Merge branch 'master' into vs-win10gdproverview

2025-05-15 14:57:23 +00:00 · 2017-09-12 07:12:59 -07:00 · 2017-09-12 07:12:59 -07:00 · 87802525a6
commit 87802525a6
parent 5dd4f46b60 5ac9e36612
41 changed files with 282 additions and 32 deletions
--- a/devices/surface-hub/manage-surface-hub.md
+++ b/devices/surface-hub/manage-surface-hub.md
@ -40,3 +40,6 @@ Learn about managing and updating Surface Hub.
 | [Miracast on existing wireless network or LAN](miracast-over-infrastructure.md) | You can use Miracast on your wireless network or LAN to connect to Surface Hub. |
 | [Using a room control system]( https://technet.microsoft.com/itpro/surface-hub/use-room-control-system-with-surface-hub) | Room control systems can be used with your Microsoft Surface Hub.|

+## Related topics
+
+- [View Power BI presentation mode on Surface Hub & Windows 10](https://powerbi.microsoft.com/documentation/powerbi-mobile-win10-app-presentation-mode/)
--- a/windows/application-management/TOC.md
+++ b/windows/application-management/TOC.md
@ -100,5 +100,6 @@
 #### [Viewing App-V Server Publishing Metadata](app-v/appv-viewing-appv-server-publishing-metadata.md)
 #### [Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md)
 ## [Service Host process refactoring](svchost-service-refactoring.md)
+## [Per User services in Windows](per-user-services-in-windows.md)
 ## [Deploy app upgrades on Windows 10 Mobile](deploy-app-upgrades-windows-10-mobile.md)
 ## [Change history for Application management](change-history-for-application-management.md)
--- a/windows/application-management/media/gpp-hklm.png
+++ b/windows/application-management/media/gpp-hklm.png
--- a/windows/application-management/media/gpp-per-user-services.png
+++ b/windows/application-management/media/gpp-per-user-services.png
--- a/windows/application-management/media/gpp-svc-disabled.png
+++ b/windows/application-management/media/gpp-svc-disabled.png
--- a/windows/application-management/media/gpp-svc-start.png
+++ b/windows/application-management/media/gpp-svc-start.png
--- a/windows/application-management/media/regedit-change-service-startup-type.png
+++ b/windows/application-management/media/regedit-change-service-startup-type.png
--- a/windows/application-management/per-user-services-in-windows.md
+++ b/windows/application-management/per-user-services-in-windows.md
@ -0,0 +1,169 @@
+---
+title: Per-user services in Windows 10 and Windows Server 2016
+description: Learn about per-user services introduced in Windows 10.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: mobile
+ms.author: elizapo
+author: lizap
+ms.date: 08/14/2017
+---
+
+# Per-user services in Windows 10 and Windows Server 2016
+
+Per-user services are services that are created when a user signs into Windows or Windows Server and are stopped and deleted when that user signs out. These services run in the security context of the user account - this provides better resource management than the previous approach of running these kinds of services in Explorer, associated with a preconfigured account, or as tasks. 
+
+> [!NOTE]
+> Per-user services are only in available in Windows Server if you have installed the Desktop Experience. If you are running a Server Core or Nano Server installation, you won't see these services.
+
+You can't prevent per-user services from being created, but you can configure the template service to create them in a stopped and disabled state. You do this by setting the template service's **Startup Type** to **Disabled**.
+
+> [!IMPORTANT]
+> If you change the template service's Startup Type, make sure you carefully test that change prior to rolling it out in your production environment. 
+
+Use the following information to understand per-user services, change the template service Startup Type, and manage per-user services through Group Policy and security templates.
+
+## Per-user services
+
+Windows 10 and Windows Server 2016 (with the Desktop Experience) have the following per-user services. The template services are located in the registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.
+
+Before you disable any of these services, review the **Description** column in this table to understand the implications, including dependent apps that will no longer work correctly.
+
+| Key name               | Display name                            | Default start type | Dependencies | Description                                                                                                                                                                           |
+|------------------------|-----------------------------------------|--------------------|--------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| CDPUserSvc             | CDPUserSvc                              | Auto               |              | Used for Connected Devices Platform scenarios                                                                                                                                         |
+| OneSyncSvc             | Sync Host                               | Auto (delayed)     |              | Synchronizes mail, contacts, calendar, and other user data. Mail and other applications dependent on this service don't work correctly when this service is not running.              |
+| PimIndexMaintenanceSvc | Contact Data                            | Manual             | UnistoreSvc  | Indexes contact data for fast contact searching. If you stop or disable this service, search results might not display all contacts.                                                  |
+| UnistoreSvc            | User Data Storage                       | Manual             |              | Handles storage of structured user data, including contact info, calendars, and messages. If you stop or disable this service, apps that use this data might not work correctly.      |
+| UserDataSvc            | User Data Access                        | Manual             | UnistoreSvc  | Provides apps access to structured user data, including contact info, calendars, and messages. If you stop or disable this service, apps that use this data might not work correctly. |
+| WpnUserService         | Windows Push Notifications User Service | Manual             |              | Hosts Windows notification platform, which provides support for local and push notifications. Supported notifications are tile, toast, and raw.                                        |
+
+## Disable per-user services
+
+The template service isn't displayed in the Services console (services.msc) so you need to edit the registry directly, either with Group Policy or a scripted solution, to disable a per-user service.
+
+> [!NOTE]
+> Disabling a per-user service simply means that it is created in a stopped and disabled state. When the user signs out, the per-user service is removed.
+
+You can't manage all of the per-user service templates services using normal Group Policy management methods. Because the per-user services aren't displayed in the Services management console, they're also not displayed in the Group Policy Services policy editor UI. 
+
+Additionally, there are four template services that can't be managed with a security template:
+- PimIndexMaintenanceSvc
+- UnistoreSvc
+- UserDataSvc
+- WpnUserService
+
+In light of these restrictions, you can use the following methods to manage per-user services template services:
+
+- A combination of a security template and a script or Group Policy preferences registry policy
+- Group Policy preferences for all of the services
+- A script for all of the services
+
+### Manage template services using a security template
+
+You can manage the CDPUserSvc and OneSyncSvc per-user services with a [security template](/windows/device-security/security-policy-settings/administer-security-policy-settings#bkmk-sectmpl). See [Administer security policy settings](/windows/device-security/security-policy-settings/administer-security-policy-settings) for more information.
+
+device-security/security-policy-settings/administer-security-policy-settings
+
+For example: 
+
+```
+[Unicode]
+Unicode=yes
+[Version]
+signature="$CHICAGO$"
+Revision=1
+[Service General Setting]
+"CDPUserSVC".4,""
+```
+
+### Manage template services using Group Policy preferences
+
+If a per-user service can't be disabled using a the security template, you can disable it by using Group Policy preferences.
+
+1. On a Windows Server domain controller or Windows 10 PC that has the [Remote Server Administration Tools (RSAT)](https://www.microsoft.com/en-us/download/details.aspx?id=45520) installed, click **Start**, type GPMC.MSC, and then press **Enter** to open the **Group Policy Management Console**.
+
+2. Create a new Group Policy Object (GPO) or use an existing GPO.  
+
+3. Right-click the GPO and click **Edit** to launch the Group Policy Object Editor.
+
+4. Depending on how you want to target the Group Policy, under **Computer configuration** or **User configuration** browse to Preferences\Windows Settings\Registry.
+
+5. Right-click **Registry** > **New** > **Registry Item**.
+
+   ![Group Policy preferences disabling per-user services](media/gpp-per-user-services.png) 
+   
+6. Make sure that  HKEY_Local_Machine is selected for Hive and then click ... (the ellipses) next to Key Path.
+
+   ![Choose HKLM](media/gpp-hklm.png)  
+    
+7. Browse to **System\CurrentControlSet\Services\PimIndexMaintenanceSvc**. In the list of values, highlight **Start** and click **Select**.
+
+   ![Select Start](media/gpp-svc-start.png)   
+   
+8. Change **Value data** from **00000003** to **00000004** and click **OK**. Note setting the Value data to **4** = **Disabled**. 
+
+   ![Startup Type is Disabled](media/gpp-svc-disabled.png)   
+   
+9. To add the other services that cannot be managed with a Group Policy templates, edit the policy and repeat steps 5-8.  
+
+### Managing Template Services with reg.exe
+
+If you cannot use GPP to manage the per-user services you can edit the registry with reg.exe. 
+To disable the Template Services change the Startup Type for each service to 4 (disabled). 
+For example:
+
+```code
+REG.EXE ADD HKLM\System\CurrentControlSet\Services\CDPUserSvc /v Start /t REG_DWORD /d 4 /f
+REG.EXE ADD HKLM\System\CurrentControlSet\Services\OneSyncSvc /v Start /t REG_DWORD /d 4 /f
+REG.EXE ADD HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc /v Start /t REG_DWORD /d 4 /f
+REG.EXE ADD HKLM\System\CurrentControlSet\Services\UnistoreSvc /v Start /t REG_DWORD /d 4 /f
+REG.EXE ADD HKLM\System\CurrentControlSet\Services\UserDataSvc /v Start /t REG_DWORD /d 4 /f
+REG.EXE ADD HKLM\System\CurrentControlSet\Services\WpnUserService /v Start /t REG_DWORD /d 4 /f
+``` 
+
+> [!CAUTION]
+> We recommend that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the Registry Editor or by the Windows operating system before they are applied. As a result, incorrect values can be stored, and this can result in unrecoverable errors in the system. When possible, instead of editing the registry directly, use Group Policy or other Windows tools such as the Microsoft Management Console (MMC) to accomplish tasks. If you must edit the registry, use extreme caution. 
+
+### Managing Template Services with regedit.exe 
+
+If you cannot use Group Policy preferences to manage the per-user services, you can edit the registry with regedit.exe. To disable the Template Services change the Startup Type for each service to 4 (disabled), as shown in the following example:
+
+![Using Regedit to change servive Starup Type](media/regedit-change-service-startup-type.png) 
+
+> [!CAUTION]
+> We recommend that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the Registry Editor or by the Windows operating system before they are applied. As a result, incorrect values can be stored, and this can result in unrecoverable errors in the system. When possible, instead of editing the registry directly, use Group Policy or other Windows tools such as the Microsoft Management Console (MMC) to accomplish tasks. If you must edit the registry, use extreme caution. 
+
+### Manage template services by modifying the Windows image
+
+If you're using custom images to deploy Windows, you can modify the Startup Type for the template services as part of the normal imaging process.
+
+### Use a script to manage per-user services
+
+You can create a script to change the Startup Type for the per-user services. Then use Group Policy or another management solution to deploy the script in your environment.
+
+Sample script using [sc.exe](https://technet.microsoft.com/library/cc990290%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396):
+
+```
+sc.exe configure <service name> start= disabled
+```
+Note that the space after "=" is intentional.
+
+Sample script using the [Set-Service PowerShell cmdlet](https://technet.microsoft.com/library/ee176963.aspx):
+
+```powershell
+Set-Service <service name> -StartupType Disabled
+```
+
+## View per-user services in the Services console (services.msc)
+
+As mentioned you can't view the template services in the Services console, but you can see the user-specific per-user services - they are displayed using the <service name>_LUID format (where LUID is the locally unique identifier).
+
+For example, you might see the following per-user services listed in the Services console:
+
+- CPDUserSVC_443f50
+- ContactData_443f50
+- Sync Host_443f50
+- User Data Access_443f50
+- User Data Storage_443f50
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@ -1044,6 +1044,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
 <li>Education/PreventAddingNewPrinters</li>
 <li>Education/PrinterNames</li>
 <li>Security/ClearTPMIfNotReady</li>
+<li>System/LimitEnhancedDiagnosticDataWindowsAnalytics</li>
 <li>Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork</li>
 <li>Update/DisableDualScan</li>
 <li>Update/ScheduledInstallEveryWeek</li>
@ -1335,6 +1336,31 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware

 ## Change history in MDM documentation

+### September 2017
+
+<table class="mx-tdBreakAll">
+<colgroup>
+<col width="25%" />
+<col width="75%" />
+</colgroup>
+<thead>
+<tr class="header">
+<th>New or updated topic</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr class="odd">
+<td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
+<td style="vertical-align:top"><p>Added the following new policies for Windows 10, version 1709:</p>
+<ul>
+<li>Search/AllowCloudSearch</li>
+<li>System/LimitEnhancedDiagnosticDataWindowsAnalytics</li>
+</ul>
+</td></tr>
+</tbody>
+</table>
+
 ### August 2017

 <table class="mx-tdBreakAll">
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@ -2646,6 +2646,9 @@ The following diagram shows the Policy configuration service provider in tree fo
  <dd>
    <a href="./policy-csp-system.md#system-disablesystemrestore" id="system-disablesystemrestore">System/DisableSystemRestore</a>
  </dd>
+  <dd>
+    <a href="./policy-csp-system.md#system-limitenhanceddiagnosticdatawindowsanalytics" id="limitenhanceddiagnosticdatawindowsanalytics">System/LimitEnhancedDiagnosticDataWindowsAnalytics</a>
+  </dd>
  <dd>
    <a href="./policy-csp-system.md#system-telemetryproxy" id="system-telemetryproxy">System/TelemetryProxy</a>
  </dd>
--- a/windows/client-management/mdm/policy-csp-defender.md
+++ b/windows/client-management/mdm/policy-csp-defender.md
@ -572,7 +572,7 @@ ms.date: 08/30/2017

 <p style="margin-left: 20px">Added in Windows 10, version 1709. This policy setting allows you to prevent Attack Surface reduction rules from matching on files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a path or a fully qualified resource name. As an example, a path might be defined as: "c:\Windows" to exclude all files in this directory. A fully qualified resource name might be defined as: "C:\Windows\App.exe"..

-Value type is string.
+<p style="margin-left: 20px">Value type is string.

 <!--EndDescription-->
 <!--EndPolicy-->
@ -609,7 +609,9 @@ Value type is string.

 <p style="margin-left: 20px">Added in Windows 10, version 1709. This policy setting enables setting the state (Block/Audit/Off) for each Attack surface reduction (ASR) rule. Each ASR rule listed can be set to one of the following states (Block/Audit/Off). The ASR rule ID and state should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid ASR rule ID, while the value contains the status ID indicating the status of the rule.

-Value type is string.
+<p style="margin-left: 20px">For more information about ASR rule ID and status ID, see [Enable Attack Surface Reduction](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction).
+
+<p style="margin-left: 20px">Value type is string.

 <!--EndDescription-->
 <!--EndPolicy-->
--- a/windows/client-management/mdm/policy-csp-system.md
+++ b/windows/client-management/mdm/policy-csp-system.md
@ -554,6 +554,51 @@ ADMX Info:
 <!--EndADMX-->
 <!--EndPolicy-->
 <!--StartPolicy-->
+<a href="" id="system-limitenhanceddiagnosticdatawindowsanalytics"></a>**System/LimitEnhancedDiagnosticDataWindowsAnalytics**  
+
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>Mobile Enterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
+<!--StartDescription-->
+<p style="margin-left: 20px">This policy setting, in combination with the System/AllowTelemetry 
+ policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. 
+ 
+<p style="margin-left: 20px">To enable this behavior you must complete two steps:
+<ul>
+<li>Enable this policy setting</li>
+<li>Set Allow Telemetry to level 2 (Enhanced)</li>
+</ul>
+ 
+<p style="margin-left: 20px">When you configure these policy settings, a basic level of  diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented here: [Windows 10, version 1703 basic level Windows diagnostic events and fields](https://go.microsoft.com/fwlink/?linkid=847594).
+ 
+<p style="margin-left: 20px">Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level telemetry data. This setting has no effect on computers configured to send full, basic or security level diagnostic data to Microsoft.
+   
+<p style="margin-left: 20px">If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy.
+
+
+<!--EndDescription-->
+<!--EndPolicy-->
+<!--StartPolicy-->
 <a href="" id="system-telemetryproxy"></a>**System/TelemetryProxy**  

 <!--StartSKU-->
--- a/windows/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
+++ b/windows/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
@ -8,7 +8,6 @@ ms.pagetype: security
 author: eross-msft
 ms.author: lizross
 ms.date: 08/11/2017
-localizationpriority: high
 ---

 # Configure Windows Defender Application Guard policy settings
--- a/windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md
+++ b/windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md
@ -8,7 +8,6 @@ ms.pagetype: security
 author: eross-msft
 ms.author: lizross
 ms.date: 08/11/2017
-localizationpriority: high
 ---

 # Frequently asked questions - Windows Defender Application Guard 
--- a/windows/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
+++ b/windows/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
@ -8,7 +8,6 @@ ms.pagetype: security
 author: eross-msft
 ms.author: lizross
 ms.date: 08/11/2017
-localizationpriority: high
 ---

 # Prepare and install Windows Defender Application Guard
--- a/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md
+++ b/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md
@ -8,7 +8,6 @@ ms.pagetype: security
 author: eross-msft
 ms.author: lizross
 ms.date: 08/11/2017
-localizationpriority: high
 ---

 # System requirements for Windows Defender Application Guard
--- a/windows/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md
+++ b/windows/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md
@ -8,7 +8,6 @@ ms.pagetype: security
 author: eross-msft
 ms.author: lizross
 ms.date: 08/11/2017
-localizationpriority: high
 ---

 # Testing scenarios using Windows Defender Application Guard in your business or organization
--- a/windows/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md
+++ b/windows/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md
@ -8,7 +8,6 @@ ms.pagetype: security
 author: eross-msft
 ms.author: lizross
 ms.date: 08/11/2017
-localizationpriority: high
 ---

 # Windows Defender Application Guard overview
--- a/windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md
@ -73,5 +73,9 @@ Your data will be kept for a period of at least 90 days, during which it will be


 ## Can Microsoft help us maintain regulatory compliance?
-Microsoft provides customers with detailed information about Microsoft's security and compliance programs, including audit reports and compliance packages, to help customers assess Windows Defender ATP services against their own legal and regulatory requirements. Windows Defender ATP has a roadmap for obtaining national, regional and industry-specific certifications, starting with ISO 27001. The service is designed, implemented, and maintained according to the compliance and privacy principles of ISO 27001, as well as Microsoft’s compliance standards.
-By providing customers with compliant, independently-verified services, Microsoft makes it easier for customers to achieve compliance for the infrastructure and applications they run, including this new Microsoft cloud service.
+Microsoft provides customers with detailed information about Microsoft's security and compliance programs, including audit reports and compliance packages, to help customers assess Windows Defender ATP services against their own legal and regulatory requirements. Windows Defender ATP is ISO 27001 certified and has a roadmap for obtaining national, regional and industry-specific certifications.
+
+
+By providing customers with compliant, independently-verified services, Microsoft makes it easier for customers to achieve compliance for the infrastructure and applications they run.
+
+For more information on the Windows Defender ATP ISO certification reports, see [Microsoft Trust Center](https://www.microsoft.com/en-us/trustcenter/compliance/iso-iec-27001). 
--- a/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
@ -38,7 +38,7 @@ Windows Defender Advanced Threat Protection requires one of the following Micros

 -	Windows 10 Enterprise E5
 -	Windows 10 Education E5
- Secure Productive Enterprise E5 (SPE E5) which includes Windows 10 Enterprise E5
+- Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5

 For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx#tab=2).

--- a/windows/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md
@ -79,6 +79,9 @@ You can create a custom dashboard in Power BI Desktop to create visualizations t

 8.	Select **New table and matrix visuals** and **Custom data connectors** and click **OK**.
    
+    >[NOTE]
+    >If you are using Power BI Desktop July 2017 version (or later), you won't need to select **New table and matrix visuals**. You'll only need to select **Custom data connectors**.
+
    ![Power BI options page](images/atp-powerbi-options.png)
    
 9. Restart Power BI Desktop.
--- a/windows/threat-protection/windows-information-protection/app-behavior-with-wip.md
+++ b/windows/threat-protection/windows-information-protection/app-behavior-with-wip.md
@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.pagetype: security
 ms.sitesec: library
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ---

 # Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)
--- a/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs.md
+++ b/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs.md
@ -6,7 +6,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ---

 # How to collect Windows Information Protection (WIP) audit event logs
--- a/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
+++ b/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ---

 # Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate
--- a/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
+++ b/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ---

 # Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune
--- a/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md
+++ b/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md
@ -8,7 +8,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ---

 # Associate and deploy a VPN policy for Windows Information Protection (WIP) using the classic console for Microsoft Intune
--- a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@ -6,7 +6,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ---

 # Create a Windows Information Protection (WIP) with enrollment policy using the Azure portal for Microsoft Intune
--- a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md
+++ b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md
@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ---

 # Create a Windows Information Protection (WIP) policy using the classic console for Microsoft Intune
--- a/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md
+++ b/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md
@ -8,7 +8,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ---

 # Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager
--- a/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
+++ b/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ---

 # Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune
--- a/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune.md
+++ b/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune.md
@ -8,7 +8,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ---

 # Deploy your Windows Information Protection (WIP) policy using the classic console for Microsoft Intune
--- a/windows/threat-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
+++ b/windows/threat-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
@ -8,7 +8,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ---

 # List of enlightened Microsoft apps for use with Windows Information Protection (WIP)
--- a/windows/threat-protection/windows-information-protection/guidance-and-best-practices-wip.md
+++ b/windows/threat-protection/windows-information-protection/guidance-and-best-practices-wip.md
@ -8,7 +8,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ---

 # General guidance and best practices for Windows Information Protection (WIP)
--- a/windows/threat-protection/windows-information-protection/limitations-with-wip.md
+++ b/windows/threat-protection/windows-information-protection/limitations-with-wip.md
@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ---

 # Limitations while using Windows Information Protection (WIP)
--- a/windows/threat-protection/windows-information-protection/mandatory-settings-for-wip.md
+++ b/windows/threat-protection/windows-information-protection/mandatory-settings-for-wip.md
@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ---

 # Mandatory tasks and settings required to turn on Windows Information Protection (WIP)
--- a/windows/threat-protection/windows-information-protection/overview-create-wip-policy.md
+++ b/windows/threat-protection/windows-information-protection/overview-create-wip-policy.md
@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ---

 # Create a Windows Information Protection (WIP) policy
--- a/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md
+++ b/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md
@ -8,7 +8,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ---

 # Protect your enterprise data using Windows Information Protection (WIP)
--- a/windows/threat-protection/windows-information-protection/recommended-network-definitions-for-wip.md
+++ b/windows/threat-protection/windows-information-protection/recommended-network-definitions-for-wip.md
@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ---

 # Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)
--- a/windows/threat-protection/windows-information-protection/testing-scenarios-for-wip.md
+++ b/windows/threat-protection/windows-information-protection/testing-scenarios-for-wip.md
@ -8,7 +8,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ---

 # Testing scenarios for Windows Information Protection (WIP)
--- a/windows/threat-protection/windows-information-protection/using-owa-with-wip.md
+++ b/windows/threat-protection/windows-information-protection/using-owa-with-wip.md
@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ---

 # Using Outlook on the web with Windows Information Protection (WIP)
--- a/windows/threat-protection/windows-information-protection/wip-app-enterprise-context.md
+++ b/windows/threat-protection/windows-information-protection/wip-app-enterprise-context.md
@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ---

 # Determine the Enterprise Context of an app running in Windows Information Protection (WIP)