Merge remote-tracking branch 'refs/remotes/origin/master' into msfb-12117408

windows/client-management/mdm/TOC.md

@@ -142,6 +142,7 @@
 #### [EnterpriseModernAppManagement XSD](enterprisemodernappmanagement-xsd.md)
 ### [FileSystem CSP](filesystem-csp.md)
 ### [Firewall CSP](firewall-csp.md)
+#### [Firewall DDF file](firewall-ddf-file.md)
 ### [HealthAttestation CSP](healthattestation-csp.md)
 #### [HealthAttestation DDF](healthattestation-ddf.md)
 ### [HotSpot CSP](hotspot-csp.md)

windows/client-management/mdm/configuration-service-provider-reference.md

@@ -1148,6 +1148,34 @@ The following tables show the configuration service providers support in Windows
 <!--EndSKU-->
 <!--EndCSP-->
 
+<!--StartCSP-->
+[Firewall CSP](firewall-csp.md)  
+
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>Mobile Enterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
+<!--EndCSP-->
+
 <!--StartCSP-->
 [HealthAttestation CSP](healthattestation-csp.md)  
 

windows/client-management/mdm/firewall-csp.md

@@ -217,6 +217,11 @@ The following diagram shows the Firewall configuration service provider in tree
 If not specified - a new rule is disabled by default.</p>
 <p style="margin-left: 20px">Boolean value. Supported operations are Add, Get, Replace, and Delete.</p>
 
+<a href="" id="profiles"></a>**FirewallRules_FirewallRuleName_/Profiles**
+<p style="margin-left: 20px">Specifies the profiles to which the rule belongs: Domain, Private, Public. .  See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types.</p>
+
+<p style="margin-left: 20px">Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
+
 <a href="" id="action"></a>**FirewallRules/_FirewallRuleName_/Action**
 <p style="margin-left: 20px">Specifies the action for the rule.</p>
 <p style="margin-left: 20px">Supported operation is Get.</p>
@@ -229,14 +234,43 @@ If not specified - a new rule is disabled by default.</p>
 </ul>
 <p style="margin-left: 20px">Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
 
+<a href="" id="direction"></a>**FirewallRules/_FirewallRuleName_/Direction**
+<p style="margin-left: 20px">Comma separated list. The rule is enabled based on the traffic direction as following. Supported values:</p>
+<ul>
+<li>IN - the rule applies to inbound traffic.</li>
+<li>OUT - the rule applies to outbound traffic.</li>
+<li>If not specified, the default is IN.</li>
+</ul>
+<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
+
+<a href="" id="interfacetypes"></a>**FirewallRules/FirewallRuleName/InterfaceTypes**
+<p style="margin-left: 20px">Comma separated list of interface types. Valid values:</p>
+<ul>
+<li>RemoteAccess</li>
+<li>Wireless</li>
+<li>MobileBroadband</li>
+<li>All</li>
+</ul>
+<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
+
 <a href="" id="icmptypesandcodes"></a>**FirewallRules/_FirewallRuleName_/IcmpTypesAndCodes**
 <p style="margin-left: 20px">List of ICMP types and codes separated by semicolon. "\*" indicates all ICMP types and codes.<</p>
 <p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
 
+<a href="" id="edgetraversal"></a>**FirewallRules/_FirewallRuleName_/EdgeTraversal**
+<p style="margin-left: 20px">Indicates whether edge traversal is enabled or disabled for this rule.</p>
+<p style="margin-left: 20px">The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address.</p>
+<p style="margin-left: 20px">New rules have the EdgeTraversal property disabled by default.</p>
+<p style="margin-left: 20px">Boolean value. Supported operations are Add, Get, Replace, and Delete.</p>
+
 <a href="" id="localuserauthorizedlist"></a>**FirewallRules/_FirewallRuleName_/LocalUserAuthorizedList**
 <p style="margin-left: 20px">Specifies the list of authorized local users for the app container. This is a string in Security Descriptor Definition Language (SDDL) format.</p>
 <p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
 
+<a href="" id="status"></a>**FirewallRules/_FirewallRuleName_/Status**
+<p style="margin-left: 20px">Provides information about the specific verrsion of the rule in deployment for monitoring purposes.</p>
+<p style="margin-left: 20px">Value type is string. Supported operation is Get.</p>
+
 <a href="" id="friendlyname"></a>**FirewallRules/_FirewallRuleName_/FriendlyName**
 <p style="margin-left: 20px">Specifies the friendly name of the rule. The string must not contain the "|" character.</p>
 <p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>

windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md

@@ -850,6 +850,10 @@ For details about Microsoft mobile device management protocols for Windows 10 s
 <td style="vertical-align:top"><p>Added a section describing SyncML examples of various ADMX elements.</p>
 </td></tr>
 <tr class="odd">
+<td style="vertical-align:top">[Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md)</td>
+<td style="vertical-align:top">New topic.</td>
+</tr>
+<tr class="odd">
 <td style="vertical-align:top">[Deploy and configure App-V apps using MDM](appv-deploy-and-config.md)</td>
 <td style="vertical-align:top"><p>Added a new topic describing how to deploy and configure App-V apps using MDM.</p>
 </td></tr>
@@ -1158,6 +1162,38 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
 
 ## Change history in MDM documentation
 
+### June 2017
+
+<table>
+<colgroup>
+<col width="25%" />
+<col width="75%" />
+</colgroup>
+<thead>
+<tr class="header">
+<th>New or updated topic</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr class="odd">
+<td style="vertical-align:top">[Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md)</td>
+<td style="vertical-align:top">Added a list of registry locations that ingested policies are allowed to write to.</td>
+</tr>
+<tr class="odd">
+<td style="vertical-align:top">[Firewall CSP](firewall-csp.md)</td>
+<td style="vertical-align:top">Added the following nodes:
+<ul>
+<li>Profiles</li>
+<li>Direction</li>
+<li>InterfaceTypes</li>
+<li>EdgeTraversal</li>
+<li>Status</li>
+</ul>
+Also Added [Firewall DDF file](firewall-ddf-file.md).</td></tr>
+</tbody>
+</table>
+
 ### May 2017
 
 <table>

windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md

@@ -24,8 +24,27 @@ author: nickbrower
 
 Starting in Windows 10, version 1703, you can import ADMX files (also called ADMX ingestion) and set those ADMX-backed policies for Win32 and Desktop Bridge apps by using Windows 10 Mobile Device Management (MDM) on desktop SKUs. The ADMX files that define policy information can be ingested to your device by using the Policy CSP URI, `./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`. The ingested ADMX file is then processed into MDM policies.
 
-When the ADMX policies are imported, the registry keys to which each policy is written are checked so that known system registry keys, or registry keys that are used by existing inbox policies or system components, are not overwritten. This precaution helps to avoid security concerns over opening the entire registry. Currently, the ingested policies are not allowed to write to locations within the **System**, **Software\Microsoft**, and **Software\Policies\Microsoft** keys.
+When the ADMX policies are imported, the registry keys to which each policy is written are checked so that known system registry keys, or registry keys that are used by existing inbox policies or system components, are not overwritten. This precaution helps to avoid security concerns over opening the entire registry. Currently, the ingested policies are not allowed to write to locations within the **System**, **Software\Microsoft**, and **Software\Policies\Microsoft** keys, except for the following locations:
 
+- Software\Policies\Microsoft\Office\
+- Software\Microsoft\Office\
+- Software\Microsoft\Windows\CurrentVersion\Explorer\
+- Software\Microsoft\Internet Explorer\
+- software\policies\microsoft\shared tools\proofing tools\
+- software\policies\microsoft\imejp\
+- software\policies\microsoft\ime\shared\
+- software\policies\microsoft\shared tools\graphics filters\
+- software\policies\microsoft\windows\currentversion\explorer\
+- software\policies\microsoft\softwareprotectionplatform\
+- software\policies\microsoft\officesoftwareprotectionplatform\
+- software\policies\microsoft\windows\windows search\preferences\
+- software\policies\microsoft\exchange\
+- software\microsoft\shared tools\proofing tools\
+- software\microsoft\shared tools\graphics filters\
+- software\microsoft\windows\windows search\preferences\
+- software\microsoft\exchange\
+- software\policies\microsoft\vba\security\
+- software\microsoft\onedrive 
 
 ## <a href="" id="ingesting-an-app-admx-file"></a>Ingesting an app ADMX file
 

windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md

@@ -33,7 +33,7 @@ You'll also see additional links for:
 - Reporting on Windows Defender Antivirus protection
 
 > [!IMPORTANT]
-> In most cases, Windows 10 will disable Windows Defender Antivirus if it finds another antivirus product running and up-to-date. You must disable or uninstall third-party antivirus products before Windows Defender Antivirus will be functioning. If you re-enable or install third-part antivirus products, then Windows 10 will automatically disable Windows Defender Antivirus.
+> In most cases, Windows 10 will disable Windows Defender Antivirus if it finds another antivirus product running and up-to-date. You must disable or uninstall third-party antivirus products before Windows Defender Antivirus will be functioning. If you re-enable or install third-party antivirus products, then Windows 10 will automatically disable Windows Defender Antivirus. 
 
 
 Tool|Deployment options (<a href="#fn2" id="ref2">2</a>)|Management options (network-wide configuration and policy or baseline deployment) ([3](#fn3))|Reporting options  

windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md

@@ -36,12 +36,12 @@ author: iaanw
 
 Windows Defender Antivirus is available on Windows Server 2016. In some instances it is referred to as Endpoint Protection - however, the protection engine is the same.
 
-See [Windows Defender Overview for Windows Server](https://technet.microsoft.com/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server) for more information on enabling the client interface and configuring roles and specific server features.
+See the [Windows Defender Overview for Windows Server](https://technet.microsoft.com/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server) for more information on enabling the client interface and configuring roles and specific server features.
 
 While the functionality, configuration, and management is largely the same for Windows Defender AV either on Windows 10 or Windows Server 2016, there are a few key differences:
 
 - In Windows Server 2016, [automatic exclusions](configure-server-exclusions-windows-defender-antivirus.md) are applied based on your defined Server Role.
-- In Windows Server 2016, [Windows Defender AV will not disable itself if you are running another antivirus product](windows-defender-antivirus-on-windows-server-2016.md).
+- In Windows Server 2016, Windows Defender AV will not disable itself if you are running another antivirus product.
 
 
 ## Related topics