,12 +1962,12 @@ To verify that browsing data is cleared on exit (ClearBrowsingDataOnExit is set
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
>*Supported versions: Microsoft Edge on Windows 10, version 1703* >*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
[!INCLUDE [configure-additional-search-engines-shortdesc](../../../browsers/edge/shortdesc/configure-additional-search-engines-shortdesc.md)] [!INCLUDE [configure-additional-search-engines-shortdesc](../../../browsers/edge/shortdesc/configure-additional-search-engines-shortdesc.md)]
> [!IMPORTANT] > [!IMPORTANT]
> Due to Protected Settings (aka.ms/browserpolicy), this setting will apply only on domain-joined machines or when the device is MDM-enrolled.  > Due to Protected Settings (aka.ms/browserpolicy), this setting applies only on domain-joined machines or when the device is MDM-enrolled. 
<!--/Description--> <!--/Description-->
@ -2106,7 +2123,7 @@ Supported values:
- 3 - Hide home button. - 3 - Hide home button.
>[!TIP] >[!TIP]
>If you want to make changes to this policy:<ol><li>Set the **Unlock Home Button** policy to 1 (enabled).</li><li>Make changes to the **Configure Home Button** policy or **Set Home Button URL** policy.</li><li>Set the **Unlock Home Button** policy to 0 (disabled).</li></ol> >If you want to make changes to this policy:<ol><li>Set **UnlockHomeButton** to 1 (enabled).</li><li>Make changes to **ConfigureHomeButton** or **SetHomeButtonURL** policy.</li><li>Set **UnlockHomeButton** 0 (disabled).</li></ol>
<!--/SupportedValues--> <!--/SupportedValues-->
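Review bot: the third list item in the rewritten tip is missing a word: "Set **UnlockHomeButton** 0 (disabled)" should read "Set **UnlockHomeButton** to 0 (disabled)", matching the first item. Step 2 also ends with a dangling "policy" after two names; use "policies" or drop the word.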
@ -2179,13 +2196,14 @@ ADMX Info:
<!--SupportedValues--> <!--SupportedValues-->
Supported values: Supported values:
**0 (Default or not configured)**: **0 (Default or not configured)**:
- If its a single app, it runs InPrivate full screen for digital signage or interactive displays. - If its a single app, it runs InPrivate full screen for digital signage or interactive displays.
- If its one of many apps, Microsoft Edge runs as normal. - If its one of many apps, Microsoft Edge runs as normal.
**1**: **1**:
- • If its a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users cant minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. _**For single-app public browsing:**_ If you do not configure the Configure kiosk reset after idle timeout policy and you enable this policy, Microsoft Edge kiosk resets after 5 minutes of idle time. - • If its a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users cant minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. _**For single-app public browsing:**_ If you do not configure the Configure kiosk reset after idle timeout policy and you enable this policy, Microsoft Edge kiosk resets after 5 minutes of idle time.
- If its one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they cant customize Microsoft Edge. - If its one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they cant customize Microsoft Edge.
<!--/SupportedValues--> <!--/SupportedValues-->
<!--Example--> <!--Example-->
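Review bot: The first bullet under **1** begins with "- •", so a literal bullet character renders inside the list item; this hunk respaces the block but leaves it in place, so drop the "•" here. The same bullet names the idle timeout policy by its display name twice, once in quotes and once bare; pick one form.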
@ -2239,7 +2257,7 @@ Supported values:
[!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](../../../browsers/edge/shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md)] [!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](../../../browsers/edge/shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md)]
You must set the Configure kiosk mode policy to enabled (1 - InPrivate public browsing) and configure Microsoft Edge as a single-app in assigned access for this policy to take effect; otherwise, Microsoft Edge ignores this setting. To learn more about assigned access and kiosk configuration, see [Configure kiosk and shared devices running Windows desktop editions](https://docs.microsoft.com/en-us/windows/configuration/kiosk-shared-pc). You must set ConfigureKioskMode to enabled (1 - InPrivate public browsing) and configure Microsoft Edge as a single-app in assigned access for this policy to take effect; otherwise, Microsoft Edge ignores this setting. To learn more about assigned access and kiosk configuration, see [Configure kiosk and shared devices running Windows desktop editions](https://docs.microsoft.com/en-us/windows/configuration/kiosk-shared-pc).
<!--/Description--> <!--/Description-->
<!--ADMXMapped--> <!--ADMXMapped-->
@ -2253,9 +2271,11 @@ ADMX Info:
<!--/ADMXMapped--> <!--/ADMXMapped-->
<!--SupportedValues--> <!--SupportedValues-->
Supported values: Supported values:
- **Any integer from 1-1440 (5 minutes is the default)** The time in minutes from the last user activity before Microsoft Edge kiosk mode resets to the default kiosk configuration. A confirmation dialog displays for the user to cancel or continue and automatically continues after 30 seconds. - **Any integer from 1-1440 (5 minutes is the default)** The time in minutes from the last user activity before Microsoft Edge kiosk mode resets to the default kiosk configuration. A confirmation dialog displays for the user to cancel or continue and automatically continues after 30 seconds.
- **0** No idle timer. - **0** No idle timer.
<!--/SupportedValues--> <!--/SupportedValues-->
<!--Example--> <!--Example-->
@ -2313,8 +2333,8 @@ Supported values:
If you don't want to send traffic to Microsoft, use the \<about:blank\> value, which honors both domain and non domain-joined devices when it's the only configured URL. If you don't want to send traffic to Microsoft, use the \<about:blank\> value, which honors both domain and non domain-joined devices when it's the only configured URL.
**Version 1810**:<br> **Next major version**:<br>
When you enable this policy and select an option, and also enable the Configure Start Pages policy, Microsoft Edge ignores the Configure Start Page policy. When you enable this policy and select an option, and also enter the URLs of the pages you want in HomePages, Microsoft Edge ignores HomePages.
<!--/Description--> <!--/Description-->
<!--ADMXMapped--> <!--ADMXMapped-->
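Review bot: Replacing "**Version 1810**" with "**Next major version**" removes the only statement of which release this behavior applies to, and the label stops being true once that release ships. Keep a concrete version or describe the condition another way. The new sentence also tells the reader to enter URLs "in HomePages" and then says "Microsoft Edge ignores HomePages"; state plainly that HomePages has no effect once an option is selected in this policy.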
@ -2329,14 +2349,14 @@ ADMX Info:
<!--SupportedValues--> <!--SupportedValues-->
Supported values: Supported values:
- Blank - If you don't configure this policy and you enable the Disable Lockdown of Start Pages policy, users can change or customize the Start page. - Blank - If you don't configure this policy and you set DisableLockdownOfStartPages to 1 (enabled), users can change or customize the Start page.
- 0 - Load the Start page. - 0 - Load the Start page.
- 1 - Load the New tab page. - 1 - Load the New tab page.
- 2 - Load the previous pages. - 2 - Load the previous pages.
- 3 (default) - Load a specific page or pages. - 3 (default) - Load a specific page or pages.
>[!TIP] >[!TIP]
>If you want to make changes to this policy:<ol><li>Set the Disabled Lockdown of Start Pages policy to 0 (not configured).</li><li>Make changes to the Configure Open Microsoft With policy.</li><li>Set the Disabled Lockdown of Start Pages policy to 1 (enabled).</li></ol> >If you want to make changes to this policy:<ol><li>Set DisableLockdownOfStartPages to 0 (not configured).</li><li>Make changes to ConfigureOpenEdgeWith.</li><li>Set DisableLockdownOfStartPages to 1 (enabled).</li></ol>
<!--/SupportedValues--> <!--/SupportedValues-->
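Review bot: The rewritten tip labels DisableLockdownOfStartPages 0 as "(not configured)", but the Blank bullet in this same hunk treats 1 as "(enabled)", and the DisableLockdownOfStartPages section later in this patch lists 1 as the default and 0 as the locked-down state. Use the same labels for 0 and 1 here as in that policy's Supported values list, so readers following the three steps know which state they are setting at each step.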
@ -2459,7 +2479,7 @@ Most restricted value: 0
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
>*Supported versions: Microsoft Edge on Windows 10, version 1703* >*Supported versions: Microsoft Edge on Windows 10*
[!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../../../browsers/edge/shortdesc/disable-lockdown-of-start-pages-shortdesc.md)] [!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../../../browsers/edge/shortdesc/disable-lockdown-of-start-pages-shortdesc.md)]
   
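Review bot: The new Supported versions line drops the version entirely ("Microsoft Edge on Windows 10"), while the other Supported versions lines touched in this patch change "version 1703" to "version 1703 or later". If this policy still starts at 1703, use the "or later" form here too; if it applies to every Windows 10 release, say so explicitly.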
@ -2483,8 +2503,8 @@ ADMX Info:
<!--SupportedValues--> <!--SupportedValues-->
Supported values: Supported values:
- 0 Locked. Lockdown the Start pages configured in either the Configure Open Microsoft Edge With policy or Configure Start Pages policy.  - 0 Lock down Start pages configured in either the ConfigureOpenEdgeWith policy and HomePages policy.
- 1 (default) Unlocked. Users can make changes to all configured start pages.<p><p>When you enable this policy and define a set of URLs in the Configure Start Pages policy, Microsoft Edge uses the URLs defined in the Configure Open Microsoft Edge With policy. - 1 (default) Unlocked. Users can make changes to all configured start pages.<p><p>When you enable this policy and define a set of URLs in the HomePages policy, Microsoft Edge uses the URLs defined in the ConfigureOpenEdgeWith policy.
Most restricted value: 0 Most restricted value: 0
<!--/SupportedValues--> <!--/SupportedValues-->
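Review bot: The new 0 bullet says "configured in either the ConfigureOpenEdgeWith policy and HomePages policy"; "either" needs "or". The rewrite also drops the "Locked." label while the 1 bullet keeps "Unlocked.", so the two values no longer read as a pair. Suggest "0 Locked. Lock down the Start pages configured in either the ConfigureOpenEdgeWith policy or the HomePages policy."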
@ -2544,8 +2564,8 @@ ADMX Info:
<!--SupportedValues--> <!--SupportedValues-->
Supported values: Supported values:
- 0 (default) - Gather and send only basic diagnotic data, depending on the device configuration. - 0 (default) - Gather and send only basic diagnostic data, depending on the device configuration.
- 1 - Gather both basic and additional data, such as usage data. - 1 - Gather all diagnostic data.
Most restricted value: 0 Most restricted value: 0
<!--/SupportedValues--> <!--/SupportedValues-->
@ -2598,7 +2618,6 @@ Most restricted value: 0
   
<!--/Description--> <!--/Description-->
<!--ADMXMapped--> <!--ADMXMapped-->
ADMX Info: ADMX Info:
@ -2613,7 +2632,8 @@ ADMX Info:
Supported values: Supported values:
- 0 (default) - Turned off. Microsoft Edge does not check the Enterprise Mode Site List, and in this case, users might experience problems while using legacy apps. - 0 (default) - Turned off. Microsoft Edge does not check the Enterprise Mode Site List, and in this case, users might experience problems while using legacy apps.
- Turned on. Microsoft Edge checks the Enterprise Mode Site List if configured. If an XML file exists in the cache container, IE11 waits 65 seconds and then checks the local cache for a new version from the server. If the server has a different version, Microsoft Edge uses the server file and stores it in the cache container. If you already use a site list, Enterprise Mode continues to work during the 65 second, but uses the existing file. To add the location to your site list, enter it in the {URI} box. - Turned on. Microsoft Edge checks the Enterprise Mode Site List if configured. If an XML file exists in the cache container, IE11 waits 65 seconds and then checks the local cache for a new version from the server. If the server has a different version, Microsoft Edge uses the server file and stores it in the cache container. If you already use a site list, Enterprise Mode continues to work during the 65 second, but uses the existing file. To add the location to your site list, enter it in the {URI} box.<p>For details on how to configure the Enterprise Mode Site List, see [Interoperability and enterprise guidance](https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/interoperability-enterprise-guidance-gp).
<!--/SupportedValues--> <!--/SupportedValues-->
<!--/Policy--> <!--/Policy-->
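Review bot: The "Turned on" bullet that this hunk extends has no value in front of it, unlike "0 (default)" above, so the list never says which value enables the site list check. Add the value while this line is being edited. The same bullet says "IE11 waits 65 seconds" but "Microsoft Edge uses the server file", and "during the 65 second" is missing its plural; name the browser that performs the check consistently.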
@ -2658,7 +2678,7 @@ Supported values:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
> [!IMPORTANT] > [!IMPORTANT]
> We discontinued this policy in Windows 10, version 1511. Use the [Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist) policy instead. > Discontinued in Windows 10, version 1511. Use the [Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist) policy instead.
<!--/Description--> <!--/Description-->
<!--/Policy--> <!--/Policy-->
@ -2707,8 +2727,6 @@ Supported values:
Enter a URL in string format for the site you want to load when Microsoft Edge for Windows 10 Mobile opens for the first time, for example, contoso.com. Enter a URL in string format for the site you want to load when Microsoft Edge for Windows 10 Mobile opens for the first time, for example, contoso.com.
Data type = String
<!--/Description--> <!--/Description-->
<!--/Policy--> <!--/Policy-->
@ -2892,7 +2910,7 @@ Most restricted value: 1
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
[!INCLUDE [prevent-changes-to-favorites-shortdesc](../../../browsers/edge/shortdesc/prevent-changes-to-favorites-shortdesc.md)] [!INCLUDE [prevent-access-to-about-flags-page-shortdesc](../../../browsers/edge/shortdesc/prevent-access-to-about-flags-page-shortdesc.md)]
<!--/Description--> <!--/Description-->
<!--ADMXMapped--> <!--ADMXMapped-->
@ -2907,7 +2925,7 @@ ADMX Info:
Supported values: Supported values:
- 0 (default) Allowed. - 0 (default) Allowed.
- 1 Prevented/not allowed. Users cannot access the about:flags page. - 1 Prevents users from accessing the about:flags page.
Most restricted value: 1 Most restricted value: 1
<!--/SupportedValues--> <!--/SupportedValues-->
@ -3036,7 +3054,7 @@ ADMX Info:
<!--SupportedValues--> <!--SupportedValues-->
Supported values: Supported values:
- 0 (default) Allowed. Microsoft Edge loads the First Run webpage. - 0 (default) Allowed. Load the First Run webpage.
- 1 Prevented/not allowed. - 1 Prevented/not allowed.
Most restricted value: 1 Most restricted value: 1
@ -3082,7 +3100,7 @@ Most restricted value: 1
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
>*Supported versions: Microsoft Edge on Windows 10, version 1703* >*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
[!INCLUDE [prevent-edge-from-gathering-live-tile-info-shortdesc](../../../browsers/edge/shortdesc/prevent-edge-from-gathering-live-tile-info-shortdesc.md)] [!INCLUDE [prevent-edge-from-gathering-live-tile-info-shortdesc](../../../browsers/edge/shortdesc/prevent-edge-from-gathering-live-tile-info-shortdesc.md)]
@ -3098,7 +3116,7 @@ ADMX Info:
<!--SupportedValues--> <!--SupportedValues-->
Supported values: Supported values:
- 0 (default) Collect and send Live Tile metadata to Microsoft. - 0 (default) Collect and send Live Tile metadata.
- 1 No data collected. - 1 No data collected.
Most restricted value: 1 Most restricted value: 1
@ -3395,9 +3413,9 @@ Most restricted value: 1
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
>*Supported versions: Microsoft Edge on Windows 10, version 1709* >*Supported versions: Microsoft Edge on Windows 10, version 1709 or later*
[!INCLUDE [prevent-using-localhost-ip-address-for-webrtc-shortdesc](../../../browsers/edge/shortdesc/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md)] [!INCLUDE [provision-favorites-shortdesc](../../../browsers/edge/shortdesc/provision-favorites-shortdesc.md)]
   
Define a default list of favorites in Microsoft Edge. In this case, the Save a Favorite, Import settings, and context menu options (such as Create a new folder) are turned off. Define a default list of favorites in Microsoft Edge. In this case, the Save a Favorite, Import settings, and context menu options (such as Create a new folder) are turned off.
@ -3405,14 +3423,14 @@ Define a default list of favorites in Microsoft Edge. In this case, the Save a F
To define a default list of favorites: To define a default list of favorites:
1. In the upper-right corner of Microsoft Edge, click the ellipses (**...**) and select **Settings**. 1. In the upper-right corner of Microsoft Edge, click the ellipses (**...**) and select **Settings**.
2. Click **Import from another browser**, click **Export to file** and save the file. 2. Click **Import from another browser**, click **Export to file** and save the file.
3. In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision. <p><p>Specify the URL as:<ul><li>HTTP location: "SiteList"="http://localhost:8080/URLs.html"</li><li>Local network: "SiteList"="\\network\\shares\\URLs.html"</li><li>Local file: "SiteList"="file:///c:\\Users\\<user\>\\Documents\\URLs.html"</li></ul> 3. In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision. <p><p>Specify the URL as:<ul><li>HTTP location: "SiteList"=http://localhost:8080/URLs.html</li><li>Local network: "SiteList"="\network\shares\URLs.html"</li><li>Local file: "SiteList"=file:///c:/Users/Documents/URLs.html</li></ul>
> [!Important] >[!IMPORTANT]
> Enable only this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy. If you enable both, Microsoft Edge prevents users from syncing their favorites between the two browsers. >Enable only this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy. If you enable both, Microsoft Edge prevents users from syncing their favorites between the two browsers.
Data type = string
<!--/Description--> <!--/Description-->
<!--ADMXMapped--> <!--ADMXMapped-->
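Review bot: In step 3 the new local network example is "\network\shares\URLs.html" with a single leading backslash, which is not a UNC path, and the new local file example "file:///c:/Users/Documents/URLs.html" loses the per-user segment the old line had. The three examples are also quoted inconsistently now, since only the network value keeps its quotes. Write the network value so it renders with two leading backslashes, keep the user placeholder in the file URL, and quote all three values the same way. "points the file" in the same step needs "to".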
@ -3424,6 +3442,7 @@ ADMX Info:
- GP ADMX file name: *MicrosoftEdge.admx* - GP ADMX file name: *MicrosoftEdge.admx*
<!--/ADMXMapped--> <!--/ADMXMapped-->
<!--/Policy--> <!--/Policy-->
<hr/> <hr/>
@ -3485,9 +3504,10 @@ ADMX Info:
Supported values: Supported values:
- 0 (default) - All sites, including intranet sites, open in Microsoft Edge automatically. - 0 (default) - All sites, including intranet sites, open in Microsoft Edge automatically.
- 1 - Only intranet sites open in Internet Explorer 11 automatically. Enabling this policy opens all intranet sites in IE11 automatically, even if the users have Microsoft Edge as their default browser. - 1 - Only intranet sites open in Internet Explorer 11 automatically.<p><p>Enabling this policy automatically opens all intranet sites in IE11, even if the users have Microsoft Edge as their default browser.<ol><li>In Group Policy Editor, navigate to:<br><br>**Computer Configuration\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file** and click **Enable**.<p></li><li>Refresh the policy and then view the affected sites in Microsoft Edge.<p><p>A message displays saying that the page needs to open in IE. At the same time, the page opens in IE11 automatically; in a new frame if it is not yet running, or in a new tab.</li></ol>
Most restricted value: 0 Most restricted value: 0
<!--/SupportedValues--> <!--/SupportedValues-->
<!--/Policy--> <!--/Policy-->
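Review bot: The text added under value 1 embeds a two-step procedure inside the value bullet, and step 1 sends the reader to the File Explorer setting **Set a default associations configuration file** without saying how that setting relates to this policy or what to supply after clicking **Enable**. Move the steps out of the Supported values list into their own paragraph and state the dependency between the two settings.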
@ -3553,7 +3573,7 @@ ADMX Info:
<!--SupportedValues--> <!--SupportedValues-->
Supported values: Supported values:
- Blank (default) - Microsoft Edge uses the default search engine specified in App settings. If you don't configure this policy and disable the AllowSearchEngineCustomization policy, users cannot make changes. - Blank (default) - Microsoft Edge uses the default search engine specified in App settings. If you don't configure this policy and disable the [AllowSearchEngineCustomization](https://review.docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser?branch=microsoft-edge-preview#browser-allowsearchenginecustomization) policy, users cannot make changes.
- 0 - Microsoft Edge removes the policy-set search engine and uses the Microsoft Edge specified engine for the market. - 0 - Microsoft Edge removes the policy-set search engine and uses the Microsoft Edge specified engine for the market.
- 1 - Microsoft Edge uses the policy-set search engine specified in the OpenSearch XML file. Users cannot change the default search engine.<p><p>Specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/browser/search-provider-discovery). Use this format to specify the link you want to add.<p><p>If you want users to use the default Microsoft Edge settings for each market, set the string to **EDGEDEFAULT**.<p><p>If you want users to use Microsoft Bing as the default search engine, then set the string to **EDGEBING**. - 1 - Microsoft Edge uses the policy-set search engine specified in the OpenSearch XML file. Users cannot change the default search engine.<p><p>Specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/browser/search-provider-discovery). Use this format to specify the link you want to add.<p><p>If you want users to use the default Microsoft Edge settings for each market, set the string to **EDGEDEFAULT**.<p><p>If you want users to use Microsoft Bing as the default search engine, then set the string to **EDGEBING**.
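Review bot: The link added to the Blank bullet points at review.docs.microsoft.com with "?branch=microsoft-edge-preview", a review-site URL pinned to a preview branch rather than the published location. Use an in-page anchor instead, as the Browser/EnterpriseModeSiteList reference in this file does with "#browser-enterprisemodesitelist"; here that would be "#browser-allowsearchenginecustomization".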
@ -3802,7 +3822,7 @@ Most restricted value: 0
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
>*Supported versions: Microsoft Edge on Windows 10, version 1703* >*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
[!INCLUDE [keep-favorites-in-sync-between-ie-and-edge-shortdesc](../../../browsers/edge/shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md)] [!INCLUDE [keep-favorites-in-sync-between-ie-and-edge-shortdesc](../../../browsers/edge/shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md)]
@ -3894,7 +3914,7 @@ ADMX Info:
<!--SupportedValues--> <!--SupportedValues-->
Supported values: Supported values:
- 0 (default) - Lock down the home button to prevent users from making changes to the settings. - 0 (default) - Lock down and prevent users from making changes to the settings.
- 1 - Let users make changes. - 1 - Let users make changes.
<!--/SupportedValues--> <!--/SupportedValues-->
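Review bot: The new 0 bullet, "Lock down and prevent users from making changes to the settings", drops the object the old text had ("the home button"), so it no longer says what is locked down. Keep "the home button" or name the settings that are affected.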
@ -3961,7 +3981,7 @@ ADMX Info:
Supported values: Supported values:
- 0 - Prevented/not allowed, but Microsoft Edge downloads book files to a per-user folder for each user. - 0 - Prevented/not allowed, but Microsoft Edge downloads book files to a per-user folder for each user.
- 1 - Allowed. Microsoft Edge downloads book files into a shared folder. - 1 - Allowed. Microsoft Edge downloads book files to a shared folder. For this policy to work correctly, you must also enable the Allow a Windows app to share application data between users group policy. Also, the users must be signed in with a school or work account.
Most restricted value: 0 Most restricted value: 0
<!--/SupportedValues--> <!--/SupportedValues-->

View File

@ -1454,7 +1454,25 @@ Supported values:
- 0 (default) - Allowed/turned on. The "browser" group syncs automatically between users devices and lets users to make changes. - 0 (default) - Allowed/turned on. The "browser" group syncs automatically between users devices and lets users to make changes.
- 2 - Prevented/turned off. The "browser" group does not use the _Sync your Settings_ option. - 2 - Prevented/turned off. The "browser" group does not use the _Sync your Settings_ option.
Value type: integer
_**Sync the browser settings automatically**_
Set both **DoNotSyncBrowserSettings** and **PreventUsersFromTurningOnBrowserSyncing** to 0 (Allowed/turned on).
_**Prevent syncing of browser settings and prevent users from turning it on**_
1. Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off).
2. Set **PreventUsersFromTurningOnBrowserSyncing** to 1 (Prevented/turned off).
_**Prevent syncing of browser settings and let users turn on syncing**_
1. Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off).
2. Set **PreventUsersFromTurningOnBrowserSyncing** to 0 (Allowed/turned on).
_**Turn syncing off by default but dont disable**_
Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off) and select the _Allow users to turn “browser” syncing_ option.
<!--/SupportedValues--> <!--/SupportedValues-->
<!--Example--> <!--Example-->
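Review bot: In the last scenario added here, the option name "Allow users to turn “browser” syncing" appears to be cut off (no "on"), so it cannot be matched against the Group Policy UI; quote the checkbox text exactly. That scenario and "Prevent syncing of browser settings and let users turn on syncing" both start from DoNotSyncBrowserSettings set to 2 and leave users able to enable syncing, so say how they differ or merge them.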
@ -1508,21 +1526,11 @@ Related policy:
[DoNotSyncBrowserSettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-donotsyncbrowsersetting) [DoNotSyncBrowserSettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-donotsyncbrowsersetting)
If you want to prevent syncing of browser settings and prevent users from turning it on:
1. Set DoNotSyncBrowserSettings to 2 (enabled).
1. Set this policy (PreventUsersFromTurningOnBrowserSyncing) to 1 (enabled or not configured).
If you want to prevent syncing of browser settings but give users a choice to turn on syncing:
1. Set DoNotSyncBrowserSettings to 2 (enabled).
2. Set this policy (PreventUsersFromTurningOnBrowserSyncing) to 0 (disabled).
<!--/Description--> <!--/Description-->
<!--ADMXMapped--> <!--ADMXMapped-->
ADMX Info: ADMX Info:
- GP English name: *Do not sync browser settings* - GP English name: *Prevent users from turning on browser syncing*
- GP name: *DisableWebBrowserSettingSync* - GP name: *PreventUsersFromTurningOnBrowserSyncing*
- GP element: *CheckBox_UserOverride*
- GP path: *Windows Components/Sync your settings* - GP path: *Windows Components/Sync your settings*
- GP ADMX file name: *SettingSync.admx* - GP ADMX file name: *SettingSync.admx*
@ -1533,17 +1541,30 @@ Supported values:
- 0 - Allowed/turned on. Users can sync the browser settings. - 0 - Allowed/turned on. Users can sync the browser settings.
- 1 (default) - Prevented/turned off. - 1 (default) - Prevented/turned off.
Value type is integer.
_**Sync the browser settings automatically**_
Set both **DoNotSyncBrowserSettings** and **PreventUsersFromTurningOnBrowserSyncing** to 0 (Allowed/turned on).
_**Prevent syncing of browser settings and prevent users from turning it on**_
1. Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off).
2. Set **PreventUsersFromTurningOnBrowserSyncing** to 1 (Prevented/turned off).
_**Prevent syncing of browser settings and let users turn on syncing**_
1. Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off).
2. Set **PreventUsersFromTurningOnBrowserSyncing** to 0 (Allowed/turned on).
<!--/SupportedValues--> <!--/SupportedValues-->
<!--Example--> <!--Example-->
<!--/Example--> <!--/Example-->
<!--Validation--> <!--Validation-->
**Validation procedure:** Validation procedure:
Microsoft Edge on your PC:
1. Select **More > Settings**. 1. Select **More > Settings**.
1. See if the setting is enabled or disabled based on your setting. 1. See if the setting is enabled or disabled based on your selection.
<!--/Validation--> <!--/Validation-->
<!--/Policy--> <!--/Policy-->
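Review bot: The three scenarios added to this Supported values section repeat the block added under DoNotSyncBrowserSettings earlier in this file, minus its fourth scenario, so the two copies can drift apart. Keep one copy and link to it from the other policy. In the validation steps, "See if the setting is enabled or disabled based on your selection" does not name the setting to look for under **More > Settings**; name it so the check can actually be performed.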

View File

@ -1,366 +1,426 @@
--- ---
title: Policy CSP - Kerberos title: Policy CSP - Kerberos
description: Policy CSP - Kerberos description: Policy CSP - Kerberos
ms.author: maricia ms.author: maricia
ms.topic: article ms.topic: article
ms.prod: w10 ms.prod: w10
ms.technology: windows ms.technology: windows
author: MariciaAlforque author: MariciaAlforque
ms.date: 03/12/2018 ms.date: 08/08/2018
--- ---
# Policy CSP - Kerberos # Policy CSP - Kerberos
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>
<!--Policies--> <hr/>
## Kerberos policies
<!--Policies-->
<dl> ## Kerberos policies
<dd>
<a href="#kerberos-allowforestsearchorder">Kerberos/AllowForestSearchOrder</a> <dl>
</dd> <dd>
<dd> <a href="#kerberos-allowforestsearchorder">Kerberos/AllowForestSearchOrder</a>
<a href="#kerberos-kerberosclientsupportsclaimscompoundarmor">Kerberos/KerberosClientSupportsClaimsCompoundArmor</a> </dd>
</dd> <dd>
<dd> <a href="#kerberos-kerberosclientsupportsclaimscompoundarmor">Kerberos/KerberosClientSupportsClaimsCompoundArmor</a>
<a href="#kerberos-requirekerberosarmoring">Kerberos/RequireKerberosArmoring</a> </dd>
</dd> <dd>
<dd> <a href="#kerberos-requirekerberosarmoring">Kerberos/RequireKerberosArmoring</a>
<a href="#kerberos-requirestrictkdcvalidation">Kerberos/RequireStrictKDCValidation</a> </dd>
</dd> <dd>
<dd> <a href="#kerberos-requirestrictkdcvalidation">Kerberos/RequireStrictKDCValidation</a>
<a href="#kerberos-setmaximumcontexttokensize">Kerberos/SetMaximumContextTokenSize</a> </dd>
</dd> <dd>
</dl> <a href="#kerberos-setmaximumcontexttokensize">Kerberos/SetMaximumContextTokenSize</a>
</dd>
<dd>
<hr/> <a href="#kerberos-upnnamehints">Kerberos/UPNNameHints</a>
</dd>
<!--Policy--> </dl>
<a href="" id="kerberos-allowforestsearchorder"></a>**Kerberos/AllowForestSearchOrder**
<!--SupportedSKUs--> <hr/>
<table>
<tr> <!--Policy-->
<th>Home</th> <a href="" id="kerberos-allowforestsearchorder"></a>**Kerberos/AllowForestSearchOrder**
<th>Pro</th>
<th>Business</th> <!--SupportedSKUs-->
<th>Enterprise</th> <table>
<th>Education</th> <tr>
<th>Mobile</th> <th>Home</th>
<th>Mobile Enterprise</th> <th>Pro</th>
</tr> <th>Business</th>
<tr> <th>Enterprise</th>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <th>Education</th>
<td><img src="images/checkmark.png" alt="check mark" /></td> <th>Mobile</th>
<td><img src="images/checkmark.png" alt="check mark" /></td> <th>Mobile Enterprise</th>
<td><img src="images/checkmark.png" alt="check mark" /></td> </tr>
<td><img src="images/checkmark.png" alt="check mark" /></td> <tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td><img src="images/checkmark.png" alt="check mark" /></td>
</tr> <td><img src="images/checkmark.png" alt="check mark" /></td>
</table> <td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<!--/SupportedSKUs--> <td><img src="images/crossmark.png" alt="cross mark" /></td>
<!--Scope--> <td><img src="images/crossmark.png" alt="cross mark" /></td>
[Scope](./policy-configuration-service-provider.md#policy-scope): </tr>
</table>
> [!div class = "checklist"]
> * Device <!--/SupportedSKUs-->
<!--Scope-->
<hr/> [Scope](./policy-configuration-service-provider.md#policy-scope):
<!--/Scope--> > [!div class = "checklist"]
<!--Description--> > * Device
This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs).
<hr/>
If you enable this policy setting, the Kerberos client searches the forests in this list, if it is unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a referral ticket to the appropriate domain.
<!--/Scope-->
If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used. <!--Description-->
This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs).
<!--/Description-->
> [!TIP] If you enable this policy setting, the Kerberos client searches the forests in this list, if it is unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a referral ticket to the appropriate domain.
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used.
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
<!--/Description-->
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). > [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
<!--ADMXBacked-->
ADMX Info: > You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
- GP English name: *Use forest search order*
- GP name: *ForestSearch* > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx* <!--ADMXBacked-->
ADMX Info:
<!--/ADMXBacked--> - GP English name: *Use forest search order*
<!--/Policy--> - GP name: *ForestSearch*
- GP path: *System/Kerberos*
<hr/> - GP ADMX file name: *Kerberos.admx*
<!--Policy--> <!--/ADMXBacked-->
<a href="" id="kerberos-kerberosclientsupportsclaimscompoundarmor"></a>**Kerberos/KerberosClientSupportsClaimsCompoundArmor** <!--/Policy-->
<!--SupportedSKUs--> <hr/>
<table>
<tr> <!--Policy-->
<th>Home</th> <a href="" id="kerberos-kerberosclientsupportsclaimscompoundarmor"></a>**Kerberos/KerberosClientSupportsClaimsCompoundArmor**
<th>Pro</th>
<th>Business</th> <!--SupportedSKUs-->
<th>Enterprise</th> <table>
<th>Education</th> <tr>
<th>Mobile</th> <th>Home</th>
<th>Mobile Enterprise</th> <th>Pro</th>
</tr> <th>Business</th>
<tr> <th>Enterprise</th>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <th>Education</th>
<td><img src="images/checkmark.png" alt="check mark" /></td> <th>Mobile</th>
<td><img src="images/checkmark.png" alt="check mark" /></td> <th>Mobile Enterprise</th>
<td><img src="images/checkmark.png" alt="check mark" /></td> </tr>
<td><img src="images/checkmark.png" alt="check mark" /></td> <tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td><img src="images/checkmark.png" alt="check mark" /></td>
</tr> <td><img src="images/checkmark.png" alt="check mark" /></td>
</table> <td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<!--/SupportedSKUs--> <td><img src="images/crossmark.png" alt="cross mark" /></td>
<!--Scope--> <td><img src="images/crossmark.png" alt="cross mark" /></td>
[Scope](./policy-configuration-service-provider.md#policy-scope): </tr>
</table>
> [!div class = "checklist"]
> * Device <!--/SupportedSKUs-->
<!--Scope-->
<hr/> [Scope](./policy-configuration-service-provider.md#policy-scope):
<!--/Scope--> > [!div class = "checklist"]
<!--Description--> > * Device
This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features.
If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains which support claims and compound authentication for Dynamic Access Control and Kerberos armoring. <hr/>
If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition. <!--/Scope-->
<!--Description-->
<!--/Description--> This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features.
> [!TIP] If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains which support claims and compound authentication for Dynamic Access Control and Kerberos armoring.
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition.
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
<!--/Description-->
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). > [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
<!--ADMXBacked-->
ADMX Info: > You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
- GP English name: *Kerberos client support for claims, compound authentication and Kerberos armoring*
- GP name: *EnableCbacAndArmor* > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx* <!--ADMXBacked-->
ADMX Info:
<!--/ADMXBacked--> - GP English name: *Kerberos client support for claims, compound authentication and Kerberos armoring*
<!--/Policy--> - GP name: *EnableCbacAndArmor*
- GP path: *System/Kerberos*
<hr/> - GP ADMX file name: *Kerberos.admx*
<!--Policy--> <!--/ADMXBacked-->
<a href="" id="kerberos-requirekerberosarmoring"></a>**Kerberos/RequireKerberosArmoring** <!--/Policy-->
<!--SupportedSKUs--> <hr/>
<table>
<tr> <!--Policy-->
<th>Home</th> <a href="" id="kerberos-requirekerberosarmoring"></a>**Kerberos/RequireKerberosArmoring**
<th>Pro</th>
<th>Business</th> <!--SupportedSKUs-->
<th>Enterprise</th> <table>
<th>Education</th> <tr>
<th>Mobile</th> <th>Home</th>
<th>Mobile Enterprise</th> <th>Pro</th>
</tr> <th>Business</th>
<tr> <th>Enterprise</th>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <th>Education</th>
<td><img src="images/checkmark.png" alt="check mark" /></td> <th>Mobile</th>
<td><img src="images/checkmark.png" alt="check mark" /></td> <th>Mobile Enterprise</th>
<td><img src="images/checkmark.png" alt="check mark" /></td> </tr>
<td><img src="images/checkmark.png" alt="check mark" /></td> <tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td><img src="images/checkmark.png" alt="check mark" /></td>
</tr> <td><img src="images/checkmark.png" alt="check mark" /></td>
</table> <td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<!--/SupportedSKUs--> <td><img src="images/crossmark.png" alt="cross mark" /></td>
<!--Scope--> <td><img src="images/crossmark.png" alt="cross mark" /></td>
[Scope](./policy-configuration-service-provider.md#policy-scope): </tr>
</table>
> [!div class = "checklist"]
> * Device <!--/SupportedSKUs-->
<!--Scope-->
<hr/> [Scope](./policy-configuration-service-provider.md#policy-scope):
<!--/Scope--> > [!div class = "checklist"]
<!--Description--> > * Device
This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a domain controller.
<hr/>
Warning: When a domain does not support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled.
<!--/Scope-->
If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers. <!--Description-->
This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a domain controller.
Note: The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring.
Warning: When a domain does not support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled.
If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain.
If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers.
<!--/Description-->
> [!TIP] Note: The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring.
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain.
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
<!--/Description-->
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). > [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
<!--ADMXBacked-->
ADMX Info: > You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
- GP English name: *Fail authentication requests when Kerberos armoring is not available*
- GP name: *ClientRequireFast* > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx* <!--ADMXBacked-->
ADMX Info:
<!--/ADMXBacked--> - GP English name: *Fail authentication requests when Kerberos armoring is not available*
<!--/Policy--> - GP name: *ClientRequireFast*
- GP path: *System/Kerberos*
<hr/> - GP ADMX file name: *Kerberos.admx*
<!--Policy--> <!--/ADMXBacked-->
<a href="" id="kerberos-requirestrictkdcvalidation"></a>**Kerberos/RequireStrictKDCValidation** <!--/Policy-->
<!--SupportedSKUs--> <hr/>
<table>
<tr> <!--Policy-->
<th>Home</th> <a href="" id="kerberos-requirestrictkdcvalidation"></a>**Kerberos/RequireStrictKDCValidation**
<th>Pro</th>
<th>Business</th> <!--SupportedSKUs-->
<th>Enterprise</th> <table>
<th>Education</th> <tr>
<th>Mobile</th> <th>Home</th>
<th>Mobile Enterprise</th> <th>Pro</th>
</tr> <th>Business</th>
<tr> <th>Enterprise</th>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <th>Education</th>
<td><img src="images/checkmark.png" alt="check mark" /></td> <th>Mobile</th>
<td><img src="images/checkmark.png" alt="check mark" /></td> <th>Mobile Enterprise</th>
<td><img src="images/checkmark.png" alt="check mark" /></td> </tr>
<td><img src="images/checkmark.png" alt="check mark" /></td> <tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td><img src="images/checkmark.png" alt="check mark" /></td>
</tr> <td><img src="images/checkmark.png" alt="check mark" /></td>
</table> <td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<!--/SupportedSKUs--> <td><img src="images/crossmark.png" alt="cross mark" /></td>
<!--Scope--> <td><img src="images/crossmark.png" alt="cross mark" /></td>
[Scope](./policy-configuration-service-provider.md#policy-scope): </tr>
</table>
> [!div class = "checklist"]
> * Device <!--/SupportedSKUs-->
<!--Scope-->
<hr/> [Scope](./policy-configuration-service-provider.md#policy-scope):
<!--/Scope--> > [!div class = "checklist"]
<!--Description--> > * Device
This policy setting controls the Kerberos client's behavior in validating the KDC certificate for smart card and system certificate logon.
<hr/>
If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer is not joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate.
<!--/Scope-->
If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can be issued to any server. <!--Description-->
This policy setting controls the Kerberos client's behavior in validating the KDC certificate for smart card and system certificate logon.
<!--/Description-->
> [!TIP] If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer is not joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate.
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can be issued to any server.
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
<!--/Description-->
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). > [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
<!--ADMXBacked-->
ADMX Info: > You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
- GP English name: *Require strict KDC validation*
- GP name: *ValidateKDC* > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx* <!--ADMXBacked-->
ADMX Info:
<!--/ADMXBacked--> - GP English name: *Require strict KDC validation*
<!--/Policy--> - GP name: *ValidateKDC*
- GP path: *System/Kerberos*
<hr/> - GP ADMX file name: *Kerberos.admx*
<!--Policy--> <!--/ADMXBacked-->
<a href="" id="kerberos-setmaximumcontexttokensize"></a>**Kerberos/SetMaximumContextTokenSize** <!--/Policy-->
<!--SupportedSKUs--> <hr/>
<table>
<tr> <!--Policy-->
<th>Home</th> <a href="" id="kerberos-setmaximumcontexttokensize"></a>**Kerberos/SetMaximumContextTokenSize**
<th>Pro</th>
<th>Business</th> <!--SupportedSKUs-->
<th>Enterprise</th> <table>
<th>Education</th> <tr>
<th>Mobile</th> <th>Home</th>
<th>Mobile Enterprise</th> <th>Pro</th>
</tr> <th>Business</th>
<tr> <th>Enterprise</th>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <th>Education</th>
<td><img src="images/checkmark.png" alt="check mark" /></td> <th>Mobile</th>
<td><img src="images/checkmark.png" alt="check mark" /></td> <th>Mobile Enterprise</th>
<td><img src="images/checkmark.png" alt="check mark" /></td> </tr>
<td><img src="images/checkmark.png" alt="check mark" /></td> <tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td><img src="images/checkmark.png" alt="check mark" /></td>
</tr> <td><img src="images/checkmark.png" alt="check mark" /></td>
</table> <td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<!--/SupportedSKUs--> <td><img src="images/crossmark.png" alt="cross mark" /></td>
<!--Scope--> <td><img src="images/crossmark.png" alt="cross mark" /></td>
[Scope](./policy-configuration-service-provider.md#policy-scope): </tr>
</table>
> [!div class = "checklist"]
> * Device <!--/SupportedSKUs-->
<!--Scope-->
<hr/> [Scope](./policy-configuration-service-provider.md#policy-scope):
<!--/Scope--> > [!div class = "checklist"]
<!--Description--> > * Device
This policy setting allows you to set the value returned to applications which request the maximum size of the SSPI context token buffer size.
<hr/>
The size of the context token buffer determines the maximum size of SSPI context tokens an application expects and allocates. Depending upon authentication request processing and group memberships, the buffer might be smaller than the actual size of the SSPI context token.
<!--/Scope-->
If you enable this policy setting, the Kerberos client or server uses the configured value, or the locally allowed maximum value, whichever is smaller. <!--Description-->
This policy setting allows you to set the value returned to applications which request the maximum size of the SSPI context token buffer size.
If you disable or do not configure this policy setting, the Kerberos client or server uses the locally configured value or the default value.
The size of the context token buffer determines the maximum size of SSPI context tokens an application expects and allocates. Depending upon authentication request processing and group memberships, the buffer might be smaller than the actual size of the SSPI context token.
Note: This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes.
If you enable this policy setting, the Kerberos client or server uses the configured value, or the locally allowed maximum value, whichever is smaller.
<!--/Description-->
> [!TIP] If you disable or do not configure this policy setting, the Kerberos client or server uses the locally configured value or the default value.
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
Note: This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes.
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
<!--/Description-->
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). > [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
<!--ADMXBacked-->
ADMX Info: > You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
- GP English name: *Set maximum Kerberos SSPI context token buffer size*
- GP name: *MaxTokenSize* > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx* <!--ADMXBacked-->
ADMX Info:
<!--/ADMXBacked--> - GP English name: *Set maximum Kerberos SSPI context token buffer size*
<!--/Policy--> - GP name: *MaxTokenSize*
<hr/> - GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
Footnote:
<!--/ADMXBacked-->
- 1 - Added in Windows 10, version 1607. <!--/Policy-->
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709. <hr/>
- 4 - Added in Windows 10, version 1803.
<!--Policy-->
<!--/Policies--> <a href="" id="kerberos-upnnamehints"></a>**Kerberos/UPNNameHints**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Adds a list of domains that an Azure Active Directory joined device can attempt to contact when it cannot resolve a UPN to a principal.
Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve an Azure Active Directory UPN into an Active Directory Principal. You can use this policy to avoid those failures.
<!--/Description-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in the next major release of Windows 10.
<!--/Policies-->
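Review bot: The new Kerberos/UPNNameHints entry leaves its SupportedValues, Example and Validation blocks empty, and its description says only that the policy "adds a list of domains" without giving the value's data type or list delimiter, so an MDM author cannot build the payload from this page. Please document the format and add a sample value. Unlike the other Kerberos policies in this file, the entry also has no ADMXBacked block or ADMX tip; say whether that is intentional. Two smaller points: the Mobile and Mobile Enterprise cells are empty `<td></td>` where every other policy table here uses the cross mark image, and footnote 5 ("Added in the next major release of Windows 10") will go stale once that release has a version number.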

View File

@ -66,12 +66,59 @@ This security setting allows an administrator to define the members of a securit
Caution: If a Restricted Groups policy is applied, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators. Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers. An empty Members list means that the restricted group has no members. Caution: If a Restricted Groups policy is applied, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators. Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers. An empty Members list means that the restricted group has no members.
Starting in Windows 10, next major version, you can use this schema for retrieval and application of the RestrictedGroups/ConfigureGroupMembership policy. A minimum occurrence of 0 members when applying the policy implies clearing the access group and should be used with caution.
``` syntax
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" version="1.0">
<xs:simpleType name="member_name">
<xs:restriction base="xs:string">
<xs:maxLength value="255" />
</xs:restriction>
</xs:simpleType>
<xs:element name="accessgroup">
<xs:complexType>
<xs:sequence>
<xs:element name="member" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>Restricted Group Member</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:attribute name="name" type="member_name" use="required"/>
</xs:complexType>
</xs:element>
</xs:sequence>
<xs:attribute name="desc" type="member_name" use="required"/>
</xs:complexType>
</xs:element>
<xs:element name="groupmembership">
<xs:complexType>
<xs:sequence>
<xs:element name="accessgroup" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>Restricted Group</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
```
<!--/Description--> <!--/Description-->
<!--SupportedValues--> <!--SupportedValues-->
<!--/SupportedValues--> <!--/SupportedValues-->
<!--Example--> <!--Example-->
Here is an example:
```
<groupmembership>
<accessgroup desc="Administrators">
<member name="Contoso\Alice" />
<member name = "S-188-5-5666-5-688" / >
</accessgroup>
</groupmembership>
```
<!--/Example--> <!--/Example-->
<!--Validation--> <!--Validation-->
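Review bot: In the added schema, the `accessgroup` child of `groupmembership` is declared with `name="accessgroup"` and no `type` or `ref`, so it is a new local element of unconstrained type rather than a reference to the global `accessgroup` declaration above it. The `member` children and the required `desc` attribute are therefore not enforced for a document rooted at `groupmembership`. Declare it as `<xs:element ref="accessgroup" minOccurs="0" maxOccurs="unbounded">` instead. In the example, `<member name = "S-188-5-5666-5-688" / >` is not well-formed XML because of the space between `/` and `>`, so a parser rejects the payload before any schema check; close it with `/>`. The example fence also lacks the `syntax` tag that the schema fence uses.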

View File

@ -27,7 +27,7 @@ Two methods of peer-to-peer content distribution are available in Windows 10.
Windows Update, Windows Update for Business, and Windows Server Update Services (WSUS) can use Delivery Optimization. Delivery Optimization can significantly reduce the amount of network traffic to external Windows Update sources as well as the time it takes for clients to retrieve the updates. Windows Update, Windows Update for Business, and Windows Server Update Services (WSUS) can use Delivery Optimization. Delivery Optimization can significantly reduce the amount of network traffic to external Windows Update sources as well as the time it takes for clients to retrieve the updates.
- [BranchCache](waas-branchcache.md) is a bandwidth optimization technology that is included in some editions of the Windows Server 2016 Technical Preview and Windows 10 operating systems, as well as in some editions of Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, and Windows 7. - [BranchCache](waas-branchcache.md) is a bandwidth optimization technology that is included in some editions of Windows Server 2016 and Windows 10 operating systems, as well as in some editions of Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, and Windows 7.
>[!NOTE] >[!NOTE]
>Full BranchCache functionality is supported in Windows 10 Enterprise and Education; Windows 10 Pro supports some BranchCache functionality, including BITS transfers used for servicing operations. >Full BranchCache functionality is supported in Windows 10 Enterprise and Education; Windows 10 Pro supports some BranchCache functionality, including BITS transfers used for servicing operations.

View File

@ -5,7 +5,7 @@
## [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) ## [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md)
## [Diagnostic Data Viewer Overview](diagnostic-data-viewer-overview.md) ## [Diagnostic Data Viewer Overview](diagnostic-data-viewer-overview.md)
## Basic level Windows diagnostic data events and fields ## Basic level Windows diagnostic data events and fields
### [Windows 10, version 1803 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md) ### [Windows 10, version 1803 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md)
### [Windows 10, version 1709 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) ### [Windows 10, version 1709 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md)
### [Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) ### [Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md)
## Enhanced level Windows diagnostic data events and fields ## Enhanced level Windows diagnostic data events and fields

View File

@ -23,6 +23,8 @@ The Basic level gathers a limited set of information that is critical for unders
Use this article to learn about diagnostic events, grouped by event area, and the fields within each event. A brief description is provided for each field. Every event generated includes common data, which collects device data. You can learn more about Windows functional and diagnostic data through these articles: Use this article to learn about diagnostic events, grouped by event area, and the fields within each event. A brief description is provided for each field. Every event generated includes common data, which collects device data. You can learn more about Windows functional and diagnostic data through these articles:
- [Windows 10, version 1803 basic diagnostic events and fields](https://docs.microsoft.com/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1803)
- [Windows 10, version 1709 basic diagnostic events and fields](https://docs.microsoft.com/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1709)
- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) - [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
- [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) - [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md)
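Review bot: The two added list items link to absolute `https://docs.microsoft.com/windows/configuration/...` URLs, while the existing items in the same list use relative `.md` links and the TOC change in this commit references `basic-level-windows-diagnostic-events-and-fields-1803.md` by relative path. Prefer relative links to the 1803 and 1709 files so the new entries match the rest of the list and resolve against the repository rather than a published URL.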

View File

@ -30,6 +30,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th
You can learn more about Windows functional and diagnostic data through these articles: You can learn more about Windows functional and diagnostic data through these articles:
- [Windows 10, version 1803 basic diagnostic events and fields](https://docs.microsoft.com/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1803)
- [Windows 10, version 1703 basic diagnostic events and fields](https://docs.microsoft.com/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703) - [Windows 10, version 1703 basic diagnostic events and fields](https://docs.microsoft.com/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703)
- [Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services) - [Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services)
- [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization) - [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization)

View File

@ -336,6 +336,7 @@
#### [Testing scenarios using Windows Defender Application Guard in your business or organization](windows-defender-application-guard/test-scenarios-wd-app-guard.md) #### [Testing scenarios using Windows Defender Application Guard in your business or organization](windows-defender-application-guard/test-scenarios-wd-app-guard.md)
#### [Frequently Asked Questions - Windows Defender Application Guard](windows-defender-application-guard/faq-wd-app-guard.md) #### [Frequently Asked Questions - Windows Defender Application Guard](windows-defender-application-guard/faq-wd-app-guard.md)
## [Security intelligence](intelligence/index.md)
## Other security features ## Other security features
### [The Windows Security app](windows-defender-security-center/windows-defender-security-center.md) ### [The Windows Security app](windows-defender-security-center/windows-defender-security-center.md)

View File

@ -0,0 +1,49 @@
# [Security intelligence](index.md)
## [Understand malware & other threats](understanding-malware.md)
### [Prevent malware infection](prevent-malware-infection.md)
### [Malware names](malware-naming.md)
### [Coin miners](coinminer-malware.md)
### [Exploits and exploit kits](exploits-malware.md)
### [Macro malware](macro-malware.md)
### [Phishing](phishing.md)
### [Ransomware](ransomware-malware.md)
### [Rootkits](rootkits-malware.md)
### [Supply chain attacks](supply-chain-malware.md)
### [Tech support scams](support-scams.md)
### [Trojans](trojans-malware.md)
### [Unwanted software](unwanted-software.md)
### [Worms](worms-malware.md)
## [How Microsoft identifies malware and PUA](criteria.md)
## [Submit files for analysis](submission-guide.md)
## [Safety Scanner download](safety-scanner-download.md)
## [Industry collaboration programs](cybersecurity-industry-partners.md)
### [Virus information alliance](virus-information-alliance-criteria.md)
### [Microsoft virus initiative](virus-initiative-criteria.md)
### [Coordinated malware eradication](coordinated-malware-eradication.md)
## [Information for developers](developer-info.md)
### [Software developer FAQ](developer-faq.md)
### [Software developer resources](developer-resources.md)
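Review bot: The three program entries under "Industry collaboration programs" are written in sentence case ("Virus information alliance", "Microsoft virus initiative", "Coordinated malware eradication"), but the pages added in this same commit treat them as proper names ("Virus Information Alliance (VIA)", "Microsoft Virus Initiative (MVI)", "Coordinated Malware Eradication"). Match the TOC labels to the page titles so navigation and headings agree.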

View File

@ -0,0 +1,47 @@
---
title: Coin miners
description: Learn about coin miners, how they can infect devices, and what you can do to protect yourself.
keywords: security, malware, coin miners, protection, cryptocurrencies
ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 08/17/2018
---
# Coin miners
Cybercriminals are always looking for new ways to make money. With the rise of digital currencies, also known as cryptocurrencies, criminals see a unique opportunity to infiltrate an organization and secretly mine for coins by reconfiguring malware.
## How coin miners work
Many infections start with:
- Email messages with attachments that try to install malware.
- Websites hosting exploit kits that attempt to use vulnerabilities in web browsers and other software to install coin miners.
- Websites taking advantage of computer processing power by running scripts while users browse the website.
Mining is the process of running complex mathematical calculations necessary to maintain the blockchain ledger. This process generates coins but requires significant computing resources.
Coin miners are not inherently malicious. Some individuals and organizations invest in hardware and electric power for legitimate coin mining operations. However, others look for alternative sources of computing power and try to find their way into corporate networks. These coin miners are not wanted in enterprise environments because they eat up precious computing resources.
Cybercriminals see an opportunity to make money by running malware campaigns that distribute, install, and run trojanized miners at the expense of other peoples computing resources.
### Examples
DDE exploits, which have been known to distribute ransomware, are now delivering miners.
For example, a sample of the malware detected as Trojan:Win32/Coinminer (SHA-256: 7213cbbb1a634d780f9bb861418eb262f58954e6e5dca09ca50c1e1324451293) is installed by Exploit:O97M/DDEDownloader.PA, a Word document that contains the DDE exploit.
The exploit launches a cmdlet that executes a malicious PowerShell script (Trojan:PowerShell/Maponeir.A), which then downloads the trojanized miner: a modified version of the miner XMRig, which mines Monero cryptocurrency.
## How to protect against coin miners
**Enable PUA detection**: Some coin mining tools are not considered malware but are detected as potentially unwanted applications (PUA). Many applications detected as PUA can negatively impact machine performance and employee productivity. In enterprise environments, you can stop adware, torrent downloaders, and coin mining by enabling PUA detection.
Since coin miners is becoming a popular payload in many different kinds of attacks, see general tips on how to [prevent malware infection](prevent-malware-infection.md).
For more information on coin miners, see the blog post [Invisible resource thieves: The increasing threat of cryptocurrency miners](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/13/invisible-resource-thieves-the-increasing-threat-of-cryptocurrency-miners/).
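Review bot: The "Enable PUA detection" paragraph under "How to protect against coin miners" tells enterprise readers to turn the feature on but links to no instructions, unlike the next sentence, which links prevent-malware-infection.md. Add a link to the article that explains how to configure PUA detection. Wording fixes in the same file: "other peoples computing resources" needs an apostrophe ("other people's"), "Since coin miners is becoming a popular payload" should read "Since coin miners are becoming a popular payload", and the opening "secretly mine for coins by reconfiguring malware" is hard to parse and would be clearer stated as malware being reconfigured to mine coins.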

View File

@ -0,0 +1,35 @@
---
title: Coordinated Malware Eradication
description: Information and criteria regarding CME
keywords: security, malware
ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 07/12/2018
---
# Coordinated Malware Eradication
![coordinated-malware-eradication](images/CoordinatedMalware.png)
Coordinated Malware Eradication (CME) aims to bring organizations in cybersecurity and in other industries together to change the game against malware. While the cybersecurity industry today is effective at disrupting malware families through individual efforts, those disruptions rarely lead to eradication since malware authors quickly adapt their tactics to survive.
CME calls for organizations to pool their tools, information and actions to drive coordinated campaigns against malware. The ultimate goal is to drive efficient and long lasting results for better protection of our collective communities, customers, and businesses.
## Combining our tools, information, and actions
Diversity of participation across industries and disciplines, extending beyond cybersecurity, makes eradication campaigns even stronger across the malware lifecycle. For instance, while security vendors, computer emergency response/readiness teams (CERTs), and Internet service providers (ISPs) can contribute with malware telemetry, online businesses can identify fraudulent behavior and law enforcement agencies can drive legal action.
In addition to telemetry and analysis data, Microsoft is planning to contribute cloud-based scalable storage and computing horsepower with the necessary big data analysis tools built-in to these campaigns.
## Coordinated campaigns for lasting results
Organizations participating in the CME effort work together to help eradicate selected malware families by contributing their own telemetry data, expertise, tools, and other resources. These organizations operate under a campaign umbrella with clearly defined end goals and metrics. Any organization or member can initiate a campaign and invite others to join it. The members then have the option to accept or decline the invitations they receive.
## Join the effort
Any organization that is involved in cybersecurity and antimalware or interested in fighting cybercrime can participate in CME campaigns by enrolling in the [Virus Information Alliance (VIA) program](virus-information-alliance-criteria.md). It ensures that everyone agrees to use the information and tools available for campaigns for their intended purpose (that is, the eradication of malware).
Please apply using our [membership application form](http://www.microsoft.com/security/portal/partnerships/apply.aspx) to get started.
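Review bot: The membership application link in the last line points at http://www.microsoft.com/security/portal/partnerships/apply.aspx. A form that collects applicant details should be linked over https so the first request cannot be read or redirected in transit. Minor wording: "long lasting results" should be hyphenated ("long-lasting", as the industry collaboration page in this commit writes it), and "built-in to these campaigns" should be "built in to these campaigns".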

View File

@ -0,0 +1,170 @@
---
title: How Microsoft identifies malware and potentially unwanted applications
description: criteria
keywords: security, malware
ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 08/01/2018
---
# How Microsoft identifies malware and potentially unwanted applications
Microsoft aims to provide customers with the most delightful and productive Windows experience possible. To help achieve that, we try our best to ensure our customers are safe and in control of their devices.
Microsoft gives you the information and tools you need when downloading, installing, and running software, as well as tools that protect you when we know that something unsafe is happening. Microsoft does this by identifying and analyzing software and online content against criteria described in this article.
You can participate in this process by submitting software for analysis. Our analysts and intelligent systems can then help identify undesirable software and ensure they are covered by our security solutions.
Because new forms of malware and potentially unwanted applications are being developed and distributed rapidly, Microsoft reserves the right to adjust, expand, and update these criteria without prior notice or announcements.
## Malware
Malware is the overarching name for applications and other code, i.e. software, that Microsoft classifies more granularly as *malicious software* or *unwanted software*.
### Malicious software
Malicious software is an application or code that compromises user security. Malicious software might steal your personal information, lock your PC until you pay a ransom, use your PC to send spam, or download other malicious software. In general, malicious software tricks, cheats, or defrauds users, places users in vulnerable states, or performs other malicious activities.
Microsoft classifies most malicious software into one of the following categories:
* **Backdoor:** A type of malware that gives malicious hackers remote access to and control of your PC.
* **Downloader:** A type of malware that downloads other malware onto your PC. It needs to connect to the internet to download files.
* **Dropper:** A type of malware that installs other malware files onto your PC.Unlike a downloader, a dropper doesnt need to connect to the internet to drop malicious files. The dropped files are typically embedded in the dropper itself.
* **Exploit:** A piece of code that uses software vulnerabilities to gain access to your PC and perform other tasks, such as installing malware. [See more information about exploits](exploits-malware.md).
* **Hacktool:** A type of tool that can be used to gain unauthorized access to your PC.
* **Macro virus:** A type of malware that spreads through infected documents, such as Microsoft Word or Excel documents. The virus is run when you open an infected document.
* **Obfuscator:** A type of malware that hides its code and purpose, making it more difficult for security software to detect or remove.
* **Password stealer:** A type of malware that gathers your personal information, such as user names and passwords. It often works along with a keylogger, which collects and sends information about the keys you press and websites you visit.
* **Ransomware:** A type of malware that encrypts your files or makes other modifications that can prevent you from using your PC. It then displays a ransom note stating you must pay money, complete surveys, or perform other actions before you can use your PC again. [See more information about ransomware](ransomware-malware.md).
* **Rogue security software:** Malware that pretends to be security software but doesn't provide any protection. This type of malware usually displays alerts about nonexistent threats on your PC. It also tries to convince you to pay for its services.
* **Trojan:** A type of malware that attempts to appear harmless. Unlike a virus or a worm, a trojan doesn't spread by itself. Instead it tries to look legitimate, tricking users into downloading and installing it. Once installed, trojans perform a variety of malicious activities, such as stealing personal information, downloading other malware, or giving attackers access to your PC.
* **Trojan clicker:** A type of trojan that automatically clicks buttons or similar controls on websites or applications. Attackers can use this trojan to click on online advertisements. These clicks can skew online polls or other tracking systems and can even install applications on your PC.
* **Worm:** A type of malware that spreads to other PCs. Worms can spread through email, instant messaging, file sharing platforms, social networks, network shares, and removable drives. Sophisticated worms take advantage of software vulnerabilities to propagate.
### Unwanted software
Microsoft believes that you should have control over your Windows experience. Software running on Windows should keep you in control of your PC through informed choices and accessible controls. Microsoft identifies software behaviors that ensure you stay in control. We classify software that does not fully demonstrate these behaviors as "unwanted software".
#### Lack of choice
You must be notified about what is happening on your PC, including what software does and whether it is active.
Software that exhibits lack of choice might:
* Fail to provide prominent notice about the behavior of the software and its purpose and intent.
* Fail to clearly indicate when the software is active and might also attempt to hide or disguise its presence.
* Install, reinstall, or remove software without your permission, interaction, or consent.
* Install other software without a clear indication of its relationship to the primary software.
* Circumvent user consent dialogs from the browser or operating system.
* Falsely claim to be software from Microsoft.
Software must not mislead or coerce you into making decisions about your PC. This is considered behavior that limits your choices. In addition to the previous list, software that exhibits lack of choice might:
* Display exaggerated claims about your PCs health.
* Make misleading or inaccurate claims about files, registry entries, or other items on your PC.
* Display claims in an alarming manner about your PC's health and require payment or certain actions in exchange for fixing the purported issues.
Software that stores or transmits your activities or data must:
* Give you notice and get consent to do so. Software should not include an option that configures it to hide activities associated with storing or transmitting your data.
#### Lack of control
You must be able to control software on your computer. You must be able to start, stop, or otherwise revoke authorization to software.
Software that exhibits lack of control might:
* Prevent or limit you from viewing or modifying browser features or settings.
* Open browser windows without authorization.
* Redirect web traffic without giving notice and getting consent.
* Modify or manipulate webpage content without your consent.
Software that changes your browsing experience must only use the browser's supported extensibility model for installation, execution, disabling, or removal. Browsers that do not provide supported extensibility models will be considered non-extensible and should not be modified.
#### Installation and removal
You must be able to start, stop, or otherwise revoke authorization given to software. Software should obtain your consent before installing, and it must provide a clear and straightforward way for you to install, uninstall, or disable it.
Software that delivers *poor installation experience* might bundle or download other "unwanted software" as classified by Microsoft.
Software that delivers *poor removal experience* might:
* Present confusing or misleading prompts or pop-ups while being uninstalled.
* Fail to use standard install/uninstall features, such as Add/Remove Programs.
#### Advertising and advertisements
Software that promotes a product or service outside of the software itself can interfere with your computing experience. You should have clear choice and control when installing software that presents advertisements.
The advertisements that are presented by software must:
* Include an obvious way for users to close the advertisement. The act of closing the advertisement must not open another advertisement.
* Include the name of the software that presented the advertisement.
The software that presents these advertisements must:
* Provide a standard uninstall method for the software using the same name as shown in the advertisement it presents.
Advertisements shown to you must:
* Be distinguishable from website content.
* Not mislead, deceive, or confuse.
* Not contain malicious code.
* Not invoke a file download.
#### Consumer opinion
Microsoft maintains a worldwide network of analysts and intelligence systems where you can [submit software for analysis](https://www.microsoft.com/wdsi/filesubmission). Your participation helps us identify new malware quickly. After analysis, Microsoft creates definitions for software that meets the described criteria. These definitions identify the software as malware and are available to all users through Windows Defender Antivirus and other Microsoft antimalware solutions.
## Potentially unwanted application (PUA)
Our PUA protection aims to safeguard user productivity and ensure enjoyable Windows experiences. This optional protection, available to enterprises, helps deliver more productive, performant, and delightful Windows experiences.
*PUAs are not considered malware.*
Microsoft uses specific categories and the category definitions to classify software as a PUA.
* **Browser advertising software:** Software that displays advertisements or promotions, or prompts the user to complete surveys for other products or services in software other than itself. This includes software that inserts advertisements to webpages.
* **Torrent software:** Software that is used to create or download torrents or other files specifically used with peer-to-peer file-sharing technologies.
* **Cryptomining software:** Software that uses your computer resources to mine cryptocurrencies.
* **Bundling software:** Software that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualify as PUA based on the criteria outlined in this document.
* **Marketing software:** Software that monitors and transmits the activities of the user to applications or services other than itself for marketing research.
* **Evasion software:** Software that actively tries to evade detection by security products, including software that behaves differently in the presence of security products.
* **Poor industry reputation:** Software that trusted security providers detect with their security products. The security industry is dedicated to protecting customers and improving their experiences. Microsoft and other organizations in the security industry continuously exchange knowledge about files we have analyzed to provide users with the best possible protection.
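Review bot: The front matter line "description: criteria" is a placeholder rather than a summary of the page. Replace it with a sentence describing what the article covers, as the other new files do. In the body, the Dropper bullet has a missing space and apostrophe ("your PC.Unlike a downloader, a dropper doesnt need"), and "Display exaggerated claims about your PCs health" needs "PC's". The "Consumer opinion" heading does not match its paragraph, which is about submitting software for analysis and how definitions are created, so rename the heading or move the text.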

View File

@ -0,0 +1,39 @@
---
title: Industry collaboration programs
description: Describing the 3 industry collaboration programs
keywords: security, malware
ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 07/12/2018
---
# Industry collaboration programs
Microsoft has several industry-wide collaboration programs with different objectives and requirements. Enrolling in the right program can help you protect your customers, gain more insight into the current threat landscape, or assist in disrupting the malware ecosystem.
## Virus Information Alliance (VIA)
The VIA program gives members access to information that will help improve protection for Microsoft customers. Malware telemetry and samples can be provided to security teams to help identify gaps in their protection, prioritize new threat coverage, or better respond to threats.
**You must be a member of VIA if you want to apply for membership to the other programs.**
Go to the [VIA program page](virus-information-alliance-criteria.md) for more information.
## Microsoft Virus Initiative (MVI)
MVI is open to organizations who build and own a Real Time Protection (RTP) antimalware product of their own design, or one developed using a third-party antivirus SDK.
Members get access to Microsoft client APIs for the Windows Defender Security Center, IOAV, AMSI, and Cloud Files, along with health data and other telemetry to help their customers stay protected. Antimalware products are submitted to Microsoft for performance testing on a regular basis.
Go to the [MVI program page](virus-initiative-criteria.md) for more information.
## Coordinated Malware Eradication (CME)
CME is open to organizations who are involved in cybersecurity and antimalware or interested in fighting cybercrime.
The program aims to bring organizations in cybersecurity and other industries together to pool tools, information and actions to drive coordinated campaigns against malware. The ultimate goal is to create efficient and long-lasting results for better protection of our collective communities, customers, and businesses.
Go to the [CME program page](coordinated-malware-eradication.md) for more information.
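Review bot: In the MVI section, "IOAV, AMSI, and Cloud Files" are listed without expansion or links, so a prospective member cannot tell which interfaces the program actually grants. Expand each acronym on first use. Also, "organizations who" in the MVI and CME sections reads better as "organizations that", and the front matter description "Describing the 3 industry collaboration programs" would be clearer as a sentence about what the reader learns.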

View File

@ -0,0 +1,41 @@
---
title: Software developer FAQ
description: This page provides answers to common questions we receive from software developers
keywords: wdsi, software, developer, faq, dispute, false-positive, classify, installer, software, bundler, blocking
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 07/01/2018
---
# Software developer FAQ
This page provides answers to common questions we receive from software developers. For general guidance about submitting malware or incorrectly detected files, read the submission guide.
## Does Microsoft accept files for a known list or false-positive prevention program?
No. We do not accept these requests from software developers. Signing your program's files in a consistent manner, with a digital certificate issued by a trusted root authority, helps our research team quickly identify the source of a program and apply previously gained knowledge. In some cases, this might result in your program being quickly added to the known list or, far less frequently, in adding your digital certificate to a list of trusted publishers.
## How do I dispute the detection of my program?
Submit the file in question as a software developer. Wait until your submission has a final determination.
If you're not satisfied with our determination of the submission, use the developer contact form provided with the submission results to reach Microsoft. We will use the information you provide to investigate further if necessary.
We encourage all software vendors and developers to read about how Microsoft identifies malware and unwanted software.
## Why is Microsoft asking for a copy of my program?
This can help us with our analysis. Participants of the Microsoft Active Protection Service (MAPS) may occasionally receive these requests. The requests will stop once our systems have received and processed the file.
## Why does Microsoft classify my installer as a software bundler?
It contains instructions to offer a program classified as unwanted software. You can review the criteria we use to check applications for behaviors that are considered unwanted.
## Why is the Windows Firewall blocking my program?
This is not related to Windows Defender Antivirus and other Microsoft antimalware. You can find out more about Windows Firewall from the Microsoft Developer Network.
## Why does the Windows Defender SmartScreen say my program is not commonly downloaded?
This is not related to Windows Defender Antivirus and other Microsoft antimalware. You can find out more from the SmartScreen website.
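Review bot: Several answers refer readers to resources that are not linked: "read the submission guide" in the introduction, "Submit the file in question as a software developer" and "read about how Microsoft identifies malware and unwanted software" in the dispute answer, "review the criteria" in the bundler answer, "the Microsoft Developer Network" in the firewall answer, and "the SmartScreen website" in the last answer. Add the links (submission-guide.md and criteria.md are added in this same commit), otherwise the FAQ sends developers nowhere. The front matter keywords also list "software" twice.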

View File

@ -0,0 +1,25 @@
---
title: Information for developers
description: This page provides answers to common questions we receive from software developers and other useful resources
keywords: software, developer, faq, dispute, false-positive, classify, installer, software, bundler, blocking
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 07/13/2018
---
# Information for developers
Learn about the common questions we receive from software developers and get other developer resources such as detection criteria and file submissions.
## In this section
Topic | Description
:---|:---
[Software developer FAQ](developer-faq.md) | Provides answers to common questions we receive from software developers.
[Developer resources](developer-resources.md) | Provides information about how to submit files, detection criteria, and how to check your software against the latest definitions and cloud protection from Microsoft.

View File

@ -0,0 +1,43 @@
---
title: Software developer resources
description: This page provides information for developers such as detection criteria, developer questions, and how to check your software against definitions.
keywords: wdsi, software, developer, resources, detection, criteria, questions, scan, software, definitions, cloud, protection
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 07/13/2018
---
# Software developer resources
Concerned about the detection of your software?
If you believe that your application or program has been incorrectly detected by Microsoft security software, submit the relevant files for analysis.
Check out the following resources for information on how to submit and view submissions:
- [Submit files](https://www.microsoft.com/en-us/wdsi/filesubmission)
- [View your submissions](https://www.microsoft.com/en-us/wdsi/submissionhistory)
## Additional resources
### Detection criteria
To objectively identify malware and unidentified software, Microsoft applies a set of criteria for evaluating malicious or potentially harmful code.
For more information, see
### Developer questions
Find more guidance about the file submission and detection dispute process in our FAQ for software developers.
For more information, see
### Scan your software
Use Windows Defender Antivirus to check your software against the latest definitions and cloud protection from Microsoft.
For more information, see
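Review bot: Each of the three subsections under "Additional resources" ends with a dangling "For more information, see" that has no link target, so the sentences are incomplete as committed. Add the intended links or remove the lines. In "Detection criteria", "malware and unidentified software" also reads like a slip, given that the criteria page added in this commit uses "unwanted software". Confirm the intended term.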

View File

@ -0,0 +1,56 @@
---
title: Exploits and exploit kits
description: Learn about exploits, how they can infect devices, and what you can do to protect yourself.
keywords: security, malware, exploits, exploit kits, prevention, vulnerabilities
ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 08/17/2018
---
# Exploits and exploit kits
Exploits take advantage of vulnerabilities in software. A vulnerability is like a hole in your software that malware can use to get onto your device. Malware exploits these vulnerabilities to bypass your computer's security safeguards to infect your device.
## How exploits and exploit kits work
Exploits are often the first part of a larger attack. Hackers scan for outdated systems that contain critical vulnerabilities, which they then exploit by deploying targeted malware. Exploits often include what's called "shellcode". This is a small malware payload that's used to download additional malware from attacker-controlled networks. This allows hackers to infect devices and infiltrate organizations.
Exploit kits are more comprehensive tools that contain a collection of exploits. These kits scan devices for different kinds of software vulnerabilities and, if any are detected, deploys additional malware to further infect a device. Kits can use exploits targeting a variety of software, including Adobe Flash Player, Adobe Reader, Internet Explorer, Oracle Java and Sun Java.
The most common method used by attackers to distribute exploits and exploit kits is through webpages, but exploits can also arrive in emails. Some websites unknowingly and unwillingly host malicious code and exploits in their ads.
The infographic below shows how an exploit kit might attempt to exploit a device when a compromised webpage is visited.
![example of how exploit kits work](./images/ExploitKit.png)
*Example of how exploit kits work*
Several notable threats, including Wannacry, exploit the Server Message Block (SMB) vulnerability CVE-2017-0144 to launch malware.
Examples of exploit kits:
- Angler / [Axpergle](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=JS%2fAxpergle)
- [Neutrino](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=JS%2fNeutrino)
- [Nuclear](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Exploit:JS/Neclu)
To learn more about exploits, read this blog post on [taking apart a double zero-day sample discovered in joint hunt with ESET.](https://cloudblogs.microsoft.com/microsoftsecure/2018/07/02/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset/)
## How we name exploits
We categorize exploits in our Malware encyclopedia by the "platform" they target. For example, Exploit:Java/CVE-2013-1489.A is an exploit that targets a vulnerability in Java.
A project called "Common Vulnerabilities and Exposures (CVE)" is used by many security software vendors. The project gives each vulnerability a unique number, for example, CVE-2016-0778.
The portion "2016" refers to the year the vulnerability was discovered. The "0778" is a unique ID for this specific vulnerability.
You can read more on the [CVE website](https://cve.mitre.org/).
## How to protect against exploits
The best prevention for exploits is to keep your organization's [software up to date](https://portal.msrc.microsoft.com/). Software vendors provide updates for many known vulnerabilities and making sure these updates are applied to all devices is an important step to prevent malware.
For more general tips, see [prevent malware infection](prevent-malware-infection.md).
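Review bot: Under "How we name exploits", the text says the "2016" portion of a CVE ID "refers to the year the vulnerability was discovered", but the year in a CVE ID is the year the ID was assigned or the vulnerability was made public, which can differ from the year of discovery; suggest rewording to say that. Separately, the CVE-2017-0144 sentence sits between the exploit-kit infographic and the exploit-kit list although it describes an SMB exploit rather than web delivery; consider giving it its own paragraph and spelling the name "WannaCry".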


View File

@ -0,0 +1,24 @@
---
title: Security intelligence
description: Safety tips about malware and how you can protect your organization
keywords: security, malware
ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 08/17/2018
---
# Security intelligence
Here you will find information about different types of malware, safety tips on how you can protect your organization, and resources for industry collaboration programs
* [Understand malware & other threats](understanding-malware.md)
* [How Microsoft identifies malware and PUA](criteria.md)
* [Submit files for analysis](submission-guide.md)
* [Safety Scanner download](safety-scanner-download.md)
Keep up with the latest malware news and research. Check out our [Windows security blogs](http://aka.ms/wdsecurityblog) and follow us on [Twitter](https://twitter.com/wdsecurity) for the latest news, discoveries, and protections.
Learn more about [Windows security](https://docs.microsoft.com/windows/security/index).
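Review bot: The intro sentence under "# Security intelligence" ends without a period ("...resources for industry collaboration programs"), and the blog link uses plain http (`http://aka.ms/wdsecurityblog`) while the other external links in this file are https; suggest adding the period and switching that link to https.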

View File

@ -0,0 +1,43 @@
---
title: Macro malware
description: Learn about how macro malware works, how it can infect devices, and what you can do to protect yourself.
keywords: security, malware, macro, protection
ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 08/17/2018
---
# Macro malware
Macros are a powerful way to automate common tasks in Microsoft Office and can make people more productive. However, macro malware uses this functionality to infect your device.
## How macro malware works
Macro malware hides in Microsoft Office files and are delivered as email attachments or inside ZIP files. These files use names that are intended to entice or scare people into opening them. They often look like invoices, receipts, legal documents, and more.
Macro malware was fairly common several years ago because macros ran automatically whenever a document was opened. However, in recent versions of Microsoft Office, macros are disabled by default. This means malware authors need to convince users to turn on macros so that their malware can run. They do this by showing fake warnings when a malicious document is opened.
We've seen macro malware download threats from the following families:
* [Ransom:MSIL/Swappa](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Ransom:MSIL/Swappa.A)
* [Ransom:Win32/Teerac](Ransom:Win32/Teerac)
* [TrojanDownloader:Win32/Chanitor](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:Win32/Chanitor.A)
* [TrojanSpy:Win32/Ursnif](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif)
* [Win32/Fynloski](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/Fynloski)
* [Worm:Win32/Gamarue](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Win32/Gamarue)
## How to protect against macro malware
* Make sure macros are disabled in your Microsoft Office applications. In enterprises, IT admins set the default setting for macros:
* [Enable or disable macros](https://support.office.com/article/Enable-or-disable-macros-in-Office-documents-7b4fdd2e-174f-47e2-9611-9efe4f860b12) in Office documents
* Dont open suspicious emails or suspicious attachments.
* Delete any emails from unknown people or with suspicious content. Spam emails are the main way macro malware spreads.
* Enterprises can prevent macro malware from running executable content using [ASR rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction#enable-and-audit-attack-surface-reduction-rules)
For more general tips, see [prevent malware infection](prevent-malware-infection.md).
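Review bot: In the list of families, the Teerac entry uses the detection name as its link target, `[Ransom:Win32/Teerac](Ransom:Win32/Teerac)`, which is not a URL like the encyclopedia links on the other entries; point it at the matching encyclopedia page. In the protection list, "Dont open suspicious emails" has lost its apostrophe, the "Enable or disable macros" bullet follows a line ending in a colon but sits at the same list level instead of being nested under it, and the ASR rules bullet lacks a final period. "Macro malware hides in Microsoft Office files and are delivered" also needs subject-verb agreement.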

View File

@ -0,0 +1,176 @@
---
title: Malware names
description: Identifying malware vocabulary
keywords: security, malware, names
ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 08/17/2018
---
# Malware names
We name the malware and unwanted software that we detect according to the Computer Antivirus Research Organization (CARO) malware naming scheme. The scheme uses the following format:
![coordinated-malware-eradication](images/NamingMalware1.png)
When our analysts research a particular threat, they will determine what each of the components of the name will be.
## Type
Describes what the malware does on your computer. Worms, viruses, trojans, backdoors, and ransomware are some of the most common types of malware.
* Adware
* Backdoor
* Behavior
* BrowserModifier
* Constructor
* DDoS
* Exploit
* Hacktool
* Joke
* Misleading
* MonitoringTool
* Program
* PWS
* Ransom
* RemoteAccess
* Rogue
* SettingsModifier
* SoftwareBundler
* Spammer
* Spoofer
* Spyware
* Tool
* Trojan
* TrojanClicker
* TrojanDownloader
* TrojanNotifier
* TrojanProxy
* TrojanSpy
* VirTool
* Virus
* Worm
## Platforms
Indicates the operating system (such as Windows, Mac OS X, and Android) that the malware is designed to work on. The platform is also used to indicate programming languages and file formats.
### Operating systems
* AndroidOS: Android operating system
* DOS: MS-DOS platform
* EPOC: Psion devices
* FreeBSD: FreeBSD platform
* iPhoneOS: iPhone operating system
* Linux: Linux platform
* MacOS: MAC 9.x platform or earlier
* MacOS_X: MacOS X or later
* OS2: OS2 platform
* Palm: Palm operating system
* Solaris: System V-based Unix platforms
* SunOS: Unix platforms 4.1.3 or lower
* SymbOS: Symbian operating system
* Unix: general Unix platforms
* Win16: Win16 (3.1) platform
* Win2K: Windows 2000 platform
* Win32: Windows 32-bit platform
* Win64: Windows 64-bit platform
* Win95: Windows 95, 98 and ME platforms
* Win98: Windows 98 platform only
* WinCE: Windows CE platform
* WinNT: WinNT
### Scripting languages
* ABAP: Advanced Business Application Programming scripts
* ALisp: ALisp scripts
* AmiPro: AmiPro script
* ANSI: American National Standards Institute scripts
* AppleScript: compiled Apple scripts
* ASP: Active Server Pages scripts
* AutoIt: AutoIT scripts
* BAS: Basic scripts
* BAT: Basic scripts
* CorelScript: Corelscript scripts
* HTA: HTML Application scripts
* HTML: HTML Application scripts
* INF: Install scripts
* IRC: mIRC/pIRC scripts
* Java: Java binaries (classes)
* JS: Javascript scripts
* LOGO: LOGO scripts
* MPB: MapBasic scripts
* MSH: Monad shell scripts
* MSIL: .Net intermediate language scripts
* Perl: Perl scripts
* PHP: Hypertext Preprocessor scripts
* Python: Python scripts
* SAP: SAP platform scripts
* SH: Shell scripts
* VBA: Visual Basic for Applications scripts
* VBS: Visual Basic scripts
* WinBAT: Winbatch scripts
* WinHlp: Windows Help scripts
* WinREG: Windows registry scripts
### Macros
* A97M: Access 97, 2000, XP, 2003, 2007, and 2010 macros
* HE: macro scripting
* O97M: Office 97, 2000, XP, 2003, 2007, and 2010 macros - those that affect Word, Excel, and Powerpoint
* PP97M: PowerPoint 97, 2000, XP, 2003, 2007, and 2010 macros
* V5M: Visio5 macros
* W1M: Word1Macro
* W2M: Word2Macro
* W97M: Word 97, 2000, XP, 2003, 2007, and 2010 macros
* WM: Word 95 macros
* X97M: Excel 97, 2000, XP, 2003, 2007, and 2010 macros
* XF: Excel formulas
* XM: Excel 95 macros
### Other file types
* ASX: XML metafile of Windows Media .asf files
* HC: HyperCard Apple scripts
* MIME: MIME packets
* Netware: Novell Netware files
* QT: Quicktime files
* SB: StarBasic (Staroffice XML) files
* SWF: Shockwave Flash files
* TSQL: MS SQL server files
* XML: XML files
## Family
Grouping of malware based on common characteristics, including attribution to the same authors. Security software providers sometimes use different names for the same malware family.
## Variant letter
Used sequentially for every distinct version of a malware family. For example, the detection for the variant ".AF" would have been created after the detection for the variant ".AE".
## Suffixes
Provides extra detail about the malware, including how it is used as part of a multicomponent threat. In the example above, "!lnk" indicates that the threat component is a shortcut file used by Trojan:Win32/Reveton.T.
* .dam: damaged malware
* .dll: Dynamic Link Library component of a malware
* .dr: dropper component of a malware
* .gen: malware that is detected using a generic signature
* .kit: virus constructor
* .ldr: loader component of a malware
* .pak: compressed malware
* .plugin: plug-in component
* .remnants: remnants of a virus
* .worm: worm component of that malware
* !bit: an internal category used to refer to some threats
* !cl: an internal category used to refer to some threats
* !dha: an internal category used to refer to some threats
* !pfn: an internal category used to refer to some threats
* !plock: an internal category used to refer to some threats
* !rfn: an internal category used to refer to some threats
* !rootkit: rootkit component of that malware
* @m: worm mailers
* @mm: mass mailer worm
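Review bot: Under "Scripting languages", two descriptions look copied from the neighbouring entry: "BAT: Basic scripts" repeats the BAS text and "HTML: HTML Application scripts" repeats the HTA text; please confirm and correct both. The "Suffixes" section also refers to "the example above" and to "!lnk", but the only example is the NamingMalware1.png image, whose alt text is "coordinated-malware-eradication", and "!lnk" does not appear in the suffix list; suggest writing the example name out in text, giving the image a matching alt text, and adding "!lnk" to the list.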

View File

@ -0,0 +1,139 @@
---
title: Phishing
description: Learn about how phishing work, deliver malware do your devices, and what you can do to protect yourself
keywords: security, malware, phishing, information, scam, social engineering, bait, lure, protection, trends, targeted attack
ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 08/17/2018
---
# Phishing
Phishing attacks attempt to steal sensitive information through emails, websites, text messages, or other forms of electronic communication that often look to be official communication from legitimate companies or individuals.
The information that phishers (as the cybercriminals behind phishing attacks are called) attempt to steal can be user names and passwords, credit card details, bank account information, or other credentials. Attackers can then use stolen information for malicious purposes, such as hacking, identity theft, or stealing money directly from bank accounts and credit cards. Phishers can also sell the information in cybercriminal underground marketplaces.
## How phishing works
Phishing attacks are scams that often use social engineering bait or lure content. For example, during tax season, bait content involves tax-filing announcements that attempt to lure you into providing your personal information such as your Social Security number or bank account information.
Legitimate-looking communication, usually email, that links to a phishing site is one of the most common methods used in phishing attacks. The phishing site typically mimics sign-in pages that require users to input login credentials and account information. The phishing site then captures the sensitive information as soon as the user provides it, giving attackers access to the information.
Another common phishing technique is the use of emails that direct you to open a malicious attachment, for example a PDF file. The attachment often contains a message asking you to provide login credentials to another site such as email or file sharing websites to open the document. When you access these phishing sites using your login credentials, the attacker now has access to your information and can gain additional personal information about you.
## Phishing trends and techniques
### Invoice phishing
In this scam, the attacker attempts to lure you with an email stating that you have an outstanding invoice from a known vendor or company and provides a link for you to access and pay your invoice. When you access the site, the attacker is poised to steal your personal information and funds.
### Payment/delivery scam
You are asked to provide a credit card or other personal information so that your payment information can be updated with a commonly known vendor or supplier. The update is requested so that you can take delivery of your ordered goods. Generally, you may be familiar with the company and have likely done business with them in the past, but you are not aware of any items you have recently purchased from them.
### Tax-themed phishing scams
A common IRS phishing scams is one in which an urgent email letter is sent indicating that you owe money to the IRS. Often the email threatens legal action if you do not access the site in a timely manner and pay your taxes. When you access the site, the attackers can steal your personal credit card or bank information and drain your accounts.
### Downloads
Another frequently-used phishing scam is one in which an attacker sends a fraudulent email requesting you to open or download a document, often one requiring you to sign in.
### Phishing emails that deliver other threats
Phishing emails can be very effective, and so attackers can using them to distribute [ransomware](ransomware-malware.md) through links or attachments in emails. When run, the ransomware encrypts files and displays a ransom note, which asks you to pay a sum of money to access to your files.
We have also seen phishing emails that have links to [tech support scam](support-scams.md) websites, which use various scare tactics to trick you into calling hotlines and paying for unnecessary "technical support services" that supposedly fix contrived device, platform, or software problems.
## Targeted attacks against enterprises
### Spear phishing
Spear phishing is a targeted phishing attack that involves highly customized lure content. To perform spear phishing, attackers will typically do reconnaissance work, surveying social media and other information sources about their intended target.
Spear phishing may involve tricking you into logging into fake sites and divulging credentials. Spear phishing may also be designed to lure you into opening documents by clicking on links that automatically install malware. With this malware in place, attackers can remotely manipulate the infected computer.
The implanted malware serves as the point of entry for a more sophisticated attack known as an advanced persistent threat (APT). APTs are generally designed to establish control and steal data over extended periods. As part of the attack, attackers often try to deploy more covert hacking tools, move laterally to other computers, compromise or create privileged accounts, and regularly exfiltrate information from compromised networks.
### Whaling
Whaling is a form of phishing in which the attack is directed at high-level or senior executives within specific companies with the direct goal of gaining access to their credentials and/or bank information. The content of the email may be written as a legal subpoena, customer complaint, or other executive issue. This type of attack can also lead to an APT attack within an organization. When the links or attachment are opened, it can assist the attacker in accessing credentials and other personal information, or launch a malware that will lead to an APT.
### Business email compromise
Business email compromise (BEC) is a sophisticated scam that targets businesses often working with foreign suppliers and businesses that regularly perform wire transfer payments. One of the most common schemes used by BEC attackers involves gaining access to a companys network through a spear phishing attack, where the attacker creates a domain similar to the company they are targeting or spoofs their email to scam users into releasing personal account information for money transfers.
## How to protect against phishing attacks
Social engineering attacks are designed to take advantage of a user's possible lapse in decision-making. Be aware and never provide sensitive or personal information through email or unknown websites, or over the phone. Remember, phishing emails are designed to appear legitimate.
### Awareness
The best protection is awareness and education. Dont open attachments or click links in unsolicited emails, even if the emails came from a recognized source. If the email is unexpected, be wary about opening the attachment and verify the URL.
Enterprises should educate and train their employees to be wary of any communication that requests personal or financial information, and instruct them to report the threat to the companys security operations team immediately.
Here are several telltale signs of a phishing scam:
* The links or URLs provided in emails are **not pointing to the correct location** or are attempting to have you access a third-party site that is not affiliated with the sender of the email. For example, in the image below the URL provided does not match the URL that you will be taken to.
![example of how exploit kits work](./images/URLhover.png)
* There is a **request for personal information** such as social security numbers or bank or financial information. Official communications won't generally request personal information from you in the form of an email.
* **Items in the email address will be changed** so that it is similar enough to a legitimate email address but has added numbers or changed letters.
* The message is **unexpected and unsolicited**. If you suddenly receive an email from an entity or a person you rarely deal with, consider this email suspect.
* The message or the attachment asks you to **enable macros, adjust security settings, or install applications**. Normal emails will not ask you to do this.
* The message contains **errors**. Legitimate corporate messages are less likely to have typographic or grammatical errors or contain wrong information.
* The **sender address does not match** the signature on the message itself. For example, an email is purported to be from Mary of Contoso Corp, but the sender address is john<span></span>@example.com.
* There are **multiple recipients** in the “To” field and they appear to be random addresses. Corporate messages are normally sent directly to individual recipients.
* The greeting on the message itself **does not personally address you**. Apart from messages that mistakenly address a different person, those that misuse your name or pull your name directly from your email address tend to be malicious.
* The website looks familiar but there are **inconsistencies or things that are not quite right** such as outdated logos, typos, or ask users to give additional information that is not asked by legitimate sign-in websites.
* The page that opens is **not a live page** but rather an image that is designed to look like the site you are familiar with. A pop-up may appear that requests credentials.
If in doubt, contact the business by known channels to verify if any suspicious emails are in fact legitimate.
For more information, download and read this Microsoft [e-book on preventing social engineering attacks](https://info.microsoft.com/Protectyourweakestlink.html?ls=social), especially in enterprise environments.
### Software solutions for organizations
* [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/index) and [Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) offer protection from the increasing threat of targeted attacks using Microsoft's industry leading Hyper-V virtualization technology. If a browsed website is deemed untrusted, the Hyper-V container will isolate that device from the rest of your network thereby preventing access to your enterprise data.
* [Microsoft Exchange Online Protection (EOP)](https://products.office.com/exchange/exchange-email-security-spam-protection) offers enterprise-class reliability and protection against spam and malware, while maintaining access to email during and after emergencies. Using various layers of filtering, EOP can provide different controls for spam filtering, such as bulk mail controls and international spam, that will further enhance your protection services.
* Use [Office 365 Advanced Threat Protection (ATP)](https://products.office.com/exchange/online-email-threat-protection?ocid=cx-blog-mmpc) to help protect your email, files, and online storage against malware. It offers holistic protection in Microsoft Teams, Word, Excel, PowerPoint, Visio, SharePoint Online, and OneDrive for Business. By protecting against unsafe attachments and expanding protection against malicious links, it complements the security features of Exchange Online Protection to provide better zero-day protection.
For more tips and software solutions, see [prevent malware infection](prevent-malware-infection.md).
## What do I do if I've already been a victim of a phishing scam?
If you feel that you have been a victim of a phishing attack, contact your IT Admin. You should also immediately change all passwords associated with the accounts, and report any fraudulent activity to your bank, credit card company, etc.
### Reporting spam
Submit phishing scam emails to **Microsoft** by sending an email with the scam as an attachment to: phish@office365.microsoft.com. For more information on submitting messages to Microsoft, see [Submit spam, non-spam, and phishing scam messages to Microsoft for analysis](https://docs.microsoft.com/en-us/office365/SecurityCompliance/submit-spam-non-spam-and-phishing-scam-messages-to-microsoft-for-analysis).
For Outlook and Outlook on the web users, use the **Report Message Add-in** for Microsoft Outlook. For information about how to install and use this tool, see [Enable the Report Message add-in](https://support.office.com/article/4250c4bc-6102-420b-9e0a-a95064837676).
Send an email with the phishing scam to **The Anti-Phishing Working Group**: reportphishing@apwg.org. The group uses reports generated from emails sent to fight phishing scams and hackers. ISPs, security vendors, financial institutions and law enforcement agencies are involved.
## Where to find more information about phishing attacks
For information on the latest Phishing attacks, techniques, and trends, you can read these entries on the [Windows Security blog](https://cloudblogs.microsoft.com/microsoftsecure/?product=windows,windows-defender-advanced-threat-protection):
* [Phishers unleash simple but effective social engineering techniques using PDF attachments](https://cloudblogs.microsoft.com/microsoftsecure/2017/01/26/phishers-unleash-simple-but-effective-social-engineering-techniques-using-pdf-attachments/?source=mmpc)
* [Tax themed phishing and malware attacks proliferate during the tax filing season](https://cloudblogs.microsoft.com/microsoftsecure/2017/03/20/tax-themed-phishing-and-malware-attacks-proliferate-during-the-tax-filing-season/?source=mmpc)
* [Phishing like emails lead to tech support scam](https://cloudblogs.microsoft.com/microsoftsecure/2017/08/07/links-in-phishing-like-emails-lead-to-tech-support-scam/?source=mmpc)
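Review bot: The front-matter `description` is garbled ("Learn about how phishing work, deliver malware do your devices, ..."); suggest "Learn about how phishing works, how it delivers malware to your devices, and what you can do to protect yourself". In the telltale-signs list, the URLhover.png image reuses the alt text "example of how exploit kits work", which describes a different image. Several apostrophes have been dropped ("a companys network", "Dont open attachments", "the companys security operations team"), and "attackers can using them" and "A common IRS phishing scams is" need a grammar pass.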

View File

@ -0,0 +1,117 @@
---
title: Prevent malware infection
description: Malware prevention best practices
keywords: security, malware, prevention, infection, tips
ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 08/17/2018
---
# Prevent malware infection
Malware authors are always looking for new ways to infect computers. Follow the simple tips below to stay protected and minimize threats to your data and accounts.
You can also browse the many [software and application solutions](https://review.docs.microsoft.com/en-us/windows/security/intelligence/prevent-malware-infection?branch=wdsi-migration-stuff#software-solutions) available to you.
## Keep software up-to-date
[Exploits](exploits-malware.md) typically use vulnerabilities in popular software such as web browsers, Java, Adobe Flash Player, and Microsoft Office to infect devices. Software updates patch vulnerabilities so they aren't available to exploits anymore.
To keep Microsoft software up to date, ensure that [automatic Microsoft Updates](https://support.microsoft.com/help/12373/windows-update-faq) are enabled. Also, upgrade to the latest version of Windows to benefit from a host of built-in security enhancements.
## Be wary of links and attachments
Email and other messaging tools are a few of the most common ways your device can get infected. Attachments or links in messages can open malware directly or can stealthily trigger a download. Some emails will give instructions to allow macros or other executable content designed to make it easier for malware to infect your devices.
* Use an email service that provides protection against malicious attachments, links, and abusive senders. [Microsoft Office 365](https://support.office.com/article/Anti-spam-and-anti-malware-protection-in-Office-365-5ce5cf47-2120-4e51-a403-426a13358b7e) has built-in antimalware, link protection, and spam filtering.
For more information, see [Phishing](phishing.md).
## Watch out for malicious or compromised websites
By visiting malicious or compromised sites, your device can get infected with malware automatically or you can get tricked into downloading and installing malware. See [exploits and exploit kits](exploits-malware.md) as an example of how some of these sites can automatically install malware to visiting computers.
To identify potentially harmful websites, keep the following in mind:
* The initial part (domain) of a website address should represent the company that owns the site you are visiting. Check the domain for misspellings. For example, malicious sites commonly use domain names that swap the letter O with a zero (0) or the letters L and I with a one (1). If example<span></span>.com is spelled examp1e<span></span>.com, the site you are visiting is suspect.
* Sites that aggressively open popups and display misleading buttons often trick users into accepting content through constant popups or mislabeled buttons.
To block malicious websites, use a modern web browser like [Microsoft Edge](http://www.microsoft.com/windows/microsoft-edge?ocid=cx-wdsi-articles) which identifies phishing and malware websites and checks downloads for malware.
If you encounter an unsafe site, click **More […] > Send feedback** on Microsoft Edge. You can also [report unsafe sites directly to Microsoft](https://www.microsoft.com/wdsi/support/report-unsafe-site).
### Pirated material on compromised websites
Using pirated content is not only illegal, it can also expose your device to malware. Sites that offer pirated software and media are also often used to distribute malware when the site is visited. Sometimes pirated software is bundled with malware and other unwanted software when downloaded, including intrusive browser plugins and adware.
Users do not openly discuss visits to these sites, so any untoward experience are more likely to stay unreported.
To stay safe, download movies, music, and apps from official publisher websites or stores. Consider running a streamlined OS such as [Windows 10 Pro SKU S Mode](https://www.microsoft.com/windows/windows-10-s?ocid=cx-wdsi-articles), which ensures that only vetted apps from the Windows Store are installed.
## Don't attach unfamiliar removable drives
Some types of malware can spread by copying themselves to USB flash drives or other removable drives. There are malicious individuals that intentionally prepare and distribute infected drives—leaving these drives in public places to victimize unsuspecting individuals.
Only use removable drives that you are familiar with or that come from a trusted source. If a drive has been used in publicly accessible devices, like computers in a café or a library, make sure you have antimalware running on your computer before you use the drive. Avoid opening unfamiliar files you find on suspect drives, including Office and PDF documents and executable files.
## Use a non-administrator account
At the time they are launched, whether inadvertently by a user or automatically, most malware run under the same privileges as the active user. This means that by limiting account privileges, you can prevent malware from making consequential changes any devices.
By default, Windows uses [User Account Control (UAC)](https://docs.microsoft.com/windows/access-protection/user-account-control/user-account-control-overview) to provide automatic, granular control of privileges—it temporarily restricts privileges and prompts the active user every time an application attempts to make potentially consequential changes to the system. Although UAC helps limit the privileges of admin users, users can simply override this restriction when prompted. As a result, it is quite easy for an admin user to inadvertently allow malware to run.
To help ensure that everyday activities do not result in malware infection and other potentially catastrophic changes, it is recommended that you use a non-administrator account for regular use. By using a non-administrator account, you can prevent installation of unauthorized apps and prevent inadvertent changes to system settings. Avoid browsing the web or checking email using an account with administrator privileges.
Whenever necessary, log in as an administrator to install apps or make configuration changes that require admin privileges.
[Read about creating user accounts and giving administrator privileges](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10)
## Other safety tips
To further ensure that data is protected from malware as well as other threats:
* Backup files. Follow the 3-2-1 rule: make **3 copies**, store in at least **2 locations**, with at least **1 offline copy**. Use [OneDrive](https://onedrive.live.com/about/?ocid=cx-wdsi-articles) for reliable cloud-based copies that allows access to files from multiple devices and helps recover damaged or lost files, including files locked by ransomware.
* Be wary when connecting to public hotspots, particularly those that do not require authentication.
* Use [strong passwords](https://support.microsoft.com/help/12410/microsoft-account-help-protect-account) and enable multi-factor authentication.
* Do not use untrusted devices to log on to email, social media, and corporate accounts.
## Software solutions
Microsoft provides comprehensive security capabilities that help protect against threats. We recommend:
* [Automatic Microsoft updates](https://support.microsoft.com/help/12373/windows-update-faq) keeps software up-to-date to get the latest protections.
* [Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard) stops ransomware in its tracks by preventing unauthorized access to your important files. Controlled folder access locks down folders, allowing only authorized apps to access files. Unauthorized apps, including ransomware and other malicious executable files, DLLs, and scripts are denied access.
* [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/index) browser protects against threats such as ransomware by preventing exploit kits from running. By using Microsoft [SmartScreen](https://docs.microsoft.com/en-us/microsoft-edge/deploy/index), Microsoft Edge blocks access to malicious websites.
* [Microsoft Exchange Online Protection (EOP)](https://products.office.com/exchange/exchange-email-security-spam-protection) offers enterprise-class reliability and protection against spam and malware, while maintaining access to email during and after emergencies.
* [Microsoft Safety Scanner](https://www.microsoft.com/wdsi/products/scanner) helps remove malicious software from computers. NOTE: This tool does not replace your antimalware product.
* [Microsoft 365](https://docs.microsoft.com/microsoft-365/enterprise/#pivot=itadmin&panel=it-security) includes Office 365, Windows 10, and Enterprise Mobility + Security. These resources power productivity while providing intelligent security across users, devices, and data.
* [Office 365 Advanced Threat Protection](https://technet.microsoft.com/library/exchange-online-advanced-threat-protection-service-description.aspx) includes machine learning capabilities that block dangerous emails, including millions of emails carrying ransomware downloaders.
* [OneDrive for Business](https://support.office.com/article/restore-a-previous-version-of-a-file-in-onedrive-159cad6d-d76e-4981-88ef-de6e96c93893?ui=en-US&rs=en-US&ad=US) can back up files, which you would then use to restore files in the event of an infection.
* [Windows Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection) provides comprehensive endpoint protection, detection, and response capabilities to help prevent ransomware. In the event of a breach, Windows Defender ATP alerts security operations teams about suspicious activities and automatically attempts to resolve the problem. This includes alerts for suspicious PowerShell commands, connecting to a TOR website, launching self-replicated copies, and deletion of volume shadow copies. Try Windows Defender ATP free of charge.
* [Windows Hello for Business](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-identity-verification) replaces passwords with strong two-factor authentication on your devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN. It lets user authenticate to an Active Directory or Azure Active Directory account.
### Earlier than Windows 10 (not recommended)
* [Microsoft Security Essentials](https://www.microsoft.com/download/details.aspx?id=5201) provides real-time protection for your home or small business device that guards against viruses, spyware, and other malicious software.
## What to do with a malware infection
Windows Defender ATP antivirus capabilities helps reduce the chances of infection and will automatically remove threats that it detects.
In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://www.microsoft.com/wdsi/help/troubleshooting-infection).
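
Review bot: In the Microsoft Edge bullet under "Software solutions", the SmartScreen link points to https://docs.microsoft.com/en-us/microsoft-edge/deploy/index, which is the same Edge deployment index the bullet already links for Microsoft Edge (only the en-us segment differs), so it tells readers nothing about SmartScreen. Point it at the SmartScreen documentation and drop the locale segment to match the other docs links in this file. Smaller fixes in the same hunk: "Backup files" should be the verb "Back up files", "Automatic Microsoft updates keeps" and "antivirus capabilities helps" need subject-verb agreement, and "Try Windows Defender ATP free of charge." has no link to follow.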

View File

@ -0,0 +1,61 @@
---
title: Ransomware
description: Learn about ransomware, how it works, and what you can do to protect yourself.
keywords: security, malware, ransomware, encryption, extortion, money, key, infection, prevention, tips
ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 08/17/2018
---
# Ransomware
Ransomware is a type of malware that encrypts files and folders, preventing access to important files. Ransomware attempts to extort money from victims by asking for money, usually in form of cryptocurrencies, in exchange for the decryption key. But cybercriminals won't always follow through and unlock the files they encrypted.
The trend towards increasingly sophisticated malware behavior, highlighted by the use of exploits and other attack vectors, makes older platforms especially susceptible to ransomware attacks.
## How ransomware works
Most ransomware infections start with:
* Email messages with attachments that try to install ransomware.
* Websites hosting [exploit kits](exploits-malware.md) that attempt to use vulnerabilities in web browsers and other software to install ransomware.
Once ransomware infects a device, it starts encrypting files, folders, entire hard drive partitions using encryption algorithms like RSA or RC4.
Ransomware is one of the most lucrative revenue channels for cybercriminals, so malware authors continually improve their malware code to better target enterprise environments. Ransomware-as-a-service is a cybercriminal business model in which malware creators sell their ransomware and other services to cybercriminals, who then operate the ransomware attacks. The business model also defines profit sharing between the malware creators, ransomware operators, and other parties that may be involved. For cybercriminals, ransomware is a big business, at the expense of individuals and businesses.
### Examples
Sophisticated ransomware like **Spora**, **WannaCrypt** (also known as WannaCry), and **Petya** (also known as NotPetya) spread to other computers via network shares or exploits.
* Spora drops ransomware copies in network shares.
* WannaCrypt exploits the Server Message Block (SMB) vulnerability CVE-2017-0144 (also called EternalBlue) to infect other computers.
* A Petya variant exploits the same vulnerability, in addition to CVE-2017-0145 (also known as EternalRomance), and uses stolen credentials to move laterally across networks.
Older ransomware like **Reveton** locks screens instead of encrypting files. They display a full screen image and then disable Task Manager. The files are safe, but they are effectively inaccessible. The image usually contains a message claiming to be from law enforcement that says the computer has been used in illegal cybercriminal activities and fine needs to be paid. Because of this, Reveton is nicknamed "Police Trojan" or "Police ransomware".
Ransomware like **Cerber** and **Locky** search for and encrypt specific file types, typically document and media files. When the encryption is complete, the malware leaves a ransom note using text, image, or an HTML file with instructions to pay a ransom to recover files.
**Bad Rabbit** ransomware was discovered attempting to spread across networks using hardcoded usernames and passwords in brute force attacks.
## How to protect against ransomware
Organizations can be targeted specifically by attackers, or they can be caught in the wide net cast by cybercriminal operations. Large organizations are high value targets and attackers can demand bigger ransoms.
We recommend:
* Back up important files regularly. Use the 3-2-1 rule. Keep three backups of your data, on two different storage types, and at least one backup offsite.
* Apply the latest updates to your operating systems and apps.
* Educate your employees so they can identify social engineering and spear-phishing attacks.
* [Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard). It can stop ransomware from encrypting files and holding the files for ransom.
For more general tips, see [prevent malware infection](prevent-malware-infection.md).
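
Review bot: Under "We recommend:", the last bullet opens with the bare link "[Controlled folder access](...)." while the other three bullets start with an imperative (Back up, Apply, Educate); it needs a verb such as "Enable" so it reads as an action. The 3-2-1 rule is also worded differently here ("two different storage types", "one backup offsite") than in the prevent-malware-infection topic this page links to ("at least 2 locations", "1 offline copy"); pick one definition and use it in both places. In "How ransomware works", "files, folders, entire hard drive partitions" is missing "and", and in the Reveton paragraph "and fine needs to be paid" is missing "a".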

View File

@ -0,0 +1,59 @@
---
title: Rootkits
description: Learn about rootkits, how they hide malware on your device, and what you can do to protect yourself.
keywords: security, malware, rootkit, hide, protection, hiding
ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 08/17/2018
---
# Rootkits
Malware authors use rootkits to hide malware on your device, allowing malware to persist as long as possible. A successful rootkit can potentially remain in place for years if it is undetected. During this time it will steal information and resources.
## How rootkits work
Rootkits intercept and change standard operating system processes. After a rootkit infects a device, you cant trust any information that device reports about itself.
For example, if you were to ask a device to list all of the programs that are running, the rootkit might stealthily remove any programs it doesnt want you to know about. Rootkits are all about hiding things. They want to hide both themselves and their malicious activity on a device.
Many modern malware families use rootkits to try and avoid detection and removal, including:
* [Alureon](http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32%2fAlureon)
* [Cutwail](http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32%2fCutwail)
* [Datrahere](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win64/Detrahere) (Zacinlo)
* [Rustock](http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32%2fRustock)
* [Sinowal](http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32%2fSinowal)
* [Sirefef](http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32%2fSirefef)
## How to protect against rootkits
Like any other type of malware, the best way to avoid rootkits is to prevent it from being installed in the first place.
* Apply the latest updates to operating systems and apps.
* Educate your employees so they can be wary of suspicious websites and emails.
* Back up important files regularly. Use the 3-2-1 rule. Keep three backups of your data, on two different storage types, and at least one backup offsite.
For more general tips, see [prevent malware infection](prevent-malware-infection.md).
### What if I think I have a rootkit on my device?
Microsoft security software includes a number of technologies designed specifically to remove rootkits. If you think you might have a rootkit on your device and your antimalware software isnt detecting it, you might need an extra tool that lets you boot to a known trusted environment.
[Windows Defender Offline](http://windows.microsoft.com/windows/what-is-windows-defender-offline) can be launched from Windows Security Center and has the latest anti-malware updates from Microsoft. Its designed to be used on devices that aren't working correctly due to a possible malware infection.
[System Guard](https://cloudblogs.microsoft.com/microsoftsecure/2017/10/23/hardening-the-system-and-maintaining-integrity-with-windows-defender-system-guard/) in Windows 10 protects against rootkits and threats that impact system integrity.
### What if I cant remove a rootkit?
If the problem persists, we strongly recommend reinstalling the operating system and security software. You should then restore your data from a backup.
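
Review bot: In the malware family list, the link text reads "Datrahere" but the URL it points to names the threat Trojan:Win64/Detrahere; one of the two spellings is wrong, and the text should match the encyclopedia entry. The other five entries in that list use http:// links to the older security/portal encyclopedia paths while this one uses https and the wdsi path; move them all to the https form. "the best way to avoid rootkits is to prevent it from being installed" should be "prevent them", and the contractions ("cant", "doesnt", "isnt", "Its") show no apostrophe in this rendering, so check that the source file uses plain ASCII apostrophes.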

View File

@ -0,0 +1,43 @@
---
title: Microsoft Safety Scanner Download
description: Get the Microsoft Safety Scanner tool to find and remove malware from Windows computers.
keywords: security, malware
ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: high
ms.author: dansimp
author: dansimp
ms.date: 08/01/2018
---
# Microsoft Safety Scanner
Microsoft Safety Scanner is a scan tool designed to find and remove malware from Windows computers. Simply download it and run a scan to find malware and try to reverse changes made by identified threats.
- [Download 32-bit](https://go.microsoft.com/fwlink/?LinkId=212733)
- [Download 64-bit](https://go.microsoft.com/fwlink/?LinkId=212732)
Safety Scanner only scans when manually triggered and is available for use 10 days after being downloaded. We recommend that you always download the latest version of this tool before each scan.
> **NOTE:** This tool does not replace your antimalware product. For real-time protection with automatic updates, use [Windows Defender Antivirus on Windows 10 and Windows 8](https://www.microsoft.com/en-us/windows/windows-defender) or [Microsoft Security Essentials on Windows 7](https://support.microsoft.com/en-us/help/14210/security-essentials-download). These antimalware products also provide powerful malware removal capabilities. If you are having difficulties removing malware with these products, you can refer to our help on [removing difficult threats](https://www.microsoft.com/en-us/wdsi/help/troubleshooting-infection).
## System requirements
Safety Scanner helps remove malicious software from computers running Windows 10, Windows 10 Tech Preview, Windows 8.1, Windows 8, Windows 7, Windows Server 2016, Windows Server Tech Preview, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008. Please refer to the [Microsoft Lifecycle Policy](https://support.microsoft.com/en-us/lifecycle).
## How to run a scan
1. Download this tool and open it.
2. Select the type of scan you want run and start the scan.
3. Review the scan results displayed on screen. The tool lists all identified malware.
To remove this tool, delete the executable file (msert.exe by default).
For more information about the Safety Scanner, see the support article on [how to troubleshoot problems using Safety Scanner](https://support.microsoft.com/en-us/kb/2520970).
## Related resources
- [Troubleshooting Safety Scanner](https://support.microsoft.com/en-us/kb/2520970)
- [Windows Defender Antivirus](https://www.microsoft.com/en-us/windows/windows-defender)
- [Microsoft Security Essentials](https://support.microsoft.com/en-us/help/14210/security-essentials-download)
- [Removing difficult threats](https://www.microsoft.com/en-us/wdsi/help/troubleshooting-infection)
- [Submit file for malware analysis](https://www.microsoft.com/en-us/wdsi/filesubmission)
- [Microsoft antimalware and threat protection solutions](https://www.microsoft.com/en-us/wdsi/products)
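
Review bot: "is available for use 10 days after being downloaded" reads as if the tool only becomes usable ten days after download; the following sentence (download the latest version before each scan) suggests the intent is that it expires, so write "for 10 days after being downloaded" or state the expiry explicitly. In "How to run a scan", step 2 is missing "to" in "the type of scan you want run". The "System requirements" paragraph ends with "Please refer to the Microsoft Lifecycle Policy." without saying what the reader should check there, and "Troubleshooting Safety Scanner" in "Related resources" repeats the KB link given in the sentence just above it.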

View File

@ -0,0 +1,76 @@
---
title: How Microsoft identifies malware and potentially unwanted applications
description: criteria
keywords: security, malware
ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 08/01/2018
---
# Submit files for analysis
If you have a file that you suspect might be malware or is being incorrectly detected, you can submit it to us for analysis. This page has answers to some common questions about submitting a file for analysis.
## How do I send a malware file to Microsoft?
You can send us files that you think might be malware or files that have been incorrectly detected through the [sample submission portal](https://www.microsoft.com/wdsi/filesubmission).
We receive a large number of samples from many sources. Our analysis is prioritized by the number of file detections and the type of submission. You can help us complete a quick analysis by providing detailed information about the product you were using and what you were doing when you found the file.
If you sign in before you submit a sample, you will be able to track your submissions.
## Can I send a sample by email?
No, we only accept submissions through our [sample submission portal](https://www.microsoft.com/wdsi/filesubmission).
## Can I submit a sample without signing in?
Yes, you many submit a file as an anonymous home customer. You will get a link to a webpage where you can view the status of the submission.
If you're an enterprise customer, you need to sign in so that we can prioritize your submission appropriately. If you are currently experiencing a virus outbreak or security-related incident, you should contact your designated Microsoft support professional or go to [Microsoft Support](https://support.microsoft.com/) for immediate assistance.
## What is the Software Assurance ID (SAID)?
The [Software Assurance ID (SAID)](https://www.microsoft.com/licensing/licensing-programs/software-assurance-default.aspx) is for enterprise customers to track support entitlements. The submission portal accepts and retains SAID information and allows customers with valid SAIDs to make higher priority submissions.
### How do I dispute the detection of my program?
[Submit the file](https://www.microsoft.com/wdsi/filesubmission) in question as a software developer. Wait until your submission has a final determination.
If youre not satisfied with our determination of the submission, use the developer contact form provided with the submission results to reach Microsoft. We will use the information you provide to investigate further if necessary.
We encourage all software vendors and developers to read about [how Microsoft identifies malware and unwanted software](criteria.md).
## How do I track or view past sample submissions?
You can track your submissions through the [submission history page](https://www.microsoft.com/en-us/wdsi/submissionhistory). Your submission will only appear on this page if you were signed in when you submitted it.
If youre not signed in when you submit a sample, you will be redirected to a tracking page. Bookmark this page if you want to come back and check on the status of your submission.
## What does the submission status mean?
Each submission is shown to be in one of the following status types:
* Submitted—the file has been received
* In progress—an analyst has started checking the file
* Closed—a final determination has been given by an analyst
If you are signed in, you can see the status of any files you submit to us on the [submission history page](https://www.microsoft.com/en-us/wdsi/submissionhistory).
## How does Microsoft prioritize submissions
Processing submissions take dedicated analyst resource. Because we regularly receive a large number of submissions, we handle them based on a priority. The following factors affect how we prioritize submissions:
* Prevalent files with the potential to impact large numbers of computers are prioritized.
* Authenticated customers, especially enterprise customers with valid [Software Assurance IDs (SAIDs)](https://www.microsoft.com/licensing/licensing-programs/software-assurance-default.aspx), are given priority.
* Submissions flagged as high priority by SAID holders are given immediate attention.
Your submission is immediately scanned by our systems to give you the latest determination even before an analyst starts handling your case. Note that the same file may have already been processed by an analyst. To check for updates to the determination, select rescan on the submission details page.
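
Review bot: The front matter does not describe this file: the title is "How Microsoft identifies malware and potentially unwanted applications" and the description is the single word "criteria", while the H1 and body are "Submit files for analysis". That looks copied from criteria.md and will give the page the wrong title and search description; set both to match the submission FAQ. Also, "### How do I dispute the detection of my program?" is one level deeper than the other questions and so nests under the SAID heading, "you many submit" should be "you may submit", "Processing submissions take dedicated analyst resource" needs agreement, and "How does Microsoft prioritize submissions" lacks its question mark.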

View File

@ -0,0 +1,57 @@
---
title: Supply chain attacks
description: Learn about how supply chain attacks work, deliver malware do your devices, and what you can do to protect yourself
keywords: security, malware, protection, supply chain, hide, distribute, trust, compromised
ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 08/17/2018
---
# Supply chain attacks
Supply chain attacks are an emerging kind of threat that target software developers and suppliers. The goal is to access source codes, build processes, or update mechanisms by infecting legitimate apps to distribute malware.
## How supply chain attacks work
Attackers hunt for unsecure network protocols, unprotected server infrastructures, and unsafe coding practices. They break in, change source codes, and hide malware in build and update processes.
Because software is built and released by trusted vendors, these apps and updates are signed and certified. In software supply chain attacks, vendors are likely unaware that their apps or updates are infected with malicious code when theyre released to the public. The malicious code then runs with the same trust and permissions as the app.
The number of potential victims is significant, given the popularity of some apps. A case occurred where a free file compression app was poisoned and deployed to customers in a country where it was the top utility app.
### Types of supply chain attacks
* Compromised software building tools or updated infrastructure
* Stolen code-sign certificates or signed malicious apps using the identity of dev company
* Compromised specialized code shipped into hardware or firmware components
* Pre-installed malware on devices (cameras, USB, phones, etc.)
To learn more about supply chain attacks, read this blog post called [attack inception: compromised supply chain within a supply chain poses new risks](https://cloudblogs.microsoft.com/microsoftsecure/2018/07/26/attack-inception-compromised-supply-chain-within-a-supply-chain-poses-new-risks/).
## How to protect against supply chain attacks
* Deploy strong code integrity policies to allow only authorized apps to run.
* Use endpoint detection and response solutions that can automatically detect and remediate suspicious activities.
### For software vendors and developers
* Take steps to ensure your apps are not compromised.
* Maintain a secure and up-to-date infrastructure. Restrict access to critical build systems.
* Immediately apply security patches for OS and software.
* Require multi-factor authentication for admins.
* Build secure software update processes as part of the software development lifecycle.
* Develop an incident response process for supply chain attacks.
For more general tips on protecting your systems and devices, see [prevent malware infection](prevent-malware-infection.md).
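
Review bot: Under "Types of supply chain attacks", "Compromised software building tools or updated infrastructure" most likely means "update infrastructure", matching "update mechanisms" and "build and update processes" earlier in the file; as written it says the infrastructure was updated, not that the update channel was compromised. The front matter description has "deliver malware do your devices" (should be "to your devices") and lacks a final period. In the same list, "using the identity of dev company" should spell out "the developer's company" or similar.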

View File

@ -0,0 +1,63 @@
---
title: Tech Support Scams
description: Learn about how supply chain attacks work, deliver malware do your devices, and what you can do to protect yourself
keywords: security, malware, tech support, scam, protection, trick, spoof, fake, error messages, report
ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 08/17/2018
---
# Tech support scams
Tech support scams are an industry-wide issue where scammers use scare tactics to trick users into paying for unnecessary technical support services that supposedly fix contrived device, platform, or software problems.
## How tech support scams work
Scammers may call you directly on your phone and pretend to be representatives of a software company. They might even spoof the caller ID so that it displays a legitimate support phone number from a trusted company. They can then ask you to install applications that give them remote access to your device. Using remote access, these experienced scammers can misrepresent normal system output as signs of problems.
Scammers might also initiate contact by displaying fake error messages on websites you visit, displaying support numbers and enticing you to call. They can also put your browser on full screen and display pop-up messages that won't go away, essentially locking your browser. These fake error messages aim to trick you into calling an indicated technical support hotline. Note that Microsoft error and warning messages never include phone numbers.
When you engage with the scammers, they can offer fake solutions for your “problems” and ask for payment in the form of a one-time fee or subscription to a purported support service.
**For more information, view [known tech support scam numbers and popular web scams](https://support.microsoft.com/en-us/help/4013405/windows-protect-from-tech-support-scams).**
## How to protect against tech support scams
Share and implement the general tips on how to [prevent malware infection](prevent-malware-infection.md).
It is also important to keep the following in mind:
* Microsoft does not send unsolicited email messages or make unsolicited phone calls to request personal or financial information, or to fix your computer.
* Any communication with Microsoft has to be initiated by you.
* Dont call the number in the pop-ups. Microsofts error and warning messages never include a phone number.
* Download software only from official vendor websites or the Microsoft Store. Be wary of downloading software from third-party sites, as some of them might have been modified without the authors knowledge to bundle support scam malware and other threats.
* Use [Microsoft Edge](https://www.microsoft.com/windows/microsoft-edge) when browsing the internet. It blocks known support scam sites using Windows Defender SmartScreen (which is also used by Internet Explorer). Furthermore, Microsoft Edge can stop pop-up dialogue loops used by these sites.
* Enable Enable [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) in Windows 10. It detects and removes known support scam malware.
## What to do if information has been given to a tech support person
* Uninstall applications that scammers asked to be install. If access has been granted, consider resetting the device
* Run a full scan with Windows Defender Antivirus to remove any malware. Apply all security updates as soon as they are available.
* Change passwords.
* Call your credit card provider to reverse the charges, if you have already paid.
* Monitor anomalous logon activity. Use Windows Defender Firewall to block traffic to services that you would not normally access.
### Reporting tech support scams
Help Microsoft stop scammers, whether they claim to be from Microsoft or from another tech company, by reporting tech support scams:
**www.microsoft.com/reportascam**
You can also report any **unsafe website** that you suspect is a phishing website or contains malicious content directly to Microsoft by filling out a [Report an unsafe site form](https://www.microsoft.com/en-us/wdsi/support/report-unsafe-site) or using built in web browser functionality.
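
Review bot: The front matter description is the supply chain one ("Learn about how supply chain attacks work, deliver malware do your devices, ...") under a title of "Tech Support Scams"; replace it with a description of tech support scams. In the protection list, "Enable Enable [Windows Defender Antivirus]" repeats the verb. In the first bullet of "What to do if information has been given to a tech support person", "asked to be install" should be "asked you to install" and the bullet is missing its final period. The report address is bold plain text (**www.microsoft.com/reportascam**) rather than a link, unlike the unsafe-site form in the next sentence.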

View File

@ -0,0 +1,42 @@
---
title: Trojan malware
description: Learn about how trojans work, deliver malware do your devices, and what you can do to protect yourself.
keywords: security, malware, protection, trojan, download, file, infection
ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 08/17/2018
---
# Trojans
Trojans are a common type of malware which, unlike viruses, cant spread on their own. This means they either have to be downloaded manually or another malware needs to download and install them.
Trojans often use the same file names as real and legitimate apps. It is easy to accidentally download a trojan thinking that it is a legitimate app.
## How trojans work
Trojans can come in many different varieties, but generally they do the following:
- Download and install other malware, such as viruses or [worms](worms-malware.md).
- Use the infected device for click fraud.
- Record keystrokes and websites visited.
- Send information about the infected device to a malicious hacker including passwords, login details for websites, and browsing history.
- Give a malicious hacker control over the infected device.
## How to protect against trojans
Use the following free Microsoft software to detect and remove it:
- [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) for Windows 10 and Windows 8.1, or [Microsoft Security Essentials](https://www.microsoft.com/download/details.aspx?id=5201) for previous versions of Windows.
- [Microsoft Safety Scanner](https://www.microsoft.com/wdsi/products/scanner)
For more general tips, see [prevent malware infection](prevent-malware-infection.md).
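
Review bot: "How to protect against trojans" opens with "Use the following free Microsoft software to detect and remove it:", where "it" has no antecedent, and the section then covers only detection and removal with nothing preventive, even though the intro says trojans are downloaded manually under the file names of legitimate apps. Reword to "detect and remove trojans" and add the download-source advice the tech support scam and unwanted software topics in this commit already give (official vendor websites or the Microsoft Store). The front matter description also carries the "deliver malware do your devices" typo.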

View File

@ -0,0 +1,39 @@
---
title: Understanding malware & other threats
description: Learn about the different types of malware, how they work, and what you can do to protect yourself.
keywords: security, malware
ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 08/17/2018
---
# Understanding malware & other threats
Malware is a term used to describe malicious applications and code that can cause damage and disrupt normal use of devices. Malware can allow unauthorized access, use system resources, steal passwords, lock you out of your computer and ask for ransom, and more.
Cybercriminals that distribute malware are often motivated by money and will use infected computers to launch attacks, obtain banking credentials, collect information that can be sold, sell access to computing resources, or extort payment from victims.
As criminals become more sophisticated with their attacks, Microsoft is here to help. Windows 10 is the most secure version of Windows yet and includes many features to help protect you whether you're at home, at work, or on the go. With Windows Defender Advanced Threat Protection (Windows Defender ATP), businesses can stay protected with next-generation protection and other security capabilities.
For good general tips, check out the [prevent malware infection](prevent-malware-infection.md) topic.
There are many types of malware, including:
- [Coin miners](coinminer-malware.md)
- [Exploits and exploit kits](exploits-malware.md)
- [Macro malware](macro-malware.md)
- [Phishing](phishing.md)
- [Ransomware](ransomware-malware.md)
- [Rootkits](rootkits-malware.md)
- [Supply chain attacks](supply-chain-malware.md)
- [Tech support scams](support-scams.md)
- [Trojans](trojans-malware.md)
- [Unwanted software](unwanted-software.md)
- [Worms](worms-malware.md)
Keep up with the latest malware news and research. Check out our [Windows security blogs](http://aka.ms/wdsecurityblog) and follow us on [Twitter](https://twitter.com/wdsecurity) for the latest news, discoveries, and protections.
Learn more about [Windows security](https://docs.microsoft.com/en-us/windows/security/index).
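
Review bot: "There are many types of malware, including:" introduces a list that contains Phishing, Supply chain attacks and Tech support scams, which are delivery methods or scams rather than malware types; the page title already says "malware & other threats", so word the lead-in to match, for example "types of malware and related threats". The Windows security blogs link uses http://aka.ms/wdsecurityblog and should be https. The closing docs link includes the /en-us/ locale segment that other docs.microsoft.com links in this commit omit.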

View File

@ -0,0 +1,60 @@
---
title: Unwanted software
description: Learn about how unwanted software changes your default settings without your consent and what you can do to protect yourself.
keywords: security, malware, protection, unwanted, software, alter, infect
ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 08/17/2018
---
# Unwanted software
Unwanted software are programs that alter the Windows experience without your consent or control. This can take the form of modified browsing experience, lack of control over downloads and installation, misleading messages, or unauthorized changes to Windows settings.
## How unwanted software works
Unwanted software can be introduced when a user searches for and downloads applications from the internet. Some applications are software bundlers, which means that they are packed with other applications. As a result, other programs can be inadvertently installed when the original application is downloaded.
Here are some indications of unwanted software:
- There are programs that you did not install and that may be difficult to uninstall
- Browser features or settings have changed, and you cant view or modify them
- There are excessive messages about your device's health or about files and programs
- There are ads that cannot be easily closed
Some indicators are harder to recognize because they are less disruptive, but are still unwanted. For example, unwanted software can modify web pages to display specific ads, monitor browsing activities, or remove control of the browser.
Microsoft uses an extensive [evaluation criteria](https://www.microsoft.com/wdsi/antimalware-support/malware-and-unwanted-software-evaluation-criteria) to identify unwanted software.
## How to protect against unwanted software
To prevent unwanted software infection, download software only from official websites, or from the Microsoft Store. Be wary of downloading software from third-party sites.
Use [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/index) when browsing the internet. Microsoft Edge includes additional protections that effectively block browser modifiers that can change your browser settings. Microsoft Edge also blocks known websites hosting unwanted software using [SmartScreen](https://docs.microsoft.com/en-us/microsoft-edge/deploy/index) (also used by Internet Explorer).
Enable [Windows Defender AV](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) in Windows 10. It provides real-time protection against threats and detects and removes known unwanted software.
Download [Microsoft Security Essentials](https://www.microsoft.com/download/details.aspx?id=5201) for real-time protection in Windows 7 or Windows Vista.
For more general tips, see [prevent malware infection](prevent-malware-infection.md).
### What should I do if my device is infected?
If you suspect that you have unwanted software, you can [submit files for analysis](https://www.microsoft.com/wdsi/filesubmission).
Some unwanted software adds uninstallation entries, which means that you can **remove them using Settings**.
1. Select the Start button
2. Go to **Settings > Apps > Apps & features**.
3. Select the app you want to uninstall, then click **Uninstall**.
If you only recently noticed symptoms of unwanted software infection, consider sorting the apps by install date, and then uninstall the most recent apps that you did not install.
You may also need to **remove browser add-ons** in your browsers, such as Internet Explorer, Firefox, or Chrome.
In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://www.microsoft.com/wdsi/help/troubleshooting-infection).
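Review bot: In "How to protect against unwanted software", the SmartScreen link targets https://docs.microsoft.com/en-us/microsoft-edge/deploy/index, the same Microsoft Edge deployment index that the "Microsoft Edge" link in the same paragraph already points to, so a reader who follows it finds nothing about SmartScreen. Point it at the SmartScreen documentation and drop the hard-coded en-us segment, which the other docs.microsoft.com links in this file omit. Smaller items: "you cant view or modify them" is missing its apostrophe, "an extensive evaluation criteria" should lose the article, and step 1 "Select the Start button" lacks the period that steps 2 and 3 have.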

View File

@ -0,0 +1,51 @@
---
title: Virus Information Alliance
description: Information and criteria regarding VIA
keywords: security, malware
ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 07/12/2018
---
# Virus Information Alliance
The Virus Information Alliance (VIA) is a public antimalware collaboration program for security software providers, security service providers, antimalware testing organizations, and other organizations involved in fighting cybercrime.
Members of the VIA program collaborate by exchanging technical information on malicious software with Microsoft, with the goal of improving protection for Microsoft customers.
## Better protection for customers against malware
The VIA program gives members access to information that will help improve protection for Microsoft customers. For example, the program provides malware telemetry and samples to security product teams to identify gaps in their protection and prioritize new threat coverage.
Malware prevalence data is provided to antimalware testers to assist them in selecting sample sets and setting scoring criteria that represent the real-world threat landscape. Service organizations, such as a CERT, can leverage our data to help assess the impact of policy changes or to help shut down malicious activity.
Microsoft is committed to continuous improvement to help reduce the impact of malware on customers. By sharing malware-related information, Microsoft enables members of this community to work towards better protection for customers.
## Becoming a member of VIA
Microsoft has well-defined, objective, measurable, and tailored membership criteria for prospective members of the Virus Information Alliance (VIA). The criteria is designed to ensure that Microsoft is able to work with security software providers, security service providers, antimalware testing organizations, and other organizations involved in the fight against cybercrime to protect a broad range of customers.
Members will receive information to facilitate effective malware detection, deterrence, and eradication. This includes technical information on malware as well as metadata on malicious activity. Information shared through VIA is governed by the VIA membership agreement and a Microsoft non-disclosure agreement, where applicable.
VIA has an open enrollment for potential members.
### Initial selection criteria
To be eligible for VIA your organization must:
1. Be willing to sign a non-disclosure agreement with Microsoft.
2. Fit into one of the following categories:
* Your organization develops antimalware technology that can run on Windows and your organizations product is commercially available.
* Your organization provides security services to Microsoft customers or for Microsoft products.
* Your organization publishes antimalware testing reports on a regular basis.
* Your organization has a research or response team dedicated to fighting malware to protect your organization, your customers, or the general public.
3. Be willing to sign and adhere to the VIA membership agreement.
If your organization wants to apply and meets this criteria, you can apply using our [membership application form](http://www.microsoft.com/security/portal/partnerships/apply.aspx).
If you have any questions, you can also contact us using our [partnerships contact form](http://www.microsoft.com/security/portal/partnerships/contactus.aspx).
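Review bot: The two links that close this file, the membership application form and the partnerships contact form, are written as http:// URLs, and both lead to forms where an applicant enters organization details. Link them as https:// if the portal serves those pages over TLS. Wording: "your organizations product" in the first category bullet needs an apostrophe, and "The criteria is designed" and "meets this criteria" should read "The criteria are designed" and "meets these criteria".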

View File

@ -0,0 +1,57 @@
---
title: Microsoft Virus Initiative
description: Information and criteria regarding MVI
keywords: security, malware
ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 07/12/2018
---
# Microsoft Virus Initiative
The Microsoft Virus Initiative (MVI) helps organizations to get their products working and integrated with Windows.
Like the [Virus Information Alliance (VIA)](virus-information-alliance-criteria.md) and the [Coordinated Malware Eradication (CME) program](coordinated-malware-eradication.md), MVI aims to share information about the threat landscape that can help your organization protect its customers.
MVI members will receive access to Windows APIs (such as those used by Windows Defender Security Center, IOAV, AMSI and Cloud Files), malware telemetry and samples, and invitations to security related events and conferences.
MVI adds to VIA by requiring members to develop and own antimalware technology, and to be present in the antimalware industry community.
## Join MVI
A request for membership is made by an individual as a representative of an organization that develops and produces antimalware or antivirus technology.
The base criteria for MVI membership are the same as for VIA, but your organization must also offer an antimalware or antivirus product.
### Initial selection criteria
Your organization must meet the following eligibility requirements to participate in the MVI program:
1. Offer an antimalware or antivirus product that is one of the following:
* Your organization's own creation.
* Licensed from another organization, but your organization adds value such as additional definitions to its signatures.
* Developed by using an SDK (engine and other components) from another MVI Partner AM company and your organization adds a custom UI and/or other functionality (white box versions).
2. Have your own malware research team unless you distribute a Whitebox product.
3. Be active and have a positive reputation in the antimalware industry. Your organization is:
* Certified through independent testing by an industry standard organization such as [ICSA Labs](https://www.icsalabs.com/), [West Coast Labs](http://www.westcoastlabs.com/), [PCSL IT Consulting Institute](https://www.pitci.net/), or [SKD Labs](http://www.skdlabs.com/html/english/).
* Be active in the antimalware industry. For example, participate in industry conferences, be reviewed in an industry standard report such as AV Comparatives, OPSWAT or Gartner.
4. Be willing to sign a non-disclosure agreement (NDA) with Microsoft.
5. Be willing to sign a program license agreement.
6. Be willing to adhere to program requirements for AM apps. These requirements define the behavior of AM apps necessary to ensure proper interaction with Windows.
7. Submit your AM app to Microsoft for periodic performance testing.
### Apply to MVI
If your organization wants to apply and meets this criteria, you can apply using our [membership application form](http://www.microsoft.com/security/portal/partnerships/apply.aspx).
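Review bot: Item 3 of the initial selection criteria does not parse as a list: the lead-in "Your organization is:" is followed by a second bullet that begins "Be active in the antimalware industry", which does not complete the sentence and repeats item 3's own "Be active and have a positive reputation". Reword both bullets to follow the lead-in and state whether certification and industry activity are both required or either is enough. Also settle on one spelling for "white box versions" (item 1) and "Whitebox product" (item 2), expand "AM" on first use ("MVI Partner AM company", "AM apps"), and note that the application form link and the West Coast Labs and SKD Labs links are http://.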

View File

@ -0,0 +1,48 @@
---
title: Worms
description: Learn about worms, how they infect devices, and what you can do to protect yourself.
keywords: security, malware, protection, worm, vulnerabilities, infect, steal, Jenxcus, Gamarue, Bondat, WannaCrypt
ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 08/17/2018
---
# Worms
A worm is a type of malware that can copy itself and often spreads through a network by exploiting security vulnerabilities. It can spread through email attachments, text messages, file-sharing programs, social networking sites, network shares, removable drives, and software vulnerabilities.
## How worms work
Worms represent a large category of malware. Different worms use different methods to infect devices. Depending on the variant, they can steal sensitive information, change security settings, send information to malicious hackers, stop users from accessing files, and other malicious activities.
Jenxcus (also known as Dunihi), Gamarue (also known as Androm), and Bondat have consistently remained at the top of the list of malware that infect users running Microsoft security software. Although these worms share some commonalities, it is interesting to note that they also have distinct characteristics.
* **Jenxcus** has capabilities of not only infecting removable drives but can also act as a backdoor that connects back to its server. This threat typically gets into a device from a drive-by download attack, meaning it's installed when users just visit a compromised web page.
* **Gamarue** typically arrives through spam campaigns, exploits, downloaders, social networking sites, and removable drives. When Gamarue infects a device, it becomes a distribution channel for other malware. Weve seen it distribute other malware such as infostealers, spammers, clickers, downloaders, and rogues.
* **Bondat** typically arrives through fictitious Nullsoft Sciptable Install System (NSIS) Java installers and removable drives. When Bondat infects a system, it gathers information about the machine such as device name, Globally Unique Identifier (GUID), and OS build. It then sends that information to a remote server.
Both Bondat and Gamarue have clever ways of obscuring themselves to evade detection. By hiding what they are doing, they try to avoid detection by security software.
* [**WannaCrypt**](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/WannaCrypt) also deserves a mention here. Unlike older worms that often spread just because they could, modern worms often spread to drop a payload (e.g. ransomware).
This image shows how a worm can quickly spread through a shared USB drive.
![Worm example](./images/WormUSB_flight.png)
### *Figure worm spreading from a shared USB drive*
## How to protect against worms
Enable [Windows Defender AV](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) in Windows 10. It provides real-time protection against threats and detects and removes known unwanted software.
Download [Microsoft Security Essentials](https://www.microsoft.com/download/details.aspx?id=5201) for real-time protection in Windows 7 or Windows Vista.
In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://www.microsoft.com/wdsi/help/troubleshooting-infection).
For more general tips, see [prevent malware infection](prevent-malware-infection.md).
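Review bot: Under "How to protect against worms", the Windows Defender AV sentence says it "detects and removes known unwanted software", which is word for word the sentence used on the unwanted software page and never mentions worms. Reword it for this threat type, and consider adding guidance that matches the spread vectors the introduction lists (software vulnerabilities, removable drives, network shares), since the section currently offers only antivirus links. In "How worms work", the WannaCrypt bullet sits after the paragraph about Bondat and Gamarue, detached from the list it belongs to, and does not say how WannaCrypt spreads. Typos: "Weve seen it" and "Nullsoft Sciptable Install System" (should be "Scriptable"). The figure caption is marked up as a level 3 heading ("### *Figure worm spreading ...*"), which will put it in the page outline.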

View File

@ -21,6 +21,7 @@
### [Deploy WDAC with Intelligent Security Graph (ISG)](use-windows-defender-application-control-with-intelligent-security-graph.md) ### [Deploy WDAC with Intelligent Security Graph (ISG)](use-windows-defender-application-control-with-intelligent-security-graph.md)
### [Deploy WDAC policies using Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md) ### [Deploy WDAC policies using Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md)
### [Deploy WDAC policies using Intune](deploy-windows-defender-application-control-policies-using-intune.md) ### [Deploy WDAC policies using Intune](deploy-windows-defender-application-control-policies-using-intune.md)
### [Use WDAC with .NET hardening](use-windows-defender-application-control-with-dynamic-code-security.md)
### [Use code signing to simplify application control for classic Windows applications](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md) ### [Use code signing to simplify application control for classic Windows applications](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md)
#### [Optional: Use the Device Guard Signing Portal in the Microsoft Store for Business](use-device-guard-signing-portal-in-microsoft-store-for-business.md) #### [Optional: Use the Device Guard Signing Portal in the Microsoft Store for Business](use-device-guard-signing-portal-in-microsoft-store-for-business.md)
#### [Optional: Create a code signing cert for WDAC](create-code-signing-cert-for-windows-defender-application-control.md) #### [Optional: Create a code signing cert for WDAC](create-code-signing-cert-for-windows-defender-application-control.md)
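Review bot: The added TOC entry is titled "Use WDAC with .NET hardening", but the file it links to is use-windows-defender-application-control-with-dynamic-code-security.md and the page describes the feature as Dynamic Code Security, which is also the policy option name. Someone scanning the TOC for the option name will not find it; consider a title such as "Use WDAC with .NET hardening (Dynamic Code Security)" so the entry, file name and page agree.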

View File

@ -0,0 +1,32 @@
---
title: Windows Defender Application Control and .NET Hardening (Windows 10)
description: Dynamic Code Security is an application control feature that can verify code loaded by .NET at runtime.
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: morganbr
ms.date: 08/20/2018
---
# Windows Defender Application Control and .NET hardening
Historically, Windows Defender Application Control (WDAC) has restricted the set of applications, libraries, and scripts that are allowed to run to those approved by an organization.
Security researchers have found that some .NET applications may be used to circumvent those controls by using .NETs capabilities to load libraries from external sources or generate new code on the fly.
Beginning with Windows 10, version 1803, WDAC features a new capability, called *Dynamic Code Security* to verify code loaded by .NET at runtime.
When the Dynamic Code Security option is enabled, WDAC policy is applied to libraries that .NET loads from external sources.
Additionally, it detects tampering in code generated to disk by .NET and blocks loading code that has been tampered with.
Dynamic Code Security is not enabled by default because existing policies may not account for externally loaded libraries.
Additionally, a small number of .NET loading features, including loading unsigned assemblies built with System.Reflection.Emit, are not currently supported with Dynamic Code Security enabled.
Microsoft recommends testing Dynamic Code Security in audit mode before enforcing it to discover whether any new libraries should be included in the policy.
To enable Dynamic Code Security, add the following option to the <Rules> section of your policy:
```xml
<Rule>
<Option>Enabled:Dynamic Code Security</Option>
</Rule>
```
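Review bot: In the sentence that introduces the snippet, `<Rules>` is written as a bare tag outside code formatting, so a Markdown renderer can treat it as HTML and drop it, leaving "to the section of your policy". Put it in backticks. The page recommends testing Dynamic Code Security in audit mode before enforcing it, but gives no link or step for putting a policy in audit mode or for finding the resulting audit results, which is the part an administrator needs in order to act on the recommendation. Typo and punctuation: ".NETs capabilities" needs an apostrophe, and "called *Dynamic Code Security* to verify" needs a comma after the feature name.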