diff --git a/windows/client-management/mdm/multisim-csp.md b/windows/client-management/mdm/multisim-csp.md
index 9467b896ff..5453323c70 100644
--- a/windows/client-management/mdm/multisim-csp.md
+++ b/windows/client-management/mdm/multisim-csp.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 02/27/2018
+ms.date: 03/22/2018
---
# MultiSIM CSP
@@ -30,9 +30,13 @@ Node representing a Mobile Broadband Modem. The node name is the modem ID. Modem
**_ModemID_/Identifier**
Modem ID.
+Supported operation is Get. Value type is string.
+
**_ModemID_/IsEmbedded**
Indicates whether this modem is embedded or external.
+Supported operation is Get. Value type is bool.
+
**_ModemID_/Slots**
Represents all SIM slots in the Modem.
@@ -42,17 +46,110 @@ Node representing a SIM Slot. The node name is the Slot ID. SIM Slot ID format i
**_ModemID_/Slots/_SlotID_/Identifier**
Slot ID.
+Supported operation is Get. Value type is integer.
+
**_ModemID_/Slots/_SlotID_/IsEmbedded**
Indicates whether this Slot is embedded or a physical SIM slot.
+Supported operation is Get. Value type is bool.
+
**_ModemID_/Slots/_SlotID_/IsSelected**
Indicates whether this Slot is selected or not.
+Supported operation is Get and Replace. Value type is bool.
+
**_ModemID_/Slots/_SlotID_/State**
Slot state (Unknown = 0, OffEmpty = 1, Off = 2, Empty = 3, NotReady = 4, Active = 5, Error = 6, ActiveEsim = 7, ActiveEsimNoProfile = 8)
+Supported operation is Get. Value type is integer.
+
**_ModemID_/Policies**
Policies associated with the Modem.
**_ModemID_/Policies/SlotSelectionEnabled**
-Determines whether the user is allowed to change slots in the Cellular settings UI. Default is true.
\ No newline at end of file
+Determines whether the user is allowed to change slots in the Cellular settings UI. Default is true.
+
+Supported operation is Get and Replace. Value type is bool.
+
+## Examples
+
+Get modem
+``` syntax
+
+
+
+ 1
+ -
+
+
+ ./Vendor/MSFT/MultiSIM
+
+
+
+
+
+
+
+```
+
+Get slots
+``` syntax
+
+
+
+ 1
+ -
+
+
+ ./Vendor/MSFT/MultiSIM/Embedded/Slots
+
+
+
+
+
+
+
+```
+
+Get slot state
+``` syntax
+
+
+
+ 1
+ -
+
+
+ ./Vendor/MSFT/MultiSIM/Embedded/Slots/Embedded/State
+
+
+
+
+
+
+
+```
+
+Select slot
+``` syntax
+
+
+
+ 1
+ -
+
+
+ ./Vendor/MSFT/MultiSIM/Embedded/Slots/0/IsSelected
+
+
+
+ bool
+ text/plain
+
+ true
+
+
+
+
+
+```
\ No newline at end of file
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
index 5904341127..af947d4d1e 100644
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@@ -1671,11 +1671,19 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
InternetExplorer/AllowSiteToZoneAssignmentList - updated the description and added an example SyncML
TextInput/AllowIMENetworkAccess - introduced new suggestion services in Japanese IME in addition to cloud suggestion.
+Added a new section:
+
+- [Policies supported by GP](policy-configuration-service-provider.md#policies-supported-by-gp) - list of policies in Policy CSP that has corresponding Group Policy. The policy description contains the GP information, such as GP policy name and variable name.
+
| [Policy CSP - Bluetooth](policy-csp-bluetooth.md) |
Added new section [ServicesAllowedList usage guide](policy-csp-bluetooth.md#servicesallowedlist-usage-guide).
|
+
+| [MultiSIM CSP](multisim-csp.md) |
+Added SyncML examples and updated the settings descriptions.
+ |
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 914f916fa6..df4189187b 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -4462,6 +4462,42 @@ The following diagram shows the Policy configuration service provider in tree fo
- [WirelessDisplay/AllowProjectionToPC](./policy-csp-wirelessdisplay.md#wirelessdisplay-allowprojectiontopc)
- [WirelessDisplay/RequirePinForPairing](./policy-csp-wirelessdisplay.md#wirelessdisplay-requirepinforpairing)
+
+## Policies supported by Windows Holographic for Business
+
+- [Accounts/AllowMicrosoftAccountConnection](#accounts-allowmicrosoftaccountconnection)
+- [ApplicationManagement/AllowAllTrustedApps](#applicationmanagement-allowalltrustedapps)
+- [ApplicationManagement/AllowAppStoreAutoUpdate](#applicationmanagement-allowappstoreautoupdate)
+- [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock)
+- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect)
+- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising)
+- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode)
+- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename)
+- [Browser/AllowCookies](#browser-allowcookies)
+- [Browser/AllowDoNotTrack](#browser-allowdonottrack)
+- [Browser/AllowPasswordManager](#browser-allowpasswordmanager)
+- [Browser/AllowPopups](#browser-allowpopups)
+- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar)
+- [Browser/AllowSmartScreen](#browser-allowsmartscreen)
+- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)
+- [DeviceLock/AllowIdleReturnWithoutPassword](#devicelock-allowidlereturnwithoutpassword)
+- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled)
+- [Experience/AllowCortana](#experience-allowcortana)
+- [Experience/AllowManualMDMUnenrollment](#experience-allowmanualmdmunenrollment)
+- [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization)
+- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation)
+- [Security/RequireDeviceEncryption](#security-requiredeviceencryption)
+- [Settings/AllowDateTime](#settings-allowdatetime)
+- [Settings/AllowVPN](#settings-allowvpn)
+- [System/AllowLocation](#system-allowlocation)
+- [System/AllowTelemetry](#system-allowtelemetry)
+- [Update/AllowAutoUpdate](#update-allowautoupdate)
+- [Update/AllowUpdateService](#update-allowupdateservice)
+- [Update/RequireDeferUpgrade](#update-requiredeferupgrade)
+- [Update/RequireUpdateApproval](#update-requireupdateapproval)
+- [Update/UpdateServiceUrl](#update-updateserviceurl)
+
+
## Policies that can be set using Exchange Active Sync (EAS)
diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md
index c084709cd0..932edbd301 100644
--- a/windows/client-management/mdm/policy-csp-privacy.md
+++ b/windows/client-management/mdm/policy-csp-privacy.md
@@ -4493,14 +4493,6 @@ Footnote:
## Privacy policies supported by Windows Holographic for Business
- [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization)
-- [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo)
-- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps)
-- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps)
-- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps)
-- [Privacy/LetAppsRunInBackground](#privacy-letappsruninbackground)
-- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps)
-- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps)
-- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps)
diff --git a/windows/security/identity-protection/access-control/active-directory-security-groups.md b/windows/security/identity-protection/access-control/active-directory-security-groups.md
index 05ea62503f..4d1ebc58cb 100644
--- a/windows/security/identity-protection/access-control/active-directory-security-groups.md
+++ b/windows/security/identity-protection/access-control/active-directory-security-groups.md
@@ -313,217 +313,217 @@ The following tables provide descriptions of the default groups that are located
Yes |
Yes |
-
+
[Enterprise Key Admins](#bkmk-enterprise-key-admins) |
Yes |
|
|
|
-
+
[Enterprise Read-only Domain Controllers](#bkmk-entrodc) |
Yes |
Yes |
Yes |
Yes |
-
+
[Event Log Readers](#bkmk-eventlogreaders) |
Yes |
Yes |
Yes |
Yes |
-
+
[Group Policy Creator Owners](#bkmk-gpcreatorsowners) |
Yes |
Yes |
Yes |
Yes |
-
+
[Guests](#bkmk-guests) |
Yes |
Yes |
Yes |
Yes |
-
+
[Hyper-V Administrators](#bkmk-hypervadministrators) |
Yes |
Yes |
Yes |
|
-
+
[IIS_IUSRS](#bkmk-iis-iusrs) |
Yes |
Yes |
Yes |
Yes |
-
+
[Incoming Forest Trust Builders](#bkmk-inforesttrustbldrs) |
Yes |
Yes |
Yes |
Yes |
-
+
[Key Admins](#key-admins) |
Yes |
|
|
|
-
+
[Network Configuration Operators](#bkmk-networkcfgoperators) |
Yes |
Yes |
Yes |
Yes |
-
+
[Performance Log Users](#bkmk-perflogusers) |
Yes |
Yes |
Yes |
Yes |
-
+
[Performance Monitor Users](#bkmk-perfmonitorusers) |
Yes |
Yes |
Yes |
Yes |
-
+
[Pre–Windows 2000 Compatible Access](#bkmk-pre-ws2kcompataccess) |
Yes |
Yes |
Yes |
Yes |
-
+
[Print Operators](#bkmk-printoperators) |
Yes |
Yes |
Yes |
Yes |
-
+
[Protected Users](#bkmk-protectedusers) |
Yes |
Yes |
|
|
-
+
[RAS and IAS Servers](#bkmk-rasandias) |
Yes |
Yes |
Yes |
Yes |
-
+
[RDS Endpoint Servers](#bkmk-rdsendpointservers) |
Yes |
Yes |
Yes |
|
-
+
[RDS Management Servers](#bkmk-rdsmanagementservers) |
Yes |
Yes |
Yes |
|
-
+
[RDS Remote Access Servers](#bkmk-rdsremoteaccessservers) |
Yes |
Yes |
Yes |
|
-
+
[Read-only Domain Controllers](#bkmk-rodc) |
Yes |
Yes |
Yes |
Yes |
-
+
[Remote Desktop Users](#bkmk-remotedesktopusers) |
Yes |
Yes |
Yes |
Yes |
-
+
[Remote Management Users](#bkmk-remotemanagementusers) |
Yes |
Yes |
Yes |
|
-
+
[Replicator](#bkmk-replicator) |
Yes |
Yes |
Yes |
Yes |
-
+
[Schema Admins](#bkmk-schemaadmins) |
Yes |
Yes |
Yes |
Yes |
-
+
[Server Operators](#bkmk-serveroperators) |
Yes |
Yes |
Yes |
Yes |
-
+
[Storage Replica Administrators](#storage-replica-administrators) |
Yes |
|
|
|
-
+
[System Managed Accounts Group](#system-managed-accounts-group) |
Yes |
|
|
|
-
+
[Terminal Server License Servers](#bkmk-terminalserverlic) |
Yes |
Yes |
Yes |
Yes |
-
+
[Users](#bkmk-users) |
Yes |
Yes |
Yes |
Yes |
-
+
[Windows Authorization Access Group](#bkmk-winauthaccess) |
Yes |
Yes |
Yes |
Yes |
-
+
[WinRMRemoteWMIUsers_](#bkmk-winrmremotewmiusers-) |
|
Yes |
@@ -1763,8 +1763,25 @@ This security group has not changed since Windows Server 2008.
-
+### Enterprise Key Admins
+Members of this group can perform administrative actions on key objects within the forest.
+
+The Enterprise Key Admins group was introduced in Windows Server 2016.
+
+| Attribute | Value |
+|-----------|-------|
+| Well-Known SID/RID | S-1-5-21-<domain>-527 |
+| Type | Global |
+| Default container | CN=Users, DC=<domain>, DC= |
+| Default members | None |
+| Default member of | None |
+| Protected by ADMINSDHOLDER? | No |
+| Safe to move out of default container? | Yes |
+| Safe to delegate management of this group to non-Service admins? | No |
+| Default User Rights | None |
+
+
### Enterprise Read-Only Domain Controllers
Members of this group are Read-Only Domain Controllers in the enterprise. Except for account passwords, a Read-only domain controller holds all the Active Directory objects and attributes that a writable domain controller holds. However, changes cannot be made to the database that is stored on the Read-only domain controller. Changes must be made on a writable domain controller and then replicated to the Read-only domain controller.
@@ -2233,7 +2250,7 @@ The Key Admins group applies to versions of the Windows Server operating system
| Attribute | Value |
|-----------|-------|
-| Well-Known SID/RID | S-1-5-21-4195037842-338827918-94892514-526 |
+| Well-Known SID/RID | S-1-5-21-<domain>-526 |
| Type | Global |
| Default container | CN=Users, DC=<domain>, DC= |
| Default members | None |