Got on-premises AD and plan to move your organization’s identity management to the cloud? Do a one-time sync using Azure AD Connect.Minimal hybrid migration.
-
+
You can watch the descriptive audio version here: [Microsoft Education: Set up a new Windows 10 education devices using the Windows setup experience (DA)](https://www.youtube.com/watch?v=_UtS1Cz2Pno)
## To set up Windows 10 devices using OOBE
diff --git a/education/get-started/use-intune-for-education.md b/education/get-started/use-intune-for-education.md
index 6177eb9d53..b2a9e67e9d 100644
--- a/education/get-started/use-intune-for-education.md
+++ b/education/get-started/use-intune-for-education.md
@@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.topic: get-started
-localizationpriority: high
+ms.localizationpriority: high
ms.pagetype: edu
author: CelesteDG
ms.author: celested
@@ -206,8 +206,15 @@ Now that you've bought the apps, use Intune for Education to specify the group t
You're now done assigning apps to all users in your tenant. It's time to set up your Windows 10 device(s) and check that your cloud infrastructure is correctly set up and your apps are being pushed to your devices from the cloud.
+
+
+> [!div class="step-by-step"]
+[<< Configure Microsoft Store for Education](configure-microsoft-store-for-education.md)
+[Set up Windows 10 education devices >>](set-up-windows-10-education-devices.md)
+
## Related topic
diff --git a/education/get-started/use-school-data-sync.md b/education/get-started/use-school-data-sync.md
index 105a60374a..6c9b89cb9d 100644
--- a/education/get-started/use-school-data-sync.md
+++ b/education/get-started/use-school-data-sync.md
@@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.topic: get-started
-localizationpriority: high
+ms.localizationpriority: high
ms.pagetype: edu
author: CelesteDG
ms.author: celested
@@ -170,9 +170,14 @@ To learn more about the CSV files that are required and the info you need to inc
That's it for importing sample school data using SDS.
+
+> [!div class="step-by-step"]
+[<< Set up an Office 365 education tenant](set-up-office365-edu-tenant.md)
+[Enable Microsoft Teams for your school >>](enable-microsoft-teams.md)
## Related topic
[Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md)
\ No newline at end of file
diff --git a/education/index.md b/education/index.md
index 07b21e2952..bb44bf632a 100644
--- a/education/index.md
+++ b/education/index.md
@@ -45,6 +45,24 @@ ms.author: celested
diff --git a/education/windows/TOC.md b/education/windows/TOC.md
index 48b59392b8..30aa3f0ba5 100644
--- a/education/windows/TOC.md
+++ b/education/windows/TOC.md
@@ -16,6 +16,7 @@
### [For teachers: get Minecraft Education Edition](teacher-get-minecraft.md)
### [For IT administrators: get Minecraft Education Edition](school-get-minecraft.md)
### [Get Minecraft: Education Edition with Windows 10 device promotion](get-minecraft-device-promotion.md)
+## [Test Windows 10 S on existing Windows 10 education devices](test-windows10s-for-edu.md)
## [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
## [Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)
## [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md)
diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md
index 1c612e211e..699111447d 100644
--- a/education/windows/change-history-edu.md
+++ b/education/windows/change-history-edu.md
@@ -8,19 +8,27 @@ ms.sitesec: library
ms.pagetype: edu
author: CelesteDG
ms.author: celested
-ms.date: 07/10/2017
+ms.date: 08/01/2017
---
# Change history for Windows 10 for Education
This topic lists new and updated topics in the [Windows 10 for Education](index.md) documentation.
+## August 2017
+
+| New or changed topic | Description |
+| --- | ---- |
+| [Test Windows 10 S on existing Windows 10 education devices](test-windows10s-for-edu.md) | New. Find out how you can test Windows 10 S on a variety of Windows 10 devices (except Windows 10 Home) in your school and share your feedback with us. |
+| [Use the Set up School PCs app ](use-set-up-school-pcs-app.md) | Updated the instructions to reflect the new or updated functionality in the latest version of the app. |
+
## July 2017
| New or changed topic | Description |
| --- | ---- |
| [Get Minecraft: Education Edition with Windows 10 device promotion](get-minecraft-for-education.md) | New information about redeeming Minecraft: Education Edition licenses with qualifying purchases of Windows 10 devices. |
| [Use the Set up School PCs app ](use-set-up-school-pcs-app.md) | Added the how-to video, which shows how to use the app to create a provisioning package that you can use to set up school PCs. |
+| [Take a Test app technical reference](take-a-test-app-technical.md) | Added a Group Policy section to inform you of any policies that affect the Take a Test app or functionality within the app. |
## June 2017
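Review bot: The new "Take a Test app technical reference" row is added to the July 2017 table, but the Group Policy section it describes is introduced in this same change, where take-a-test-app-technical.md gets `ms.date: 08/07/2017`. Move that row into the new August 2017 table so the history matches when the section shipped. For the same reason, `ms.date: 08/01/2017` on this file is earlier than the 08/07/2017 date on the topics it announces. Consider aligning it. Minor: the link text `[Use the Set up School PCs app ]` carries a trailing space inside the brackets in both tables.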
diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md
index f88c07f4b1..94d98ad536 100644
--- a/education/windows/chromebook-migration-guide.md
+++ b/education/windows/chromebook-migration-guide.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: edu, devices
-localizationpriority: high
+ms.localizationpriority: high
author: craigash
ms.author: celested
---
diff --git a/education/windows/configure-windows-for-education.md b/education/windows/configure-windows-for-education.md
index 4cbabcfdff..c7c048afcb 100644
--- a/education/windows/configure-windows-for-education.md
+++ b/education/windows/configure-windows-for-education.md
@@ -4,7 +4,9 @@ description: Provides guidance on ways to configure the OS diagnostic data, cons
keywords: Windows 10 deployment, recommendations, privacy settings, school, education, configurations, accessibility, assistive technology
ms.mktglfcycl: plan
ms.sitesec: library
-localizationpriority: high
+ms.prod: w10
+ms.pagetype: edu
+ms.localizationpriority: high
author: CelesteDG
ms.author: celested
ms.date: 06/19/2017
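Review bot: `ms.date: 06/19/2017` is left unchanged in this front matter even though the next hunk changes the article body by adding the SetEduPolicies recommendation. The other content changes in this commit (change-history-edu.md, take-a-test-app-technical.md) set or update `ms.date`, so update it here too.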
@@ -16,7 +18,7 @@ ms.date: 06/19/2017
- Windows 10
-Privacy is important to us, we want to provide you with ways to customize the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, for usage with [education editions of Windows 10](windows-editions-for-education-customers.md) in education environments. These features work on all Windows 10 editions, but education editions of Windows 10 have the settings preconfigured. See the following table for more information. To learn more about Microsoft's commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305).
+Privacy is important to us, we want to provide you with ways to customize the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, for usage with [education editions of Windows 10](windows-editions-for-education-customers.md) in education environments. These features work on all Windows 10 editions, but education editions of Windows 10 have the settings preconfigured. We recommend that all Windows 10 devices in an education setting be configured with **[SetEduPolicies](https://docs.microsoft.com/en-us/education/windows/configure-windows-for-education#setedupolicies)** enabled. See the following table for more information. To learn more about Microsoft's commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305).
We want all students to have the chance to use the apps they need for success in the classroom and all school personnel to have apps they need for their job. Students and school personnel who use assistive technology apps not available in the Microsoft Store for Education, and use devices running Windows 10 S, will be able to configure the device at no additional charge to Windows 10 Pro Education. To learn more about the steps to configure this, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md).
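Review bot: The added SetEduPolicies link in the first paragraph points to `https://docs.microsoft.com/en-us/education/windows/configure-windows-for-education#setedupolicies`, which is an absolute, locale-pinned URL to an anchor in this same file. Use the relative form `(#setedupolicies)`, as the other in-page links in this change do (for example `(#supported-devices)` in test-windows10s-for-edu.md), so the link follows the reader's locale and survives a move of the article. Since this sentence is now the page's main hardening recommendation, it would also help to state it separately from "See the following table for more information", which currently reads as if it refers to SetEduPolicies only.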
diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md
index 70f71c103a..677ecadbb9 100644
--- a/education/windows/deploy-windows-10-in-a-school-district.md
+++ b/education/windows/deploy-windows-10-in-a-school-district.md
@@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: edu
ms.sitesec: library
-localizationpriority: high
+ms.localizationpriority: high
author: craigash
ms.author: celested
---
diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md
index 6c6ecf4977..e83be61c46 100644
--- a/education/windows/deploy-windows-10-in-a-school.md
+++ b/education/windows/deploy-windows-10-in-a-school.md
@@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: edu
ms.sitesec: library
-localizationpriority: high
+ms.localizationpriority: high
author: craigash
ms.author: celested
---
diff --git a/education/windows/edu-deployment-recommendations.md b/education/windows/edu-deployment-recommendations.md
index 7d76300a59..b6da8e4c04 100644
--- a/education/windows/edu-deployment-recommendations.md
+++ b/education/windows/edu-deployment-recommendations.md
@@ -4,7 +4,7 @@ description: Provides guidance on ways to customize the OS privacy settings, as
keywords: Windows 10 deployment, recommendations, privacy settings, school
ms.mktglfcycl: plan
ms.sitesec: library
-localizationpriority: high
+ms.localizationpriority: high
author: CelesteDG
ms.author: celested
ms.date: 06/19/2017
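Review bot: The front matter visible in this hunk (keywords through ms.date) has no `ms.prod` or `ms.pagetype` entry, and only the localization key is renamed. The same change adds `ms.prod: w10` and `ms.pagetype: edu` to configure-windows-for-education.md, which has the same layout, so if those keys are absent here as well, add them in this hunk for consistency.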
diff --git a/education/windows/education-scenarios-store-for-business.md b/education/windows/education-scenarios-store-for-business.md
index 05fc30932c..4a2fc0fdf9 100644
--- a/education/windows/education-scenarios-store-for-business.md
+++ b/education/windows/education-scenarios-store-for-business.md
@@ -5,7 +5,7 @@ keywords: school, Microsoft Store for Education, Microsoft education store
ms.prod: W10
ms.mktglfcycl: plan
ms.sitesec: library
-localizationpriority: high
+ms.localizationpriority: high
searchScope:
- Store
author: trudyha
diff --git a/education/windows/get-minecraft-device-promotion.md b/education/windows/get-minecraft-device-promotion.md
index 3d04278dc0..5fe066fdea 100644
--- a/education/windows/get-minecraft-device-promotion.md
+++ b/education/windows/get-minecraft-device-promotion.md
@@ -5,7 +5,7 @@ keywords: school, Minecraft, education edition
ms.prod: W10
ms.mktglfcycl: plan
ms.sitesec: library
-localizationpriority: high
+ms.localizationpriority: high
author: trudyha
searchScope:
- Store
diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md
index 6879e99b63..172533af8e 100644
--- a/education/windows/get-minecraft-for-education.md
+++ b/education/windows/get-minecraft-for-education.md
@@ -5,7 +5,7 @@ keywords: school, Minecraft, education edition
ms.prod: W10
ms.mktglfcycl: plan
ms.sitesec: library
-localizationpriority: high
+ms.localizationpriority: high
author: trudyha
searchScope:
- Store
diff --git a/education/windows/images/suspc_createpackage_recommendedapps_073117.PNG b/education/windows/images/suspc_createpackage_recommendedapps_073117.PNG
new file mode 100644
index 0000000000..22df144bdc
Binary files /dev/null and b/education/windows/images/suspc_createpackage_recommendedapps_073117.PNG differ
diff --git a/education/windows/images/suspc_createpackage_summary_073117.PNG b/education/windows/images/suspc_createpackage_summary_073117.PNG
new file mode 100644
index 0000000000..c0e4b04723
Binary files /dev/null and b/education/windows/images/suspc_createpackage_summary_073117.PNG differ
diff --git a/education/windows/images/suspc_createpackage_takeatestpage_073117.PNG b/education/windows/images/suspc_createpackage_takeatestpage_073117.PNG
new file mode 100644
index 0000000000..4a4ec886a5
Binary files /dev/null and b/education/windows/images/suspc_createpackage_takeatestpage_073117.PNG differ
diff --git a/education/windows/index.md b/education/windows/index.md
index 33b03ce19c..e84bfe7051 100644
--- a/education/windows/index.md
+++ b/education/windows/index.md
@@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: edu
-localizationpriority: high
+ms.localizationpriority: high
author: CelesteDG
ms.author: celested
---
@@ -40,10 +40,10 @@ ms.author: celested
##  Deploy
-
[Set up Windows devices for education](set-up-windows-10.md) Depending on your school's device management needs, you can use the Set up School PCs app or the Windows Configuration Designer tool to quickly set up student PCs.
+
[Set up Windows devices for education](set-up-windows-10.md) Depending on your school's device management needs, you can use the Set up School PCs app or the Windows Configuration Designer tool to quickly set up student PCs.
[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) Get step-by-step guidance to help you deploy Windows 10 in a school environment.
[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md) Get step-by-step guidance on how to deploy Windows 10 to PCs and devices across a school district.
-
Try it out: Windows 10 deployment (for education) Learn how to upgrade devices running the Windows 7 operating system to Windows 10 Anniversary Update, and how to manage devices, apps, and users in Windows 10 Anniversary Update.
[Test Windows 10 S on existing Windows 10 education devices](test-windows10s-for-edu.md) Test Windows 10 S on a variety of Windows 10 devices (except Windows 10 Home) in your school and share your feedback with us.
##  Switch
@@ -65,3 +65,7 @@ Follow these links to find step-by-step guidance on how to deploy Windows 8.1 in
## Related topics
- [Microsoft Education documentation and resources](https://docs.microsoft.com/education)
- [Windows 10 and Windows 10 Mobile](https://technet.microsoft.com/itpro/windows/index)
+
+
diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md
index 188a7df1a6..572ace9f5f 100644
--- a/education/windows/school-get-minecraft.md
+++ b/education/windows/school-get-minecraft.md
@@ -5,7 +5,7 @@ keywords: Minecraft, Education Edition, IT admins, acquire
ms.prod: W10
ms.mktglfcycl: plan
ms.sitesec: library
-localizationpriority: high
+ms.localizationpriority: high
author: trudyha
searchScope:
- Store
diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md
index 120247f9d3..89cd5cab6a 100644
--- a/education/windows/set-up-school-pcs-technical.md
+++ b/education/windows/set-up-school-pcs-technical.md
@@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: edu
-localizationpriority: high
+ms.localizationpriority: high
author: CelesteDG
ms.author: celested
---
diff --git a/education/windows/set-up-students-pcs-to-join-domain.md b/education/windows/set-up-students-pcs-to-join-domain.md
index d33c9d5620..b85706e38d 100644
--- a/education/windows/set-up-students-pcs-to-join-domain.md
+++ b/education/windows/set-up-students-pcs-to-join-domain.md
@@ -5,7 +5,7 @@ keywords: school, student PC setup, Windows Configuration Designer
ms.prod: W10
ms.mktglfcycl: plan
ms.sitesec: library
-localizationpriority: high
+ms.localizationpriority: high
author: CelesteDG
ms.author: celested
---
diff --git a/education/windows/set-up-students-pcs-with-apps.md b/education/windows/set-up-students-pcs-with-apps.md
index 32d966f479..660b765246 100644
--- a/education/windows/set-up-students-pcs-with-apps.md
+++ b/education/windows/set-up-students-pcs-with-apps.md
@@ -2,10 +2,11 @@
title: Provision student PCs with apps
description: Learn how to use Configuration Designer to easily provision student devices to join Active Directory.
keywords: shared cart, shared PC, school, provision PCs with apps, Windows Configuration Designer
-ms.prod: W10
+ms.prod: w10
+ms.pagetype: edu
ms.mktglfcycl: plan
ms.sitesec: library
-localizationpriority: high
+ms.localizationpriority: high
author: CelesteDG
ms.author: celested
---
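Review bot: `ms.prod` is lowercased from `W10` to `w10` here, but several other files touched by this same change still show `ms.prod: W10` in their context lines (education-scenarios-store-for-business.md, get-minecraft-device-promotion.md, get-minecraft-for-education.md, school-get-minecraft.md, set-up-students-pcs-to-join-domain.md, teacher-get-minecraft.md). Either normalize the value everywhere in this commit or leave it for a dedicated cleanup, so the metadata does not end up half-converted. Separately, the `description` context line says the article is about provisioning devices "to join Active Directory" while the title is "Provision student PCs with apps". That looks copied from the domain-join topic and is worth correcting while this front matter is being edited.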
diff --git a/education/windows/set-up-windows-10.md b/education/windows/set-up-windows-10.md
index 00647deb81..1498a9f5a3 100644
--- a/education/windows/set-up-windows-10.md
+++ b/education/windows/set-up-windows-10.md
@@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: edu
-localizationpriority: high
+ms.localizationpriority: high
author: CelesteDG
ms.author: celested
---
diff --git a/education/windows/switch-to-pro-education.md b/education/windows/switch-to-pro-education.md
index 1619f08a9a..5e73aec703 100644
--- a/education/windows/switch-to-pro-education.md
+++ b/education/windows/switch-to-pro-education.md
@@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: edu
-localizationpriority: high
+ms.localizationpriority: high
author: CelesteDG
ms.author: celested
---
diff --git a/education/windows/take-a-test-app-technical.md b/education/windows/take-a-test-app-technical.md
index 5da7470ad4..e1c9c918d3 100644
--- a/education/windows/take-a-test-app-technical.md
+++ b/education/windows/take-a-test-app-technical.md
@@ -6,9 +6,10 @@ ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: edu
-localizationpriority: high
+ms.localizationpriority: high
author: CelesteDG
ms.author: celested
+ms.date: 08/07/2017
---
# Take a Test app technical reference
@@ -50,6 +51,18 @@ When Take a Test is running, the following MDM policies are applied to lock down
| AllowCortana | Disables Cortana functionality | 0 |
| AllowAutoupdate | Disables Windows Update from starting OS updates | 5 |
+## Group Policy
+
+To ensure Take a Test activates correctly, make sure the following Group Policy are not configured on the PC.
+
+| Functionality | Group Policy path | Policy |
+| --- | --- | --- |
+| Require Ctrl+Alt+Del | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options | Interactive logon: Do not Require CTRL+ALT+DEL |
+| Disable lock screen notifications | Computer Configuration\Administrative Templates\System\Logon | Turn off app notifications on the lock screen |
+| Disable lock screen | Computer Configuration\Administrative Templates\Control Panel\Personalization | Do not display the lock screen |
+| Disable UAC | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options | User Account Control: Run all administrators in Admin Approval Mode |
+| Disable local workstation | User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options | Remove Lock Computer |
+
## Allowed functionality
When Take a Test is running, the following functionality is available to students:
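Review bot: The new Group Policy table does not say which setting state interferes with Take a Test, and the "Disable UAC" row is easy to misread. Its policy, "User Account Control: Run all administrators in Admin Approval Mode", keeps UAC on when it is enabled, so a reader could take the row as advice to turn UAC off, or be unsure whether the enabled state is a problem. Add a column, or reword the intro, to name the specific state that must not be set for each policy, and label the first column by what the policy controls rather than "Disable ...". Smaller points in the same hunk: "the following Group Policy are not configured" should read "Group Policy settings" or "policies", "Do not Require CTRL+ALT+DEL" should use lowercase "require" to match the policy name, and "Disable local workstation" next to "Remove Lock Computer" looks like a typo for "lock workstation".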
diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md
index ba5ffb4d9d..64fbb7095c 100644
--- a/education/windows/take-a-test-multiple-pcs.md
+++ b/education/windows/take-a-test-multiple-pcs.md
@@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: edu
-localizationpriority: high
+ms.localizationpriority: high
author: CelesteDG
ms.author: celested
---
diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md
index 71827e3366..b21ff39bef 100644
--- a/education/windows/take-a-test-single-pc.md
+++ b/education/windows/take-a-test-single-pc.md
@@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: edu
-localizationpriority: high
+ms.localizationpriority: high
author: CelesteDG
ms.author: celested
---
diff --git a/education/windows/take-tests-in-windows-10.md b/education/windows/take-tests-in-windows-10.md
index 94b00c53fa..9f2282eb80 100644
--- a/education/windows/take-tests-in-windows-10.md
+++ b/education/windows/take-tests-in-windows-10.md
@@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: edu
-localizationpriority: high
+ms.localizationpriority: high
author: CelesteDG
ms.author: celested
---
diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md
index 49e449f751..4873c007c6 100644
--- a/education/windows/teacher-get-minecraft.md
+++ b/education/windows/teacher-get-minecraft.md
@@ -5,7 +5,7 @@ keywords: school, Minecraft, Education Edition, educators, teachers, acquire, di
ms.prod: W10
ms.mktglfcycl: plan
ms.sitesec: library
-localizationpriority: high
+ms.localizationpriority: high
author: trudyha
searchScope:
- Store
diff --git a/education/windows/test-windows10s-for-edu.md b/education/windows/test-windows10s-for-edu.md
new file mode 100644
index 0000000000..f84864aaaf
--- /dev/null
+++ b/education/windows/test-windows10s-for-edu.md
@@ -0,0 +1,243 @@
+---
+title: Test Windows 10 S on existing Windows 10 education devices
+description: Provides guidance on downloading and testing Windows 10 S for existing Windows 10 education devices.
+keywords: Windows 10 S, try, download, school, education, Windows 10 S installer, existing Windows 10 education devices
+ms.mktglfcycl: deploy
+ms.prod: w10
+ms.pagetype: edu
+ms.sitesec: library
+ms.localizationpriority: high
+author: CelesteDG
+ms.author: celested
+ms.date: 08/07/2017
+---
+
+# Test Windows 10 S on existing Windows 10 education devices
+
+**Applies to:**
+- Windows 10 Pro, Windows 10 Pro Education, Windows 10 Education, Windows 10 Enterprise
+
+The Windows 10 S self-installer will allow you to test Windows 10 S on a variety of individual Windows 10 devices (except Windows 10 Home) with a genuine, activated license[1](#footnote1). Please test Windows 10 S on a variety of devices in your school and share your feedback with us.
+
+Windows 10 S is built to give schools the familiar, robust, and productive experiences you count on from Windows in an experience that's been streamlined for security and performance in the classroom, and built to work with Microsoft Education[2](#footnote2).
+
+Windows 10 S is different from other editions of Windows 10 as everything that runs on the device is verfied by Microsoft for security and performance. Therefore, Windows 10 S works exclusively with apps from the Windows Store. Some accessories and apps compatible with Windows 10 may not work and performance may vary. Certain default settings, features, and apps cannot be changed. When you install Windows 10 S, your existing applications and settings will be deleted and you will only be able to install apps from the Windows Store.
+
+**Configuring Windows 10 S for school use is easy:** Education customers must configure **SetEduPolicies** for use in K-12 schools. For more information on how to do these, see [Use the Set up School PCs app](use-set-up-school-pcs-app.md) and [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md).
+
+**Installing Office 365 for Windows 10 S (Education preview)**: To install the Office applications in a school environment, you must use the free Set up School PCs app, which is available on the Microsoft Store for Education and from the Windows Store.
+
+As we finalize development of Office 365 for Windows 10 S (Education preview), the applications will be updated automatically. You must have an Office license to activate the applications once they are installed.To learn more about Office 365 for Education plans, see [FAQ: Office on Windows 10 S](https://support.office.com/article/717193b5-ff9f-4388-84c0-277ddf07fe3f).
+
+## Before you install Windows 10 S
+
+### Important information
+
+Before you install Windows 10 S, be aware that non-Windows Store apps will not work, peripherals that require custom drivers may not work, and other errors may occur. In particular, this release of Windows 10 S:
+* Is intended for education customers to test compatibility with existing hardware
+* May not work with some device drivers, which may not yet be ready for Windows 10 S and may cause some loss in functionality
+* May not be compatible with all peripherals that require custom drivers and, even if compatible, may cause aspects of the peripheral to not function
+* Has software and feature limitations compared to other Windows 10 editions, primarily that Windows 10 S is limited to Store apps only
+
+ > [!WARNING]
+ > You can install Windows 10 S on devices running other editions of Windows 10. For more information, see [Supported devices](#supported-devices). However, we don't recommend installing Windows 10 S on Windows 10 Home devices as you won't be able to activate it.
+
+* Will not run current Win32 software and might result in the loss of any data associated with that software, which might include software already purchased
+
+Due to these reasons, we recommend that you use the installation tool and avoid doing a clean install from an ISO media.
+
+Before you install Windows 10 S on your existing Windows 10 Pro, Windows 10 Pro Education, Windows 10 Education, or Windows 10 Enterprise device:
+* Make sure that you updated your existing device to Windows 10, version 1703 (Creators Update).
+
+ See [Download Windows 10](https://www.microsoft.com/en-us/software-download/windows10) and follow the instructions to update your device to Windows 10, version 1703. You can verify your current version in **Settings > System > About**.
+
+* Install the latest Windows Update.
+
+ To do this, go to **Settings > Update & security > Windows Update**.
+
+* Create a system backup in case you would like to return to your previously installed version of Windows 10 after trying Windows 10 S.
+
+ See [Create a recovery drive](#create-a-recovery-drive) for information on how to do this.
+
+## Supported devices
+
+The Windows 10 S install will install and activate on the following editions of Windows 10 in use by schools:
+* Windows 10 Pro
+* Windows 10 Pro Education
+* Windows 10 Education
+* Windows 10 Enterprise
+
+Other Windows 10 editions cannot be activated and are not supported. If your device is not running one of these supported Windows 10 editions, do not proceed with using the Windows 10 S installer. Windows 10 N editions and running in virtual machines are not supported by the Windows 10 S installer.
+
+### Preparing your device to install drivers
+
+Make sure all drivers are installed and working properly on your device running Windows 10 Pro, Windows 10 Pro Education, Windows 10 Education, or Windows 10 Enterprise before installing Windows 10 S.
+
+### Supported devices and drivers
+
+Check with your device manufacturer before trying Windows 10 S on your device to see if the drivers are available and supported by the device manufacturer.
+
+
+
+| | | |
+| - | - | - |
+| Acer | American Future Tech | Asus |
+| Atec | Axdia | Casper |
+| Cyberpower | Daewoo | Daten |
+| Fujitsu | Global K | HP |
+| LANIT Trading | Lenovo | LG |
+| MCJ | Micro P/Exertis | Microsoft |
+| MSI | Panasonic | Positivo SA |
+| Positivo da Bahia | Samsung | Tongfang |
+| Toshiba | Trekstor | Trigem |
+| Vaio | Wortmann |
+
+
+> [!NOTE]
+> If you don't see any device listed on the manufacturer's web site, check back again later as more devices get added in the future.
+
+
+
+## Kept files
+
+Back up all your data before installing Windows 10 S. Only personal files may be kept during installation. Your settings and apps will be deleted.
+
+> [!NOTE]
+> All existing Win32 applications and data will be deleted. Save any data or installation files in case you may need to access that data again or need to reinstall these applications later.
+
+## Domain join
+
+Windows 10 S does not support non-Azure Active Directory domain accounts. Before installing Windows 10 S, you must have at least one of these administrator accounts:
+- Local administrator
+- Microsoft Account (MSA) administrator
+- Azure Active Directory administrator
+
+> [!WARNING]
+> If you don't have one of these administrator accounts accessible before migration, you will not be able to log in to your device after migrating to Windows 10 S.
+
+We recommend [creating a recovery drive](#create-a-recovery-drive) before migrating to Windows 10 S in case you run into this issue.
+
+## Installing Office applications
+
+After installing Windows 10 S, use the free [Set up School PCs app](use-set-up-school-pcs-app.md) to install Office 365 for Windows 10 S (Education preview). You must have an Office license to activate the applications once they are installed.
+
+
+## Switch to previously installed Windows 10 editions
+
+If Windows 10 S is not right for you, you can switch to the Windows 10 edition previously installed on your device(s).
+* Education customers can switch devices to Windows 10 Pro Education using the Microsoft Store for Education. For more information, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md).
+* If you try Windows 10 S and decide to switch back to the previously installed edition within 10 days, you can go back to the previously installed edition using the Windows Recovery option in Settings. For more info, see [Go back to your previous edition of Windows 10](#go-back-to-your-previous-edition-of-windows-10).
+
+## Device recovery
+
+Before installing Windows 10 S, we recommend that you create a system backup in case you would like to return to Windows 10 Pro or Windows 10 Pro Education after trying Windows 10 S.
+
+### Create a recovery drive
+To create a recovery drive, follow these steps.
+
+1. From the taskbar, search for **Create a recovery drive** and then select it. You might be asked to enter an admin password or confirm your choice.
+2. In the **Recovery drive** tool, make sure **Back up system files to the recovery drive** is selected and then click **Next**.
+3. Connect a USB drive to your PC, select it, and then select **Next > Create**.
+
+ A lot of files need to be copied to the recovery drive so this might take a while.
+
+4. When it's done, you might see a **Delete the recovery partition from your PC** link on the final screen. If you want to free up drive space on your PC, select the link and then select **Delete**. If not, select **Finish**.
+
+### Go back to your previous edition of Windows 10
+
+Alternatively, for a period of 10 days after you install Windows 10 S, you have the option to go back to your previous edition of Windows 10 from **Settings > Update & security > Recovery**. This will keep your personal files, but it will remove installed apps as well as any changes you made to **Settings**.
+
+To go back, you need to:
+* Keep everything in the windows.old and $windows.~bt folders after the upgrade.
+* Remove any user accounts you added after the upgrade.
+
+If going back is not available:
+* Check if you can restore your PC to factory settings. This will reinstall the version of Windows that came with your PC and remove personal files, apps, and drivers you installed and any changes you made to **Settings**. Go to **Settings > Update & security > Recovery > Reset this PC > Get started** and look for **Restore factory settings**.
+* If you have a product key for your previous version of Windows, use the media creation tool to create installation media of your previous Windows 10 edition and use it to do a clean install.
+
+### Use installation media to reinstall Windows 10
+
+> [!WARNING]
+> This will remove all your personal files, apps, and installed drivers. apps and customizations from your PC manufacturer, and changes you made to **Settings**.
+
+To use an installation media to reinstall Windows 10, follow these steps.
+
+1. On a working PC, go to the [Microsoft software download website](https://www.microsoft.com/en-us/software-download/windows10).
+2. Download the Media Creation Tool and then run it.
+3. Select **Create installation media for another PC**.
+4. Choose a language, edition, and architecture (64-bit or 32-bit).
+5. Follow the steps to create an installation media and then select **Finish**.
+6. Connect the installation media that you created to your non-functional PC, and then turn it on.
+7. On the initial setup screen, enter your language and other preferences, and then select **Next**.
+
+ If you're not seeing the setup screen, your PC might not be set up to boot from a drive. Check your PC manufacturer's website for information on how to change your PC's boot order, and then try again.
+
+8. Select **Install now**.
+9. On the **Enter the product key to active Windows** page, enter a product key if you have one. If you upgraded to Windows 10 for free, or bought and activated Windows 10 from the Windows Store, select **Skip** and Windows will automatically activate later. For more information, see [Activation in Windows 10](https://support.microsoft.com/en-us/help/12440/windows-10-activation).
+10. On the **License terms** page, select **I accept the license terms** if you agree, and then select **Next**.
+11. On the **Which type of installation do you want?** page, select **Custom**.
+12. On the **where do you want to install Windows?** page, select a partition, select a formatting option (if necessary), and then follow the instructions.
+13. When you're done formatting, select **Next**.
+14. Follow the rest of the setup instructions to finish installing Windows 10.
+
+## Download Windows 10 S
+Ready to test Windows 10 S on your existing Windows 10 Pro or Windows 10 Pro Education device? Make sure you read the [important pre-installation information](#important-information) and all the above information.
+
+When you're ready, you can download the Windows 10 S installer by clicking the **Download installer** button below:
+
+> [!div class="nextstepaction" style="center"]
+> [Download installer](https://go.microsoft.com/fwlink/?linkid=853240)
+
+After you install Windows 10 S, the OS defaults to the English version. To change the UI and show the localized UI, go to **Settings > Time & language > Region & language >** in **Languages** select **Add a language** to add a new language or select an existing language and set it as the default.
+
+## Terms and Conditions
+Because you’re installing Windows 10 S on a running version of Windows 10, you have already accepted the Windows 10 Terms and Conditions. You are not required to accept it again and the Windows 10 installer doesn’t show a Terms and Conditions page during installation.
+
+## Support
+Thank you for testing Windows 10 S. Your best experience will be running on a supported device as mentioned above. However, we invite you to try Windows 10 S on existing devices with an eligible operating system. If you are having difficulty installing or running Windows 10 S, use the Windows **Feedback Hub** to report your experience to Microsoft. This is the best way to help improve Windows 10 S with your feedback.
+
+Common support questions for the Windows 10 S test program:
+
+* **How do I activate if I don't have a Windows 10 S product key?**
+
+ As stated above, devices running Windows 10 Pro, Windows 10 Pro Education, Windows 10 Education, or Windows 10 Enterprise can install and run Windows 10 S and it will automatically activate. Testing Windows 10 S on a device running Windows 10 Home is not recommended and supported at this time.
+
+* **Will my OEM help me run Windows 10 S?**
+
+ OEMs typically only support their devices with the operating system that was pre-installed. See [Supported devices](#supported-devices) for OEM devices that are best suited for testing Windows 10 S. When testing Windows 10 S, be ready to restore your own PC back to factory settings without assistance. Steps to return to your previous installation of Windows 10 are covered above.
+
+* **What happens when I run Reset or Fresh Start on Windows 10 S?**
+
+ **Reset** or **Fresh Start** will operate correctly and keep you on Windows 10 S. They also remove the 10-day go back ability. See [Switch to previously installed Windows 10 editions](#switch-to-previously-installed-windows-10-editions) to return to your previous installation of Windows 10 if you wish to discontinue using Windows 10 S.
+
+* **What if I want to move from Windows 10 S to Windows 10 Pro?**
+
+ If you want to discontinue using Windows 10 S, follow the instructions to return to your previous installation of Windows 10. If you already had Windows 10 Pro or Windows 10 Pro Education on the device you are testing on, you should be able to move to Windows 10 Pro or Windows 10 Pro Education at no charge with the instructions in this document. Otherwise, ther emay be a cost to acquire a Windows 10 Pro license in the Store.
+
+For help with activation issues, click on the appropriate link below for support options.
+* For Volume Licensing Agreement or Shape the Future program customers, go to the [Microsoft Commercial Support](https://support.microsoft.com/gp/commercialsupport) website and select the country/region in which you are seeking commercial support to contact our commercial support team.
+* If you do not have a Volume Licensing Agreement, go to the [Microsoft Support](https://support.microsoft.com/en-us/contactus/) website and choose a support option.
+
+
+
+1 Internet access fees may apply.
+2 Devices must be configured for educational use by applying **[SetEduPolicies](https://docs.microsoft.com/en-us/education/windows/configure-windows-for-education#setedupolicies)** using the Set up School PCs app.
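Review bot: Step 9 under "Use installation media to reinstall Windows 10" names the page **Enter the product key to active Windows**; that should read "activate". The added text has two more slips: the warning has a stray period and a lower-case restart ("installed drivers. apps and customizations"), and the last FAQ answer has "ther emay". The FAQ phrase "is not recommended and supported at this time" is also ambiguous; "is not recommended or supported" states the intent.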
+
+
+
diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md
index 87744a18d7..21e94929b9 100644
--- a/education/windows/use-set-up-school-pcs-app.md
+++ b/education/windows/use-set-up-school-pcs-app.md
@@ -6,10 +6,10 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: edu
-localizationpriority: high
+ms.localizationpriority: high
author: CelesteDG
ms.author: celested
-ms.date: 07/10/2017
+ms.date: 08/01/2017
---
# Use the Set up School PCs app
@@ -119,7 +119,7 @@ The **Set up School PCs** app guides you through the configuration choices for t

2. Click **Get started**.
-3. To sign in to your school's Office 365 account, in the **First step: Let's get you signed in** page:
+3. To sign in to your school's Office 365 account, in the **First step: Let's get you signed in** page:
To get the best option for setup and enable student PCs to automatically be connected to Office 365, Azure AD, and management services like Intune for Education, click **Sign-in**.
@@ -140,7 +140,7 @@ The **Set up School PCs** app guides you through the configuration choices for t
5. Click **Next**.
-4. To allow the student PCs to automatically connect to your school's wireless network, in the **Select the school's wireless network** page:
+4. To allow the student PCs to automatically connect to your school's wireless network, in the **Select the school's wireless network** page:
1. Select the school's Wi-Fi network from the list of available wireless networks or manually add a wireless network.
2. Click **Next** if you added or selected a wireless network, or **Skip** to skip configuring a wireless network.
@@ -152,7 +152,7 @@ The **Set up School PCs** app guides you through the configuration choices for t

-5. To assign a name to the student PCs, in the **Name these devices** page:
+5. To assign a name to the student PCs, in the **Name these devices** page:
1. Add a short name that Set up School PCs will use as a prefix to identify and easily manage the group of devices, apps, and other settings through your device management client.
> [!NOTE]
@@ -162,7 +162,7 @@ The **Set up School PCs** app guides you through the configuration choices for t
2. Click **Next**.
-6. To specify other settings for the student PC, in the **Configure student PC settings** page:
+6. To specify other settings for the student PC, in the **Configure student PC settings** page:
- Select **Remove apps pre-installed by the device manufacturer** to install only the base Windows image.
> [!NOTE]
@@ -186,44 +186,45 @@ The **Set up School PCs** app guides you through the configuration choices for t
When you're doing configuring the student PC settings, click **Next**.
-7. If you want to set up the Take a Test app and use it for taking quizzes and high-stakes assessments by some providers like Smarter Balanced, configure the settings in the **Set up the Take a Test app** page.
- 1. Enter the assessment URL.
+7. If you want to set up the Take a Test app and use it for taking quizzes and high-stakes assessments by some providers like Smarter Balanced, configure the settings in the **Set up the Take a Test app** page. Windows will also lock down the student PC so that students can't access anything else while taking the test.
+ 1. Specify if you want to create a Take a Test button on the sign-in screens of students' PCs.
2. Check the options whether to allow keyboard text suggestions to appear and to allow teachers to monitor online tests.
+ 3. Enter the assessment URL.
- If you set up Take a Test, this adds a **Take a Test** button on the student PC's sign-in screen. Windows will also lock down the student PC so that students can't access anything else while taking the test.
+ You can leave the URL blank so that students can enter one later. This enables teachers to use the the Take a Test account for daily quizzes or tests by having students manually enter a URL.
**Figure 5** - Configure the Take a Test app
- 
+ 
3. Click **Next** or **Skip** depending on whether you want to set up Take a Test.
-8. In the **Add recommended apps** page, you can choose from a set of recommended Microsoft Store apps to provision. The recommended apps include the following:
+8. In the **Add recommended apps** page, you can choose from a set of recommended Microsoft Store apps to provision. The recommended apps include the following:
* **Office 365 for Windows 10 S (Education Preview)**
* Office 365 for Windows 10 S will only work on student PCs running Windows 10 S. If you try to install this app on other editions of Windows, setup will fail.
* When adding the Office 365 for Windows 10 S to a package, the device you use to run Set up School PCs does not have to be running Windows 10 S.
* **Minecraft: Education Edition** - Free trial
* Popular **STEM and Makerspace apps**
- 1. Select the apps that you would like to provision and then click **Next** when you're done.
+ 1. Select the apps that you would like to provision and then click **Next** when you're done. Apps that you provision on student PCs will be pinned to the Start menu.
2. Click **Skip** if you don't want to provision any apps.
- **Figure 6** - Select from a set of recommended Microsoft Store apps
+ **Figure 6** - Select from a set of recommended apps
- 
+ 
The set of recommended Microsoft Store for Education apps may vary from what we show here.
-9. In the **Review package summary** page, make sure that all the settings you configured appear correctly.
+9. In the **Review package summary** page, make sure that all the settings you configured appear correctly.
1. If you need to change any of the settings, you can on the sections to go back to that page and make your changes.
**Figure 7** - Review your settings and change them as needed
- 
+ 
2. Click **Accept**.
-10. In the **Insert a USB drive now** page:
+10. In the **Insert a USB drive now** page:
1. Insert a USB drive to save your settings and create a provisioning package on the USB drive.
2. Set up School PCs will automatically detect the USB drive after it's inserted. Choose the USB drive from the list.
3. Click **Save** to save the provisioning package to the USB drive.
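Review bot: The sub-steps under step 7 now run 1, 2, 3 (the new "Enter the assessment URL") followed by the unchanged "3. Click **Next** or **Skip**", so the last one should become 4. The added sentence also has a doubled word ("use the the Take a Test account"). Because the lock-down sentence moved into the step 7 intro and the URL may now be left blank, it would help to state explicitly whether the lock-down still applies when a student types the URL in manually.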
@@ -238,7 +239,7 @@ The **Set up School PCs** app guides you through the configuration choices for t

-12. Follow the instructions in the **Get the student PCs ready** page to start setting up the student PCs.
+12. Follow the instructions in the **Get the student PCs ready** page to start setting up the student PCs.
**Figure 10** - Line up the student PCs and get them ready for setup
diff --git a/education/windows/windows-editions-for-education-customers.md b/education/windows/windows-editions-for-education-customers.md
index f25dbdafb2..1b6b32c8a9 100644
--- a/education/windows/windows-editions-for-education-customers.md
+++ b/education/windows/windows-editions-for-education-customers.md
@@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: edu
-localizationpriority: high
+ms.localizationpriority: high
author: CelesteDG
ms.author: celested
---
@@ -27,7 +27,7 @@ Windows 10, version 1607 introduces two editions designed for the unique needs o
Windows 10 Pro Education builds on the commercial version of Windows 10 Pro and provides important management controls needed in schools. Windows 10 Pro Education is effectively a variant of Windows 10 Pro that provides education-specific default settings. These default settings disable tips, tricks and suggestions & Windows Store suggestions. More detailed information on these default settings is available in [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627).
-For Cortana1,
+For Cortana[1](#footnote1),
- If you're using version 1607, Cortana is removed.
- If you're using new devices with version 1703, Cortana is turned on by default.
- If you're upgrading from version 1607 to version 1703, Cortana will be enabled.
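Review bot: `[1](#footnote1)` only works if the footnote line carries a matching anchor. In the last hunk of this file the removed and added footnote lines read the same as shown here, so please confirm the new line actually defines the `footnote1` id.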
@@ -60,7 +60,7 @@ Customers who deploy Windows 10 Enterprise are able to configure the product to
For any other questions, contact [Microsoft Customer Service and Support](https://support.microsoft.com/en-us).
## Related topics
-* [Switch Windows 10 Pro to Pro Education from Windows Store for Business](windows-10-pro-to-pro-edu-upgrade.md)
+* [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md)
* [Windows deployment for education](http://aka.ms/edudeploy)
* [Windows 10 upgrade paths](https://go.microsoft.com/fwlink/?LinkId=822787)
* [Volume Activation for Windows 10](https://go.microsoft.com/fwlink/?LinkId=822788)
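Review bot: The "Windows deployment for education" entry directly below the changed link still points to `http://aka.ms/edudeploy`. Since this list is being edited anyway, switch it to https to match the other links in the list.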
@@ -69,4 +69,4 @@ For any other questions, contact [Microsoft Customer Service and Support](https:
-1 Cortana available in select markets; experience may vary by region and device.
+1 Cortana available in select markets; experience may vary by region and device.
diff --git a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md
index 20edf8efe4..567bc31c42 100644
--- a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md
+++ b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md
@@ -288,9 +288,9 @@ The XML file that is included in the Office Deployment Tool specifies the produc
Sourcepath = "\\Server\Office2016”
-
Branch (attribute of Add element)
-
Optional. Specifies the update branch for the product that you want to download or install.
For more information about update branches, see Overview of update branches for Office 365 ProPlus.
-
Branch = "Business"
+
Channel (attribute of Add element)
+
Optional. Specifies the update channel for the product that you want to download or install.
For more information about update channels, see Overview of update channels for Office 365 ProPlus.
+
Channel="Deferred"
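Review bot: The new example is written `Channel="Deferred"` with no spaces around `=`, while the `Sourcepath = ...` example just above and the removed `Branch = "Business"` use spaces; pick one form. The Sourcepath context line also closes with a typographic quote (`”`) rather than `"`, which will not parse if copied into the configuration XML, so it is worth fixing in the same pass.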
diff --git a/mdop/mbam-v2/create-or-edit-the-sms-defmof-file.md b/mdop/mbam-v2/create-or-edit-the-sms-defmof-file.md
index bfe000fee3..574338d185 100644
--- a/mdop/mbam-v2/create-or-edit-the-sms-defmof-file.md
+++ b/mdop/mbam-v2/create-or-edit-the-sms-defmof-file.md
@@ -32,8 +32,8 @@ In the following sections, complete the instructions that correspond to the vers
// Microsoft BitLocker Administration and Monitoring
//===================================================
-#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
-#pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL)
+ #pragma namespace ("\\\\.\\root\\cimv2\\SMS")
+ #pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL)
[ SMS_Report (TRUE),
SMS_Group_Name ("BitLocker Encryption Details"),
SMS_Class_ID ("MICROSOFT|BITLOCKER_DETAILS|1.0")]
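Review bot: Only the two `#pragma` lines are re-indented here, and the same two-line change repeats in every hunk of this file and of edit-the-configurationmof-file.md. If the goal is to keep `#pragma` at column 0 from rendering as a heading, fencing the whole MOF listing would be less fragile than indenting individual lines, and it keeps leading whitespace out of text that administrators paste into the MOF file.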
@@ -66,9 +66,9 @@ In the following sections, complete the instructions that correspond to the vers
[ SMS_Report (TRUE) ]
Boolean IsAutoUnlockEnabled;
};
-#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
+ #pragma namespace ("\\\\.\\root\\cimv2\\SMS")
-#pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL)
+ #pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL)
[ SMS_Report(TRUE),
SMS_Group_Name("BitLocker Policy"),
SMS_Class_ID("MICROSOFT|MBAM_POLICY|1.0")]
@@ -112,8 +112,8 @@ In the following sections, complete the instructions that correspond to the vers
};
//Read Win32_OperatingSystem.SKU WMI property in a new class - because SKU is not available before Vista.
-#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
-#pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL)
+ #pragma namespace ("\\\\.\\root\\cimv2\\SMS")
+ #pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL)
[ SMS_Report (TRUE),
SMS_Group_Name ("Operating System Ex"),
SMS_Class_ID ("MICROSOFT|OPERATING_SYSTEM_EXT|1.0") ]
@@ -126,8 +126,8 @@ In the following sections, complete the instructions that correspond to the vers
};
//Read Win32_ComputerSystem.PCSystemType WMI property in a new class - because PCSystemType is not available before Vista.
-#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
-#pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL)
+ #pragma namespace ("\\\\.\\root\\cimv2\\SMS")
+ #pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL)
[ SMS_Report (TRUE),
SMS_Group_Name ("Computer System Ex"),
SMS_Class_ID ("MICROSOFT|COMPUTER_SYSTEM_EXT|1.0") ]
@@ -194,8 +194,8 @@ In the following sections, complete the instructions that correspond to the vers
// Microsoft BitLocker Administration and Monitoring
//===================================================
-#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
-#pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL)
+ #pragma namespace ("\\\\.\\root\\cimv2\\SMS")
+ #pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL)
[ SMS_Report (TRUE),
SMS_Group_Name ("BitLocker Encryption Details"),
SMS_Class_ID ("MICROSOFT|BITLOCKER_DETAILS|1.0")]
@@ -229,8 +229,8 @@ In the following sections, complete the instructions that correspond to the vers
Boolean IsAutoUnlockEnabled;
};
-#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
-#pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL)
+ #pragma namespace ("\\\\.\\root\\cimv2\\SMS")
+ #pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL)
[ SMS_Report(TRUE),
SMS_Group_Name("BitLocker Policy"),
SMS_Class_ID("MICROSOFT|MBAM_POLICY|1.0"),
@@ -275,8 +275,8 @@ In the following sections, complete the instructions that correspond to the vers
string EncodedComputerName;
};
-#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
-#pragma deleteclass("Win32Reg_MBAMPolicy_64", NOFAIL)
+ #pragma namespace ("\\\\.\\root\\cimv2\\SMS")
+ #pragma deleteclass("Win32Reg_MBAMPolicy_64", NOFAIL)
[ SMS_Report(TRUE),
SMS_Group_Name("BitLocker Policy"),
SMS_Class_ID("MICROSOFT|MBAM_POLICY|1.0"),
@@ -322,8 +322,8 @@ In the following sections, complete the instructions that correspond to the vers
};
//Read Win32_OperatingSystem.SKU WMI property in a new class - because SKU is not available before Vista.
-#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
-#pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL)
+ #pragma namespace ("\\\\.\\root\\cimv2\\SMS")
+ #pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL)
[ SMS_Report (TRUE),
SMS_Group_Name ("Operating System Ex"),
SMS_Class_ID ("MICROSOFT|OPERATING_SYSTEM_EXT|1.0") ]
@@ -336,8 +336,8 @@ In the following sections, complete the instructions that correspond to the vers
};
//Read Win32_ComputerSystem.PCSystemType WMI property in a new class - because PCSystemType is not available before Vista.
-#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
-#pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL)
+ #pragma namespace ("\\\\.\\root\\cimv2\\SMS")
+ #pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL)
[ SMS_Report (TRUE),
SMS_Group_Name ("Computer System Ex"),
SMS_Class_ID ("MICROSOFT|COMPUTER_SYSTEM_EXT|1.0") ]
diff --git a/mdop/mbam-v2/edit-the-configurationmof-file.md b/mdop/mbam-v2/edit-the-configurationmof-file.md
index 832f226de7..bef23c5b02 100644
--- a/mdop/mbam-v2/edit-the-configurationmof-file.md
+++ b/mdop/mbam-v2/edit-the-configurationmof-file.md
@@ -42,8 +42,8 @@ If you are installing Microsoft BitLocker Administration and Monitoring (MBAM) 2
//===================================================
// Microsoft BitLocker Administration and Monitoring
//===================================================
-#pragma namespace ("\\\\.\\root\\cimv2")
-#pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL)
+ #pragma namespace ("\\\\.\\root\\cimv2")
+ #pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL)
[Union, ViewSources{"select DeviceId, BitlockerPersistentVolumeId, BitLockerManagementPersistentVolumeId, BitLockerManagementVolumeType, DriveLetter, Compliant, ReasonsForNonCompliance, KeyProtectorTypes, EncryptionMethod, ConversionStatus, ProtectionStatus, IsAutoUnlockEnabled from Mbam_Volume"}, ViewSpaces{"\\\\.\\root\\microsoft\\mbam"}, dynamic, Provider("MS_VIEW_INSTANCE_PROVIDER")]
class Win32_BitLockerEncryptionDetails
{
@@ -75,8 +75,8 @@ If you are installing Microsoft BitLocker Administration and Monitoring (MBAM) 2
Boolean IsAutoUnlockEnabled;
};
-#pragma namespace ("\\\\.\\root\\cimv2")
-#pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL)
+ #pragma namespace ("\\\\.\\root\\cimv2")
+ #pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL)
[DYNPROPS]
Class Win32Reg_MBAMPolicy
{
@@ -137,8 +137,8 @@ If you are installing Microsoft BitLocker Administration and Monitoring (MBAM) 2
EncodedComputerName;
};
-#pragma namespace ("\\\\.\\root\\cimv2")
-#pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL)
+ #pragma namespace ("\\\\.\\root\\cimv2")
+ #pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL)
[Union, ViewSources{"select Name,OperatingSystemSKU from Win32_OperatingSystem"}, ViewSpaces{"\\\\.\\root\\cimv2"},
dynamic,Provider("MS_VIEW_INSTANCE_PROVIDER")]
class CCM_OperatingSystemExtended
@@ -149,8 +149,8 @@ If you are installing Microsoft BitLocker Administration and Monitoring (MBAM) 2
uint32 SKU;
};
-#pragma namespace ("\\\\.\\root\\cimv2")
-#pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL)
+ #pragma namespace ("\\\\.\\root\\cimv2")
+ #pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL)
[Union, ViewSources{"select Name,PCSystemType from Win32_ComputerSystem"}, ViewSpaces{"\\\\.\\root\\cimv2"},
dynamic,Provider("MS_VIEW_INSTANCE_PROVIDER")]
class CCM_ComputerSystemExtended
@@ -181,8 +181,8 @@ If you are installing Microsoft BitLocker Administration and Monitoring (MBAM) 2
// Microsoft BitLocker Administration and Monitoring
//===================================================
-#pragma namespace ("\\\\.\\root\\cimv2")
-#pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL)
+ #pragma namespace ("\\\\.\\root\\cimv2")
+ #pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL)
[Union, ViewSources{"select DeviceId, BitlockerPersistentVolumeId, BitLockerManagementPersistentVolumeId, BitLockerManagementVolumeType, DriveLetter, Compliant, ReasonsForNonCompliance, KeyProtectorTypes, EncryptionMethod, ConversionStatus, ProtectionStatus, IsAutoUnlockEnabled from Mbam_Volume"}, ViewSpaces{"\\\\.\\root\\microsoft\\mbam"}, dynamic, Provider("MS_VIEW_INSTANCE_PROVIDER")]
class Win32_BitLockerEncryptionDetails
{
@@ -214,8 +214,8 @@ If you are installing Microsoft BitLocker Administration and Monitoring (MBAM) 2
Boolean IsAutoUnlockEnabled;
};
-#pragma namespace ("\\\\.\\root\\cimv2")
-#pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL)
+ #pragma namespace ("\\\\.\\root\\cimv2")
+ #pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL)
[DYNPROPS]
Class Win32Reg_MBAMPolicy
{
@@ -276,8 +276,8 @@ If you are installing Microsoft BitLocker Administration and Monitoring (MBAM) 2
EncodedComputerName;
};
-#pragma namespace ("\\\\.\\root\\cimv2")
-#pragma deleteclass("Win32Reg_MBAMPolicy_64", NOFAIL)
+ #pragma namespace ("\\\\.\\root\\cimv2")
+ #pragma deleteclass("Win32Reg_MBAMPolicy_64", NOFAIL)
[DYNPROPS]
Class Win32Reg_MBAMPolicy_64
{
@@ -338,8 +338,8 @@ If you are installing Microsoft BitLocker Administration and Monitoring (MBAM) 2
EncodedComputerName;
};
-#pragma namespace ("\\\\.\\root\\cimv2")
-#pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL)
+ #pragma namespace ("\\\\.\\root\\cimv2")
+ #pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL)
[Union, ViewSources{"select Name,OperatingSystemSKU from Win32_OperatingSystem"}, ViewSpaces{"\\\\.\\root\\cimv2"},
dynamic,Provider("MS_VIEW_INSTANCE_PROVIDER")]
class CCM_OperatingSystemExtended
@@ -350,8 +350,8 @@ If you are installing Microsoft BitLocker Administration and Monitoring (MBAM) 2
uint32 SKU;
};
-#pragma namespace ("\\\\.\\root\\cimv2")
-#pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL)
+ #pragma namespace ("\\\\.\\root\\cimv2")
+ #pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL)
[Union, ViewSources{"select Name,PCSystemType from Win32_ComputerSystem"}, ViewSpaces{"\\\\.\\root\\cimv2"},
dynamic,Provider("MS_VIEW_INSTANCE_PROVIDER")]
class CCM_ComputerSystemExtended
diff --git a/mdop/mbam-v25/high-level-architecture-of-mbam-25-with-configuration-manager-integration-topology.md b/mdop/mbam-v25/high-level-architecture-of-mbam-25-with-configuration-manager-integration-topology.md
index 78d2526dde..bb53d965cc 100644
--- a/mdop/mbam-v25/high-level-architecture-of-mbam-25-with-configuration-manager-integration-topology.md
+++ b/mdop/mbam-v25/high-level-architecture-of-mbam-25-with-configuration-manager-integration-topology.md
@@ -69,30 +69,27 @@ The following diagram and table describe the recommended high-level architecture

-Server
-Features to configure on this server
-Description
-Database Server
+### Database Server
-Recovery Database
+#### Recovery Database
This feature is configured on a computer running Windows Server and supported SQL Server instance.
The **Recovery Database** stores recovery data that is collected from MBAM Client computers.
-Audit Database
+#### Audit Database
This feature is configured on a computer running Windows Server and supported SQL Server instance.
The **Audit Database** stores audit activity data that is collected from client computers that have accessed recovery data.
-Reports
+#### Reports
This feature is configured on a computer running Windows Server and supported SQL Server instance.
The **Reports** provide recovery audit data for the client computers in your enterprise. You can view reports from the Configuration Manager console or directly from SQL Server Reporting Services.
-Configuration Manager Primary Site Server
+### Configuration Manager Primary Site Server
System Center Configuration Manager Integration feature
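Review bot: "System Center Configuration Manager Integration feature" stays as plain text under the new `### Configuration Manager Primary Site Server` heading, while the other feature names in these hunks are promoted to `####`; it should get the same heading level. With the "Server / Features to configure on this server / Description" header lines removed, the intro sentence "The following diagram and table describe" no longer matches the layout either.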
@@ -104,9 +101,9 @@ System Center Configuration Manager Integration feature
- The **Configuration Manager console** must be installed on the same computer on which you install the MBAM Server software.
-Administration and Monitoring Server
+### Administration and Monitoring Server
-Administration and Monitoring Website
+#### Administration and Monitoring Website
This feature is configured on a computer running Windows Server.
@@ -116,13 +113,13 @@ The **Administration and Monitoring Website** is used to:
- View the Recovery Audit Report, which shows recovery activity for client computers. Other reports are viewed from the Configuration Manager console.
-Self-Service Portal
+#### Self-Service Portal
This feature is configured on a computer running Windows Server.
The **Self-Service Portal** is a website that enables end users on client computers to independently log on to a website to get a recovery key if they lose or forget their BitLocker password.
-Monitoring web services for this website
+#### Monitoring web services for this website
This feature is installed on a computer running Windows Server.
@@ -133,9 +130,9 @@ The Monitoring Web Service is no longer available in Microsoft BitLocker Adminis
-Management Workstation
+### Management Workstation
-MBAM Group Policy Templates
+#### MBAM Group Policy Templates
- The **MBAM Group Policy Templates** are Group Policy settings that define implementation settings for MBAM, which enable you to manage BitLocker drive encryption.
@@ -146,9 +143,9 @@ MBAM Group Policy Templates
-MBAM Client and Configuration Manager Client computer
+### MBAM Client and Configuration Manager Client computer
-MBAM Client software
+#### MBAM Client software
The **MBAM Client**:
@@ -158,7 +155,7 @@ The **MBAM Client**:
- Collects recovery information and computer information about the client computers.
-Configuration Manager Client
+#### Configuration Manager Client
The **Configuration Manager Client** enables Configuration Manager to collect hardware compatibility data about the client computers and report compliance information.
diff --git a/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md b/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md
index 5c94f5c77b..791868131d 100644
--- a/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md
+++ b/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md
@@ -20,7 +20,7 @@ You can manage the feature settings of certain Microsoft Desktop Optimization Pa
**How to download and deploy the MDOP Group Policy templates**
-1. Download the latest [MDOP Group Policy templates](https://www.microsoft.com/en-us/download/details.aspx?id=54957)
+1. Download the latest [MDOP Group Policy templates](https://www.microsoft.com/en-us/download/details.aspx?id=55531)
2. Run the downloaded file to extract the template folders.
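Review bot: The link text in step 1 says "latest" but the URL pins a specific download id (`54957` replaced by `55531`), so it will need another edit at the next release. Either drop "latest" and name the version the id points to, or link to a landing page that does not change.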
diff --git a/microsoft-365/TOC.md b/microsoft-365/TOC.md
new file mode 100644
index 0000000000..06913f7aef
--- /dev/null
+++ b/microsoft-365/TOC.md
@@ -0,0 +1 @@
+# [Index](index.md)
\ No newline at end of file
diff --git a/microsoft-365/docfx.json b/microsoft-365/docfx.json
new file mode 100644
index 0000000000..585130e915
--- /dev/null
+++ b/microsoft-365/docfx.json
@@ -0,0 +1,37 @@
+{
+ "build": {
+ "content": [
+ {
+ "files": [
+ "**/*.md"
+ ],
+ "exclude": [
+ "**/obj/**",
+ "**/includes/**",
+ "README.md",
+ "LICENSE",
+ "LICENSE-CODE",
+ "ThirdPartyNotices"
+ ]
+ }
+ ],
+ "resource": [
+ {
+ "files": [
+ "**/*.png",
+ "**/*.jpg"
+ ],
+ "exclude": [
+ "**/obj/**",
+ "**/includes/**"
+ ]
+ }
+ ],
+ "overwrite": [],
+ "externalReference": [],
+ "globalMetadata": {},
+ "fileMetadata": {},
+ "template": [],
+ "dest": "microsoft-365"
+ }
+}
\ No newline at end of file
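Review bot: docfx.json ends without a trailing newline, as do the new TOC.md and the rewritten index.md in this change ("\ No newline at end of file"). Add one to each so later edits do not show the last line as modified.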
diff --git a/microsoft-365/index.md b/microsoft-365/index.md
index 867e2c8492..9680f85fcc 100644
--- a/microsoft-365/index.md
+++ b/microsoft-365/index.md
@@ -1 +1,68 @@
-# Placeholder
\ No newline at end of file
+---
+layout: HubPage
+hide_bc: true
+author: v-kents
+ms.author: celested
+ms.topic: hub-page
+title: Microsoft 365 Documentation
+description: Microsoft 365 is a complete, intelligent solution, including Office 365, Windows 10, and Enterprise Mobility + Security, that empowers everyone to be creative and work together, securely.
+---
+
+
+
Microsoft 365 Documentation
+
+
+
+
+
+
+
+
[Microsoft 365](https://www.microsoft.com/microsoft-365/default.aspx) is a complete, intelligent solution, including Office 365, Windows 10, and Enterprise Mobility + Security, that empowers everyone to be creative and work together, securely.
+
\ No newline at end of file
diff --git a/store-for-business/TOC.md b/store-for-business/TOC.md
index 03cd9ba0ba..0b9807c98b 100644
--- a/store-for-business/TOC.md
+++ b/store-for-business/TOC.md
@@ -21,6 +21,7 @@
### [Manage private store settings](manage-private-store-settings.md)
### [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md)
### [Manage Windows device deployment with Windows AutoPilot Deployment](add-profile-to-devices.md)
+### [Microsoft Store for Business and Education PowerShell module - preview](microsoft-store-for-business-education-powershell-module.md)
## [Device Guard signing portal](device-guard-signing-portal.md)
### [Add unsigned app to code integrity policy](add-unsigned-app-to-code-integrity-policy.md)
### [Sign code integrity policy with Device Guard signing](sign-code-integrity-policy-with-device-guard-signing.md)
@@ -29,4 +30,5 @@
### [Manage user accounts in Microsoft Store for Business and Education](manage-users-and-groups-windows-store-for-business.md)
## [Troubleshoot Microsoft Store for Business](troubleshoot-windows-store-for-business.md)
## [Notifications in Microsoft Store for Business and Education](notifications-microsoft-store-business.md)
+## [Change history for Microsoft Store for Business and Education](sfb-change-history.md)
diff --git a/store-for-business/acquire-apps-windows-store-for-business.md b/store-for-business/acquire-apps-windows-store-for-business.md
index a0af9518aa..aa700ada3e 100644
--- a/store-for-business/acquire-apps-windows-store-for-business.md
+++ b/store-for-business/acquire-apps-windows-store-for-business.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
-localizationpriority: high
+ms.localizationpriority: high
---
# Acquire apps in Microsoft Store for Business and Education
diff --git a/store-for-business/add-profile-to-devices.md b/store-for-business/add-profile-to-devices.md
index 4bc1451628..0f6cc91a16 100644
--- a/store-for-business/add-profile-to-devices.md
+++ b/store-for-business/add-profile-to-devices.md
@@ -8,7 +8,7 @@ ms.pagetype: store
author: TrudyHa
ms.author: TrudyHa
ms.date: 07/05/2107
-localizationpriority: high
+ms.localizationpriority: high
---
# Manage Windows device deployment with Windows AutoPilot Deployment
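Review bot: the context line `ms.date: 07/05/2107` in this front matter carries a year in the future, which looks like a transposition of 2017. Since this hunk already edits the same metadata block, correct the date in the same change.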
diff --git a/store-for-business/add-unsigned-app-to-code-integrity-policy.md b/store-for-business/add-unsigned-app-to-code-integrity-policy.md
index 46c453edf1..c3c6701559 100644
--- a/store-for-business/add-unsigned-app-to-code-integrity-policy.md
+++ b/store-for-business/add-unsigned-app-to-code-integrity-policy.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store, security
author: TrudyHa
-localizationpriority: high
+ms.localizationpriority: high
---
# Add unsigned app to code integrity policy
diff --git a/store-for-business/app-inventory-management-windows-store-for-business.md b/store-for-business/app-inventory-management-windows-store-for-business.md
index 379618509a..062c2dbeef 100644
--- a/store-for-business/app-inventory-management-windows-store-for-business.md
+++ b/store-for-business/app-inventory-management-windows-store-for-business.md
@@ -7,6 +7,8 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
+ms.author: TrudyHa
+ms.date: 06/29/2017
---
# App inventory management for Microsoft Store for Business and Education
@@ -165,4 +167,16 @@ You can download offline-licensed apps from your inventory. You'll need to downl
For more information about online and offline licenses, see [Apps in the Microsoft Store for Business](apps-in-windows-store-for-business.md#licensing-model).
-For more information about downloading offline-licensed apps, see [Download offline apps](distribute-offline-apps.md).
\ No newline at end of file
+For more information about downloading offline-licensed apps, see [Download offline apps](distribute-offline-apps.md).
+
+## Manage products programmatically
+
+Microsoft Store for Business and Education provides a set of Admin management APIs. If you orgranization develops scripts or tools, these APIs allow Admins to programmatically manage items in **Apps & software**. For more information, see [REST API reference for Microsoft Store for Business](https://docs.microsoft.com/windows/client-management/mdm/rest-api-reference-windows-store-for-business).
+
+You can download a preview PoweShell script that uses REST APIs. The script is available from PowerShell Gallery. You can use to the script to:
+- View items in inventory (**Apps & software**)
+- Manage licenses - assigning and removing
+- Perform bulk options using .csv files - this automates license management for customers with large numbers of licenses
+
+> [!NOTE]
+> The Microsoft Store for Business and Education Admin role is required to manage products and to use the MSStore module. This requires advanced knowledge of PowerShell.
\ No newline at end of file
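Review bot: the added "Manage products programmatically" text has three wording errors to fix before merge: "If you orgranization develops" (should read "If your organization develops"), "PoweShell", and "You can use to the script to". The third bullet says "bulk options" where the new module article in this change says "bulk operations". It would also help to link "preview PowerShell script" to the new article, microsoft-store-for-business-education-powershell-module.md, so that readers reach the Admin role requirement and install steps documented there.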
diff --git a/store-for-business/apps-in-windows-store-for-business.md b/store-for-business/apps-in-windows-store-for-business.md
index 4c037486e6..116d6a33fa 100644
--- a/store-for-business/apps-in-windows-store-for-business.md
+++ b/store-for-business/apps-in-windows-store-for-business.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
-localizationpriority: high
+ms.localizationpriority: high
---
# Apps in Microsoft Store for Business and Education
diff --git a/store-for-business/assign-apps-to-employees.md b/store-for-business/assign-apps-to-employees.md
index b2c821a77a..ff20b5bbab 100644
--- a/store-for-business/assign-apps-to-employees.md
+++ b/store-for-business/assign-apps-to-employees.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
-localizationpriority: high
+ms.localizationpriority: high
---
# Assign apps to employees
diff --git a/store-for-business/configure-mdm-provider-windows-store-for-business.md b/store-for-business/configure-mdm-provider-windows-store-for-business.md
index 455c12dea0..2074e51990 100644
--- a/store-for-business/configure-mdm-provider-windows-store-for-business.md
+++ b/store-for-business/configure-mdm-provider-windows-store-for-business.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
-localizationpriority: high
+ms.localizationpriority: high
---
# Configure an MDM provider
diff --git a/store-for-business/device-guard-signing-portal.md b/store-for-business/device-guard-signing-portal.md
index 4365cacfe3..f2fdf4a8d4 100644
--- a/store-for-business/device-guard-signing-portal.md
+++ b/store-for-business/device-guard-signing-portal.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store, security
author: TrudyHa
-localizationpriority: high
+ms.localizationpriority: high
---
# Device Guard signing
diff --git a/store-for-business/distribute-apps-from-your-private-store.md b/store-for-business/distribute-apps-from-your-private-store.md
index f93a4ac288..1b56b97f4b 100644
--- a/store-for-business/distribute-apps-from-your-private-store.md
+++ b/store-for-business/distribute-apps-from-your-private-store.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
-localizationpriority: high
+ms.localizationpriority: high
---
# Distribute apps using your private store
diff --git a/store-for-business/distribute-apps-to-your-employees-windows-store-for-business.md b/store-for-business/distribute-apps-to-your-employees-windows-store-for-business.md
index 21a610dc18..dc3de6e6a7 100644
--- a/store-for-business/distribute-apps-to-your-employees-windows-store-for-business.md
+++ b/store-for-business/distribute-apps-to-your-employees-windows-store-for-business.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
-localizationpriority: high
+ms.localizationpriority: high
---
# Distribute apps to your employees from Microsoft Store for Business and Education
diff --git a/store-for-business/distribute-apps-with-management-tool.md b/store-for-business/distribute-apps-with-management-tool.md
index befde0855e..557c355557 100644
--- a/store-for-business/distribute-apps-with-management-tool.md
+++ b/store-for-business/distribute-apps-with-management-tool.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
-localizationpriority: high
+ms.localizationpriority: high
---
# Distribute apps with a management tool
diff --git a/store-for-business/distribute-offline-apps.md b/store-for-business/distribute-offline-apps.md
index 72078b74da..1d3c0b70b4 100644
--- a/store-for-business/distribute-offline-apps.md
+++ b/store-for-business/distribute-offline-apps.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
-localizationpriority: high
+ms.localizationpriority: high
---
# Distribute offline apps
diff --git a/store-for-business/find-and-acquire-apps-overview.md b/store-for-business/find-and-acquire-apps-overview.md
index fd460d3479..2a4a9e8fba 100644
--- a/store-for-business/find-and-acquire-apps-overview.md
+++ b/store-for-business/find-and-acquire-apps-overview.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
-localizationpriority: high
+ms.localizationpriority: high
---
# Find and acquire apps
diff --git a/store-for-business/images/lob-sku.png b/store-for-business/images/lob-sku.png
new file mode 100644
index 0000000000..8637fd3f3d
Binary files /dev/null and b/store-for-business/images/lob-sku.png differ
diff --git a/store-for-business/index.md b/store-for-business/index.md
index f8fca9deb1..47bb90b981 100644
--- a/store-for-business/index.md
+++ b/store-for-business/index.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
-localizationpriority: high
+ms.localizationpriority: high
---
# Microsoft Store for Business and Education
diff --git a/store-for-business/manage-apps-windows-store-for-business-overview.md b/store-for-business/manage-apps-windows-store-for-business-overview.md
index f88cdcd26a..e5c6524871 100644
--- a/store-for-business/manage-apps-windows-store-for-business-overview.md
+++ b/store-for-business/manage-apps-windows-store-for-business-overview.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
-localizationpriority: high
+ms.localizationpriority: high
---
# Manage apps in Microsoft Store for Business and Education
diff --git a/store-for-business/manage-orders-windows-store-for-business.md b/store-for-business/manage-orders-windows-store-for-business.md
index eb5218d9ec..08da797130 100644
--- a/store-for-business/manage-orders-windows-store-for-business.md
+++ b/store-for-business/manage-orders-windows-store-for-business.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
-localizationpriority: high
+ms.localizationpriority: high
---
# Manage app orders in Microsoft Store for Business and Education
diff --git a/store-for-business/manage-private-store-settings.md b/store-for-business/manage-private-store-settings.md
index 470e99fbed..af833aefb3 100644
--- a/store-for-business/manage-private-store-settings.md
+++ b/store-for-business/manage-private-store-settings.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
-localizationpriority: high
+ms.localizationpriority: high
---
# Manage private store settings
diff --git a/store-for-business/manage-settings-windows-store-for-business.md b/store-for-business/manage-settings-windows-store-for-business.md
index 906f3174a0..f9592cd92e 100644
--- a/store-for-business/manage-settings-windows-store-for-business.md
+++ b/store-for-business/manage-settings-windows-store-for-business.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
-localizationpriority: high
+ms.localizationpriority: high
---
# Manage settings for Microsoft Store for Business and Education
diff --git a/store-for-business/manage-users-and-groups-windows-store-for-business.md b/store-for-business/manage-users-and-groups-windows-store-for-business.md
index f2cc141ca7..eb0834b8b6 100644
--- a/store-for-business/manage-users-and-groups-windows-store-for-business.md
+++ b/store-for-business/manage-users-and-groups-windows-store-for-business.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
-localizationpriority: high
+ms.localizationpriority: high
---
# Manage user accounts in Microsoft Store for Business and Education
diff --git a/store-for-business/microsoft-store-for-business-education-powershell-module.md b/store-for-business/microsoft-store-for-business-education-powershell-module.md
new file mode 100644
index 0000000000..b36cf701fa
--- /dev/null
+++ b/store-for-business/microsoft-store-for-business-education-powershell-module.md
@@ -0,0 +1,155 @@
+---
+title: Microsoft Store for Business and Education PowerShell module - preview
+description: Preview version of PowerShell module
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: store
+author: TrudyHa
+localizationpriority: high
+ms.author:
+ms.date:
+---
+
+# Microsoft Store for Business and Education PowerShell module - preview
+
+**Applies to**
+- Windows 10
+
+Microsoft Store for Business and Education PowerShell module (preview) is now available on [PowerShell Gallery](https://go.microsoft.com/fwlink/?linkid=853459).
+
+> [!NOTE]
+> This is a preview and not intended for production environments. For production environments, continue to use **Microsoft Store for Business and Education** or your MDM tool to manage licenses. The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.
+
+You can use the PowerShell module to:
+- View items you've purchased - shown in **Apps & software**
+- Manage licenses - assigning and removing
+- Perform bulk operations with .csv files - automates license management for customers with larger numbers of licenses
+
+>[!NOTE]
+>Assigning apps to groups is not supported via this module. Instead, we recommend leveraging the Azure Active Directory Or MSOnline Modules to save members of a group to a CSV file and follow instructions below on how to use CSV file to manage assignments.
+
+## Requirements
+To use the Microsoft Store for Business and Education PowerShell module, you'll need:
+- Administrator permission for the device
+- Admin role for Microsoft Store for Business and Education
+
+
+## Get started with Microsoft Store for Business and Education PowerShell module
+All of the **Microsoft Store for Business and Education** PowerShell cmdlets follow the *Verb*-MSStore*Noun* pattern to clearly indicate that they work with **Microsoft Store for Business and Education** PowerShell module. You will need to install the module on your Windows 10 device once and then import it into each PowerShell session you start.
+
+## Install Microsoft Store for Business and Education PowerShell module
+> [!NOTE]
+> Installing **Microsoft Store for Business and Education** PowerShell model using **PowerShellGet** requires [Windows Management Framework 5.0](http://www.microsoft.com/download/details.aspx?id=48729). The framework is included with Windows 10 by default).
+
+To install **Microsoft Store for Business and Education PowerShell** with PowerShellGet, run this command:
+
+```powershell
+# Install the Microsoft Store for Business and Education PowerShell module from PowerShell Gallery
+
+Install-Module -Name MSStore
+
+```
+
+## Import MIcrosoft Store for Business and Education PowerShell module into the PowerShell session
+Once you install the module on your Windows 10 device, you will need to then import it into each PowerShell session you start.
+
+```powershell
+# Import the MSStore module into this session
+
+Import-Module -Name MSStore
+
+```
+
+Next, authorize the module to call **Microsoft Store for Business and Education** on your behalf. This step is required once, per user of the PowerShell module.
+
+To authorize the PowerShell module, run this command. You'll need to sign-in with your work or school account, and authorize the module to access your tenant.
+
+```powershell
+# Grant MSStore Access to your Microsoft Store for Business and Education
+
+Grant-MSStoreClientAppAccess
+
+```
+You will be promted to sign in with your work or school account and then to authorize the PowerShell Module to access your **Microsoft Store for Business and Education** account. Once the module has been imported into the current PowerShell session and authorized to call into your **Microsoft Store for Business and Education** account, Azure PowerShell cmdlets are loaded and ready to be used.
+
+## View items in Products and Services
+Service management should encounter no breaking changes as a result of the separation of Azure Service Management and **Microsoft Store for Business and Education PowerShell** preview.
+
+```powershell
+# View items in inventory (Apps & software)
+
+Get-MSStoreInventory
+
+```
+
+>[!TIP]
+>**Get-MSStoreInventory** won't return the product name for line-of-business apps. To get the product ID and SKU for a line-of-business app:
+>
+>1. Sign in to [Microsoft Store for Business](https://go.microsoft.com/fwlink/p/?LinkId=691845) or [Microsoft Store for Education](https://businessstore.microsoft.com/).
+>2. Click **Manage** and then choose **Apps & software**.
+>3. Click the line-of-business app. The URL of the page will contain the product ID and SKU as part of the URL. For example:
+>
+
+## View people assigned to a product
+Most items in **Products and Services** in **Microsoft Store for Business and Education** need to be assigned to people in your org. You can view the people in your org assigned to a specific product by using these commands:
+
+```powershell
+# View products assigned to people
+
+Get-MSStoreSeatAssignments -ProductId 9NBLGGH4R2R6 -SkuId 0016
+
+```
+
+> [!Important]
+> Microsoft Store for Business and Education identifies Minecraft: Education Edition license types using a combination of Product ID and SKU ID. To manage license assignments for your Minecraft: Education Edition, you need to specify Product and SKU IDs for the licenses you want to manage in the cmdlet. The following table lists the Product and SKU IDs.
+
+
+| License Type | Product ID | SKU ID |
+| ------------ | -----------| -------|
+| Purchased through Microsoft Store for Business and Education with a credit card | CFQ7TTC0K5DR | 0001 |
+| Purchased through Microsoft Store for Business and Education with an invoice | CFQ7TTC0K5DR | 0004 |
+| Purchased through Microsoft Volume Licensing Agreement | CFQ7TTC0K5DR | 0002 |
+| Acquired through Windows 10 device promotion | CFQ7TTC0K5DR | 0005 |
+
+## Assign or reclaim products
+Once you have enumerated items in **Products and Service**, you can assign or reclaim licenses to and from people in your org.
+
+These commands assign a product to a user and then reclaim it.
+
+```powershell
+# Assign Product (Product ID and SKU ID combination) to a User (user@host.com)
+
+Add-MSStoreSeatAssignment -ProductId 9NBLGGH4R2R6 -SkuId 0016 -Username 'user@myorganization.onmicrosoft.com'
+
+# Reclaim a product (Product ID and SKU ID combination) from a User (user@host.com)
+
+Remove-MSStoreSeatAssignment -ProductId 9NBLGGH4R2R6 -SkuId 0016 -Username 'user@myorganization.onmicrosoft.com'
+
+```
+
+## Assign or reclaim a product with a .csv file
+You can also use the PowerShell module to perform bulk operations on items in **Product and Services**. You'll need a .CSV file with at least one column for “Principal Names” (for example, user@host.com). You can create such a CSV using the AzureAD PowerShell Module.
+
+**To assign or reclaim seats in bulk:**
+
+```powershell
+# Assign Product (Product ID and SKU ID combination) to a User (user@host.com)
+
+Add-MSStoreSeatAssignments -ProductId 9NBLGGH4R2R6 -SkuId 0016 -PathToCsv C:\People.csv -ColumnName UserPrincipalName
+
+# Reclaim a product (Product ID and SKU ID combination) from a User (user@host.com)
+
+Remove-MSStoreSeatAssignments -ProductId 9NBLGGH4R2R6 -SkuId 0016 -PathToCsv C:\People.csv -ColumnName UserPrincipalName
+
+```
+
+## Uninstall Microsoft Store for Business and Education PowerShell module
+You can remove **Microsoft Store for Business and Education PowerShell** from your computer by running the following PowerShell Command.
+
+```powershell
+# Uninstall the MSStore Module
+
+Get-InstalledModule -Name "MSStore" -RequiredVersion 1.0 | Uninstall-Module
+
+```
\ No newline at end of file
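Review bot: the front matter of this new file still uses `localizationpriority: high`, the key that every other file in this change renames to `ms.localizationpriority`, and it leaves `ms.author:` and `ms.date:` empty; rename the key and fill in both values. In the body, "Azure PowerShell cmdlets are loaded and ready to be used" and the sentence under "View items in Products and Services" about the separation of Azure Service Management do not describe the MSStore module and read as carried over from another article; replace them with text about `Get-MSStoreInventory`. The authorization step says the module is authorized "to access your tenant" without stating what access `Grant-MSStoreClientAppAccess` confers or how to withdraw it, which an admin needs to know before consenting. Step 3 of the tip ends with "For example:" and no example follows. Typos to fix: "PowerShell model", the unmatched ")" after "by default", "MIcrosoft", "promted", and "Products and Service" / "Product and Services" against the "Products and Services" heading. The comments in the bulk example still say "to a User (user@host.com)" although those commands operate on a CSV of users.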
diff --git a/store-for-business/notifications-microsoft-store-business.md b/store-for-business/notifications-microsoft-store-business.md
index cb657a21ef..0d541ce0d6 100644
--- a/store-for-business/notifications-microsoft-store-business.md
+++ b/store-for-business/notifications-microsoft-store-business.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
-localizationpriority: high
+ms.localizationpriority: high
---
# Notifications in Microsoft Store for Business and Education
diff --git a/store-for-business/prerequisites-windows-store-for-business.md b/store-for-business/prerequisites-windows-store-for-business.md
index c76035ac35..a07a501b9e 100644
--- a/store-for-business/prerequisites-windows-store-for-business.md
+++ b/store-for-business/prerequisites-windows-store-for-business.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
-localizationpriority: high
+ms.localizationpriority: high
---
# Prerequisites for Microsoft Store for Business and Education
diff --git a/store-for-business/roles-and-permissions-windows-store-for-business.md b/store-for-business/roles-and-permissions-windows-store-for-business.md
index 7a3cd37936..8b3a7e74a3 100644
--- a/store-for-business/roles-and-permissions-windows-store-for-business.md
+++ b/store-for-business/roles-and-permissions-windows-store-for-business.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
-localizationpriority: high
+ms.localizationpriority: high
---
# Roles and permissions in Microsoft Store for Business and Education
diff --git a/store-for-business/settings-reference-windows-store-for-business.md b/store-for-business/settings-reference-windows-store-for-business.md
index 08ce28a32e..09fbf09a41 100644
--- a/store-for-business/settings-reference-windows-store-for-business.md
+++ b/store-for-business/settings-reference-windows-store-for-business.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
-localizationpriority: high
+ms.localizationpriority: high
---
# Settings reference: Microsoft Store for Business and Education
diff --git a/store-for-business/sfb-change-history.md b/store-for-business/sfb-change-history.md
index 668514a725..ed0904b3ee 100644
--- a/store-for-business/sfb-change-history.md
+++ b/store-for-business/sfb-change-history.md
@@ -8,7 +8,7 @@ ms.pagetype: store
author: TrudyHa
ms.author: TrudyHa
ms.date: 07/12/2107
-localizationpriority: high
+ms.localizationpriority: high
---
# Change history for Microsoft Store for Business and Microsoft Store for Education
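Review bot: the context line `ms.date: 07/12/2107` in this front matter has the same future-year date as add-profile-to-devices.md and looks like a transposition of 2017. Fix it alongside the `ms.localizationpriority` rename, since this change also adds a July 2017 section to the file.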
@@ -18,9 +18,17 @@ localizationpriority: high
- Windows 10
- Windows 10 Mobile
+## July 2017
+
+| New or changed topic | Description |
+| --- | --- |
+| [Microsoft Store for Business and Education PowerShell module - preview](microsoft-store-for-business-education-powershell-module.md) | New |
+
+
## June 2017
| New or changed topic | Description |
| -------------------- | ----------- |
+| [Notifications in Microsoft Store for Business and Education](notifications-microsoft-store-business.md) | New. Information about notification model in Microsoft Store for Business and Education. |
| [Get Minecraft: Education Edition with Windows 10 device promotion](https://docs.microsoft.com/education/windows/get-minecraft-device-promotion) | New. Information about redeeming Minecraft: Education Edition licenses with qualifying purchases of Windows 10 devices. |
| [Microsoft Store for Business and Education overview - supported markets](https://docs.microsoft.com/en-us/microsoft-store/windows-store-for-business-overview#supported-markets) | Updates for added market support. |
@@ -29,6 +37,7 @@ localizationpriority: high
| New or changed topic | Description |
| -------------------- | ----------- |
| [Manage Windows device deployment with Windows AutoPilot Deployment](add-profile-to-devices.md) | New. Information about Windows AutoPilot Deployment Program and how it is used in Microsoft Store for Business and Education. |
+| [Microsoft Store for Business and Education overview - supported markets](https://docs.microsoft.com/en-us/microsoft-store/windows-store-for-business-overview#supported-markets) | Updates for added market support. |
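Review bot: the row added here for "Microsoft Store for Business and Education overview - supported markets" is identical to the row already present in the June 2017 table, so the same entry now appears under two months. If the markets list was updated in both months, say what changed in each description; otherwise drop one of the two rows.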
diff --git a/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md b/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md
index 28adabcee9..09775ac8fe 100644
--- a/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md
+++ b/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store, security
author: TrudyHa
-localizationpriority: high
+ms.localizationpriority: high
---
# Sign code integrity policy with Device Guard signing
diff --git a/store-for-business/sign-up-windows-store-for-business-overview.md b/store-for-business/sign-up-windows-store-for-business-overview.md
index 8b61671bfe..496e92c40e 100644
--- a/store-for-business/sign-up-windows-store-for-business-overview.md
+++ b/store-for-business/sign-up-windows-store-for-business-overview.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
-localizationpriority: high
+ms.localizationpriority: high
---
# Sign up and get started
diff --git a/store-for-business/sign-up-windows-store-for-business.md b/store-for-business/sign-up-windows-store-for-business.md
index f716149cbc..cd3f6bd322 100644
--- a/store-for-business/sign-up-windows-store-for-business.md
+++ b/store-for-business/sign-up-windows-store-for-business.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
-localizationpriority: high
+ms.localizationpriority: high
---
# Sign up for Microsoft Store for Business or Microsoft Store for Education
diff --git a/store-for-business/troubleshoot-windows-store-for-business.md b/store-for-business/troubleshoot-windows-store-for-business.md
index b12f94afae..2443391b42 100644
--- a/store-for-business/troubleshoot-windows-store-for-business.md
+++ b/store-for-business/troubleshoot-windows-store-for-business.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
-localizationpriority: high
+ms.localizationpriority: high
---
# Troubleshoot Microsoft Store for Business
diff --git a/store-for-business/update-windows-store-for-business-account-settings.md b/store-for-business/update-windows-store-for-business-account-settings.md
index f559f6b1b4..f88eec0840 100644
--- a/store-for-business/update-windows-store-for-business-account-settings.md
+++ b/store-for-business/update-windows-store-for-business-account-settings.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
-localizationpriority: high
+ms.localizationpriority: high
---
# Update Microsoft Store for Business and Microsoft Store for Education account settings
@@ -56,6 +56,7 @@ Taxes for Microsoft Store for Business purchases are determined by your business
- Lithuania
- Luxembourg
- Malta
+- Monaco
- Netherlands
- Norway
- Poland
@@ -75,7 +76,9 @@ These countries can provide their VAT number or local equivalent in **Payments &
| Australia | ABN (optional) |
| Brazil | CNPJ (required) |
| India | GSTIN (optional), PAN ID (required) |
+| Isle of Man | VAT ID (optional) |
| New Zealand | GST Registration number (optional) |
+| Monaco | VAT ID (optional) |
| Taiwan | VAT ID (optional) |
### Tax-exempt status
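Review bot: the new `| Monaco | VAT ID (optional) |` row is inserted after New Zealand, which breaks the alphabetical order the table otherwise follows (Australia, Brazil, India, Isle of Man, New Zealand, Taiwan). Move the Monaco row above New Zealand.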
diff --git a/store-for-business/windows-store-for-business-overview.md b/store-for-business/windows-store-for-business-overview.md
index 7dcb8615a4..0ec624a13e 100644
--- a/store-for-business/windows-store-for-business-overview.md
+++ b/store-for-business/windows-store-for-business-overview.md
@@ -7,7 +7,7 @@ ms.pagetype: store, mobile
ms.mktglfcycl: manage
ms.sitesec: library
author: TrudyHa
-localizationpriority: high
+ms.localizationpriority: high
---
# Microsoft Store for Business and Microsoft Store for Education overview
@@ -157,16 +157,20 @@ For more information, see [Manage settings in the Store for Business](manage-set
Microsoft Store for Business and Education is currently available in these markets.
-### Support for free and paid apps
+### Support for free and paid products
-
Support for free and paid apps
+
Supports all free and paid products
+
Afghanistan
Algeria
+
Andorra
Angola
+
Anguilla
+
Antigua and Barbuda
Argentina
Australia
Austria
@@ -177,41 +181,48 @@ Microsoft Store for Business and Education is currently available in these marke
Belgium
Belize
Bermuda
+
Benin
Bhutan
Bolivia
+
Bonaire
Botswana
Brunei Darussalam
Bulgaria
+
Burundi
Cambodia
Cameroon
Canada
-
Republic of Cabo Verde
Cayman Islands
Chile
Colombia
+
Comoros
Costa Rica
Côte D'ivoire
Croatia
Curçao
Cyprus
-
-
-
-
Czech Republic
Denmark
Dominican Republic
Ecuador
+
+
+
+
Egypt
El Salvador
Estonia
+
Ethiopia
Faroe Islands
Fiji
Finland
France
+
French Guiana
+
French Polynesia
Germany
Ghana
Greece
+
Greenland
Guadeloupe
Guatemala
Honduras
@@ -225,29 +236,42 @@ Microsoft Store for Business and Education is currently available in these marke
Italy
Jamaica
Japan
+
Jersey
Jordan
-
Kenya
-
-
-
-
+
Kenya
Kuwait
+
Laos
Latvia
Lebanon
Libya
Liechtenstein
Lithuania
Luxembourg
+
Macedonia
+
Madagascar
+
+
+
+
+
Malawi
Malaysia
+
Maldives
+
Mali
Malta
+
Marshall Islands
+
Martinique
Mauritius
+
Mayotte
Mexico
Mongolia
Montenegro
Morocco
Mozambique
+
Myanamar
Namibia
+
Nepal
Netherlands
+
New Caledonia
New Zealand
Nicaragua
Nigeria
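Review bot: the market entry added in this hunk is spelled "Myanamar"; it should read "Myanmar". While the table is being reflowed, check the other entries that moved for duplicates, since Kenya is removed from one cell and re-added in another in this same hunk.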
@@ -256,48 +280,60 @@ Microsoft Store for Business and Education is currently available in these marke
Pakistan
Palestinian Authority
Panama
+
Papua New Guinea
Paraguay
Peru
Philippines
-
Poland
+
Poland
+
Portugal
+
Puerto Rico
+
Qatar
+
Republic of Cabo Verde
+
Reunion
+
Romania
+
Rwanda
+
Saint Kitts and Nevis
-
Portugal
-
Puerto Rico
-
Qatar
-
Romania
-
Rwanda
-
Saint Kitts and Nevis
+
Saint Lucia
+
Saint Martin
+
Saint Vincent and the Grenadines
+
San marino
Saudi Arabia
Senegal
Serbia
+
Seychelles
Singapore
+
Sint Maarten
Slovakia
Slovenia
South Africa
Spain
+
Sri Lanka
+
Suriname
Sweden
Switzerland
Tanzania
Thailand
+
Timor-Leste
+
Togo
+
Tonga
Trinidad and Tobago
Tunisia
Turkey
+
Turks and Caicos Islands
Uganda
United Arab Emirates
United Kingdom
-
United States
-
-
-
-
+
United States
Uruguay
+
Vatican City
Viet Nam
Virgin Islands, U.S.
Zambia
-
Zimbabwe
+
Zimbabwe
@@ -317,8 +353,10 @@ Customers in these markets can use Microsoft Store for Business and Education to
- Brazil
- Georgia
- India
+- Isle of Man
- Kazakhstan
- Korea
+- Monaco
- Republic of Moldova
- Taiwan
- Tajikistan
diff --git a/store-for-business/working-with-line-of-business-apps.md b/store-for-business/working-with-line-of-business-apps.md
index ca39d9903b..1c683c1be0 100644
--- a/store-for-business/working-with-line-of-business-apps.md
+++ b/store-for-business/working-with-line-of-business-apps.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
-localizationpriority: high
+ms.localizationpriority: high
---
# Working with line-of-business apps
diff --git a/windows/access-protection/access-control/access-control.md b/windows/access-protection/access-control/access-control.md
index 006ffb29ab..018b69744e 100644
--- a/windows/access-protection/access-control/access-control.md
+++ b/windows/access-protection/access-control/access-control.md
@@ -114,7 +114,7 @@ User rights grant specific privileges and sign-in rights to users and groups in
User rights are different from permissions because user rights apply to user accounts, and permissions are associated with objects. Although user rights can apply to individual user accounts, user rights are best administered on a group account basis. There is no support in the access control user interface to grant user rights. However, user rights assignment can be administered through **Local Security Settings**.
-For more information about user rights, see [User Rights Assignment](/windows/device-security/security-policy-settings/access-user-rights-assignment).
+For more information about user rights, see [User Rights Assignment](/windows/device-security/security-policy-settings/user-rights-assignment).
## Object auditing
diff --git a/windows/access-protection/configure-s-mime.md b/windows/access-protection/configure-s-mime.md
index 61abd34c67..d2b4456dc9 100644
--- a/windows/access-protection/configure-s-mime.md
+++ b/windows/access-protection/configure-s-mime.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
diff --git a/windows/access-protection/credential-guard/additional-mitigations.md b/windows/access-protection/credential-guard/additional-mitigations.md
index 706bdef10b..fe6a8ad882 100644
--- a/windows/access-protection/credential-guard/additional-mitigations.md
+++ b/windows/access-protection/credential-guard/additional-mitigations.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
author: brianlic-msft
---
diff --git a/windows/access-protection/credential-guard/credential-guard-considerations.md b/windows/access-protection/credential-guard/credential-guard-considerations.md
index 1663325a24..482e4b2c85 100644
--- a/windows/access-protection/credential-guard/credential-guard-considerations.md
+++ b/windows/access-protection/credential-guard/credential-guard-considerations.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
author: brianlic-msft
---
diff --git a/windows/access-protection/credential-guard/credential-guard-how-it-works.md b/windows/access-protection/credential-guard/credential-guard-how-it-works.md
index da731369ea..45c936d341 100644
--- a/windows/access-protection/credential-guard/credential-guard-how-it-works.md
+++ b/windows/access-protection/credential-guard/credential-guard-how-it-works.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
author: brianlic-msft
---
diff --git a/windows/access-protection/credential-guard/credential-guard-known-issues.md b/windows/access-protection/credential-guard/credential-guard-known-issues.md
index d3b2ea0fff..2241fb465d 100644
--- a/windows/access-protection/credential-guard/credential-guard-known-issues.md
+++ b/windows/access-protection/credential-guard/credential-guard-known-issues.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
author: brianlic-msft
---
@@ -15,14 +15,32 @@ author: brianlic-msft
- Windows 10
- Windows Server 2016
-Credential Guard has certain application requirements. Credential Guard blocks specific authentication capabilities. Therefore applications that require such capabilities will not function when Credential Guard is enabled. For further information, see [Application requirements](https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements).
+Credential Guard has certain application requirements. Credential Guard blocks specific authentication capabilities. Therefore applications that require such capabilities will not function when Credential Guard is enabled. For further information, see [Application requirements](https://docs.microsoft.com/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements).
-The following known issue has been fixed by servicing releases made available in the Cumulative Security Updates for April 2017:
+The following known issues have been fixed by servicing releases made available in the Cumulative Security Updates for April 2017:
-- [KB4015217 Credential Guard generates double bad password count on Active Directory domain-joined Windows 10 machines](https://support.microsoft.com/en-us/help/4015217/windows-10-update-kb4015217)
+- [KB4015217 Credential Guard generates double bad password count on Active Directory domain-joined Windows 10 machines](https://support.microsoft.com/help/4015217/windows-10-update-kb4015217)
+
+ This issue can potentially lead to unexpected account lockouts. See also Microsoft® Knowledge Base articles [KB4015219](https://support.microsoft.com/help/4015219/windows-10-update-kb4015219) and [KB4015221](https://support.microsoft.com/help/4015221/windows-10-update-kb4015221)
+
+
+- [KB4033236 Two incorrect logon attempts sent to Active Directory after Credential Guard installed on Windows 10](https://support.microsoft.com/help/4033236/two-incorrect-logon-attempts-sent-to-active-directory-after-credential?preview)
+
+ This issue can potentially lead to unexpected account lockouts. The issue was fixed in servicing updates for each of the following operating systems:
+
+ - Windows 10 Version 1607 and Windows Server 2016:
+ [KB4015217 (OS Build 14393.1066 and 14393.1083)](https://support.microsoft.com/help/4015217)
+ - Windows 10 Version 1511: [KB4015219 (OS Build 10586.873)](https://support.microsoft.com/help/4015219)
+ - Windows 10 Version 1507: [KB4015221 (OS Build 10240.17354)](https://support.microsoft.com/help/4015221)
+
+## Known issues involving third-party applications
+
+The following issue affects the Java GSS API. See the following Oracle bug database article:
+
+- [JDK-8161921: Windows 10 Credential Guard does not allow sharing of TGT with Java](http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8161921)
+
+When Credential Guard is enabled on Windows 10, the Java GSS API will not authenticate. This is expected behavior because Credential Guard blocks specific application authentication capabilities and will not provide the TGT session key to applications regardless of registry key settings. For further information see [Application requirements](https://docs.microsoft.com/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements).
- This issue can potentially lead to unexpected account lockouts. See also Microsoft® Knowledge Base articles [KB4015219](https://support.microsoft.com/en-us/help/4015219/windows-10-update-kb4015219) and
-[KB4015221](https://support.microsoft.com/en-us/help/4015221/windows-10-update-kb4015221)
The following issue affects Cisco AnyConnect Secure Mobility Client:
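Review bot: The new KB4033236 link ends in a "?preview" query string, which looks like a leftover from a draft view of the article; drop it so the link matches the other support.microsoft.com/help URLs in this hunk. Two smaller points in the same added block: the re-added sentence ending in the KB4015221 link has no closing period, and the JDK-8161921 link uses http:// where an https:// link would be preferable if the bug database serves it.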
@@ -43,7 +61,7 @@ The following issue affects Citrix applications:
[1] Products that connect to Virtualization Based Security (VBS) protected processes can cause Credential Guard-enabled Windows 10 or Windows Server 2016 machines to exhibit high CPU usage. For technical and troubleshooting information, see the following Microsoft Knowledge Base article:
-- [KB4032786 High CPU usage in the LSAISO process on Windows 10 or Windows Server 2016](https://support.microsoft.com/en-us/help/4032786)
+- [KB4032786 High CPU usage in the LSAISO process on Windows 10 or Windows Server 2016](https://support.microsoft.com/help/4032786)
For further technical information on LSAISO.exe, see the MSDN article: [Isolated User Mode (IUM) Processes](https://msdn.microsoft.com/library/windows/desktop/mt809132(v=vs.85).aspx)
diff --git a/windows/access-protection/credential-guard/credential-guard-manage.md b/windows/access-protection/credential-guard/credential-guard-manage.md
index ee41c90cff..67a4d93402 100644
--- a/windows/access-protection/credential-guard/credential-guard-manage.md
+++ b/windows/access-protection/credential-guard/credential-guard-manage.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
author: brianlic-msft
---
diff --git a/windows/access-protection/credential-guard/credential-guard-not-protected-scenarios.md b/windows/access-protection/credential-guard/credential-guard-not-protected-scenarios.md
index bce8580dfb..3d3e584993 100644
--- a/windows/access-protection/credential-guard/credential-guard-not-protected-scenarios.md
+++ b/windows/access-protection/credential-guard/credential-guard-not-protected-scenarios.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
author: brianlic-msft
---
diff --git a/windows/access-protection/credential-guard/credential-guard-protection-limits.md b/windows/access-protection/credential-guard/credential-guard-protection-limits.md
index f159c931c3..5cdc85cd2c 100644
--- a/windows/access-protection/credential-guard/credential-guard-protection-limits.md
+++ b/windows/access-protection/credential-guard/credential-guard-protection-limits.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
author: brianlic-msft
---
diff --git a/windows/access-protection/credential-guard/credential-guard-requirements.md b/windows/access-protection/credential-guard/credential-guard-requirements.md
index 0053b52421..789d0e690d 100644
--- a/windows/access-protection/credential-guard/credential-guard-requirements.md
+++ b/windows/access-protection/credential-guard/credential-guard-requirements.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
author: brianlic-msft
---
@@ -22,10 +22,9 @@ in the Deep Dive into Credential Guard video series.
For Credential Guard to provide protections, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally, Credential Guard blocks specific authentication capabilities, so applications that require such capabilities will break. We will refer to this as [Application requirements](#application-requirements). Beyond that, computers can meet additional hardware and firmware qualifications, and receive additional protections. Those computers will be more hardened against certain threats. For detailed information on baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017, refer to the tables in [Security Considerations](#security-considerations).
-
## Hardware and software requirements
-To provide basic protection against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Credential Guard uses:
+To provide basic protections against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Credential Guard uses:
- Support for Virtualization-based security (required)
- Secure boot (required)
- TPM 2.0 either discrete or firmware (preferred - provides binding to hardware)
@@ -75,25 +74,26 @@ The following tables describe baseline protections, plus protections for improve
### Baseline protections
-|Baseline Protections | Description |
-|---------------------------------------------|----------------------------------------------------|
+|Baseline Protections | Description | Security benefits
+|---|---|---|
| Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. |
-| Hardware: **CPU virtualization extensions**, plus **extended page tables** | **Requirements**: These hardware features are required for VBS: One of the following virtualization extensions: • VT-x (Intel) or • AMD-V And: • Extended page tables, also called Second Level Address Translation (SLAT).
**Security benefits**: VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation. |
-| Hardware: **Trusted Platform Module (TPM)** | **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware. [TPM recommendations](https://technet.microsoft.com/itpro/windows/keep-secure/tpm-recommendations)
**Security benefits**: A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. |
-| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)
**Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
-| Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).
**Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
-| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise
Important: Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.
**Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. |
+| Hardware: **CPU virtualization extensions**, plus **extended page tables** | **Requirements**: These hardware features are required for VBS: One of the following virtualization extensions: • VT-x (Intel) or • AMD-V And: • Extended page tables, also called Second Level Address Translation (SLAT). | VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation. |
+| Hardware: **Trusted Platform Module (TPM)** | **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware. [TPM recommendations](https://technet.microsoft.com/itpro/windows/keep-secure/tpm-recommendations) | A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. |
+| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)| UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
+| Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).| UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
+| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise
Important: Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.
|Support for VBS and for management features that simplify configuration of Credential Guard. |
> [!IMPORTANT]
> The following tables list additional qualifications for improved security. We strongly recommend meeting the additional qualifications to significantly strengthen the level of security that Credential Guard can provide.
+
### 2015 Additional security qualifications starting with Windows 10, version 1507, and Windows Server 2016 Technical Preview 4
| Protections for Improved Security | Description |
|---------------------------------------------|----------------------------------------------------|
-| Hardware: **IOMMU** (input/output memory management unit) | **Requirement**: VT-D or AMD Vi IOMMU
**Security benefits**: An IOMMU can enhance system resiliency against memory attacks. For more information, see [ACPI description tables](https://msdn.microsoft.com/windows/hardware/drivers/bringup/acpi-system-description-tables). |
-| Firmware: **Securing Boot Configuration and Management** | **Requirements**: • BIOS password or stronger authentication must be supported. • In the BIOS configuration, BIOS authentication must be set. • There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system. • In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.
**Security benefits**: • BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access. • Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. |
-| Firmware: **Secure MOR, revision 2 implementation** | **Requirement**: Secure MOR, revision 2 implementation
**Security benefits**: A secure MOR bit prevents advanced memory attacks. For more information, see [Secure MOR implementation](https://msdn.microsoft.com/windows/hardware/drivers/bringup/device-guard-requirements). |
+| Hardware: **IOMMU** (input/output memory management unit) | **Requirement**: VT-D or AMD Vi IOMMU **Security benefits**: An IOMMU can enhance system resiliency against memory attacks. For more information, see [ACPI description tables](https://msdn.microsoft.com/windows/hardware/drivers/bringup/acpi-system-description-tables). |
+| Firmware: **Securing Boot Configuration and Management** | **Requirements**: • BIOS password or stronger authentication must be supported. • In the BIOS configuration, BIOS authentication must be set. • There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system. • In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings. | **Security benefits**: • BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access. • Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. |
+| Firmware: **Secure MOR, revision 2 implementation** | **Requirement**: Secure MOR, revision 2 implementation | **Security benefits**: A secure MOR bit prevents advanced memory attacks. For more information, see [Secure MOR implementation](https://msdn.microsoft.com/windows/hardware/drivers/bringup/device-guard-requirements). |
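Review bot: The 2015 table keeps its two-column header (`| Protections for Improved Security | Description |`), but the rewritten "Securing Boot Configuration and Management" and "Secure MOR" rows now carry a third cell that still begins with `**Security benefits**:`, while the IOMMU row keeps requirement and benefits in one cell. Add a "Security benefits" header column to this table, split the IOMMU row the same way, and drop the bold label as was done in the baseline table. In the baseline table, the unchanged "64-bit CPU" row has only two cells under the new three-column header and needs a third, and the new header row is missing its closing `|`.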
@@ -102,11 +102,11 @@ The following tables describe baseline protections, plus protections for improve
> [!IMPORTANT]
> The following tables list additional qualifications for improved security. Systems that meet these additional qualifications can provide more protections.
-| Protections for Improved Security | Description |
-|---------------------------------------------|----------------------------------------------------|
-| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**: Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby) • The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx).
**Security benefits**: • Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware. • HSTI provides additional security assurance for correctly secured silicon and platform. |
-| Firmware: **Firmware Update through Windows Update** | **Requirements**: Firmware must support field updates through Windows Update and UEFI encapsulation update.
**Security benefits**: Helps ensure that firmware updates are fast, secure, and reliable. |
-| Firmware: **Securing Boot Configuration and Management** | **Requirements**: • Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time. • Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.
**Security benefits**: • Enterprises can choose to allow proprietary EFI drivers/applications to run. • Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
+| Protections for Improved Security | Description |Security Benefits |
+|---|---|---|
+| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**: Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby) • The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx). | Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware. • HSTI provides additional security assurance for correctly secured silicon and platform. |
+| Firmware: **Firmware Update through Windows Update** | **Requirements**: Firmware must support field updates through Windows Update and UEFI encapsulation update. | Helps ensure that firmware updates are fast, secure, and reliable. |
+| Firmware: **Securing Boot Configuration and Management** | **Requirements**: • Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time. • Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software. | • Enterprises can choose to allow proprietary EFI drivers/applications to run. • Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
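Review bot: The Hardware Security Testability Specification link in the first rewritten row still contains `/en-us/`, although this patch removes the locale segment from the docs.microsoft.com and support.microsoft.com links in the known-issues file; remove it here too. In the same row the first item in the benefits cell lost its leading bullet while the HSTI item kept "•", and the header reads "Security Benefits" where the baseline table uses "Security benefits"; pick one form for both.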
@@ -114,7 +114,7 @@ The following tables describe baseline protections, plus protections for improve
The following table lists qualifications for Windows 10, version 1703, which are in addition to all preceding qualifications.
-| Protection for Improved Security | Description |
-|---------------------------------------------|----------------------------------------------------|
-| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**: • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable. • UEFI runtime service must meet these requirements: - Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table. - PE sections need to be page-aligned in memory (not required for in non-volatile storage). - The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS: - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both - No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable.
Notes: • This only applies to UEFI runtime service memory, and not UEFI boot service memory. • This protection is applied by VBS on OS page tables.
Please also note the following: • Do not use sections that are both writeable and executable • Do not attempt to directly modify executable system memory • Do not use dynamic code
**Security benefits**: • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable) • Reduces the attack surface to VBS from system firmware. |
-| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.
**Security benefits**: • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable) • Reduces the attack surface to VBS from system firmware. • Blocks additional security attacks against SMM. |
+| Protections for Improved Security | Description | Security Benefits
+|---|---|---|
+| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**: • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable. • UEFI runtime service must meet these requirements: - Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table. - PE sections need to be page-aligned in memory (not required for in non-volatile storage). - The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS: - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both - No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable.
Notes: • This only applies to UEFI runtime service memory, and not UEFI boot service memory. • This protection is applied by VBS on OS page tables.
Please also note the following: • Do not use sections that are both writeable and executable • Do not attempt to directly modify executable system memory • Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable) • Reduces the attack surface to VBS from system firmware. |
+| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features. | • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable) • Reduces the attack surface to VBS from system firmware. • Blocks additional security attacks against SMM. |
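Review bot: The benefits cell of the "Firmware support for SMM protection" row opens with "Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS", which fuses two sentences carried over from the old row. Since the row is being rewritten anyway, reword it, for example to match the NX row above: "Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS". The new header row also lacks the closing `|` that the 2016 table's header has.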
diff --git a/windows/access-protection/credential-guard/credential-guard-scripts.md b/windows/access-protection/credential-guard/credential-guard-scripts.md
index 991d0010f2..ec3e0f5c91 100644
--- a/windows/access-protection/credential-guard/credential-guard-scripts.md
+++ b/windows/access-protection/credential-guard/credential-guard-scripts.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
author: brianlic-msft
---
diff --git a/windows/access-protection/credential-guard/credential-guard.md b/windows/access-protection/credential-guard/credential-guard.md
index 82c1f6b546..6ce7661b47 100644
--- a/windows/access-protection/credential-guard/credential-guard.md
+++ b/windows/access-protection/credential-guard/credential-guard.md
@@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
author: brianlic-msft
---
diff --git a/windows/access-protection/credential-guard/images/credguard-gp.png b/windows/access-protection/credential-guard/images/credguard-gp.png
index 8c91b114df..827121f0fc 100644
Binary files a/windows/access-protection/credential-guard/images/credguard-gp.png and b/windows/access-protection/credential-guard/images/credguard-gp.png differ
diff --git a/windows/access-protection/enterprise-certificate-pinning.md b/windows/access-protection/enterprise-certificate-pinning.md
index c5c53ac5e6..1af667a83a 100644
--- a/windows/access-protection/enterprise-certificate-pinning.md
+++ b/windows/access-protection/enterprise-certificate-pinning.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.technology: windows
ms.sitesec: library
ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
---
# Enterprise Certificate Pinning
diff --git a/windows/access-protection/hello-for-business/hello-and-password-changes.md b/windows/access-protection/hello-for-business/hello-and-password-changes.md
index 0a5b5a6d31..5e984f955e 100644
--- a/windows/access-protection/hello-for-business/hello-and-password-changes.md
+++ b/windows/access-protection/hello-for-business/hello-and-password-changes.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
ms.author: daniha
---
# Windows Hello and password changes
diff --git a/windows/access-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/access-protection/hello-for-business/hello-biometrics-in-enterprise.md
index c458afafc8..7fbfa154b0 100644
--- a/windows/access-protection/hello-for-business/hello-biometrics-in-enterprise.md
+++ b/windows/access-protection/hello-for-business/hello-biometrics-in-enterprise.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
ms.author: daniha
---
diff --git a/windows/access-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/access-protection/hello-for-business/hello-cert-trust-adfs.md
index 9b673f825b..d9f542ffd7 100644
--- a/windows/access-protection/hello-for-business/hello-cert-trust-adfs.md
+++ b/windows/access-protection/hello-for-business/hello-cert-trust-adfs.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
ms.author: daniha
ms.date: 07/07/2017
---
diff --git a/windows/access-protection/hello-for-business/hello-cert-trust-deploy-mfa.md b/windows/access-protection/hello-for-business/hello-cert-trust-deploy-mfa.md
index 6949f44b67..0692e099e7 100644
--- a/windows/access-protection/hello-for-business/hello-cert-trust-deploy-mfa.md
+++ b/windows/access-protection/hello-for-business/hello-cert-trust-deploy-mfa.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
ms.author: daniha
ms.date: 07/07/2017
---
diff --git a/windows/access-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/access-protection/hello-for-business/hello-cert-trust-policy-settings.md
index 9f6d582108..80a40bc364 100644
--- a/windows/access-protection/hello-for-business/hello-cert-trust-policy-settings.md
+++ b/windows/access-protection/hello-for-business/hello-cert-trust-policy-settings.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
ms.author: daniha
ms.date: 07/07/2017
---
diff --git a/windows/access-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/access-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
index 6be146c5fd..8226e365c6 100644
--- a/windows/access-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
+++ b/windows/access-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
ms.author: daniha
ms.date: 07/07/2017
---
diff --git a/windows/access-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md b/windows/access-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
index cfee0ee064..90ae7fc730 100644
--- a/windows/access-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
+++ b/windows/access-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
ms.author: daniha
ms.date: 07/07/2017
---
diff --git a/windows/access-protection/hello-for-business/hello-cert-trust-validate-pki.md b/windows/access-protection/hello-for-business/hello-cert-trust-validate-pki.md
index ea92c7c3bd..c3054a28fa 100644
--- a/windows/access-protection/hello-for-business/hello-cert-trust-validate-pki.md
+++ b/windows/access-protection/hello-for-business/hello-cert-trust-validate-pki.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
ms.author: daniha
ms.date: 07/07/2017
---
@@ -54,9 +54,9 @@ Clients need to trust domain controllers and the best way to do this is to ensur
Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise certificate authority is added to Active Directory. However, certificates based on the Domain Controller and Domain Controller Authentication certificate templates do not include the KDC Authentication object identifier (OID), which was later added to the Kerberos RFC. Therefore, domain controllers need to request a certificate based on the Kerberos Authentication certificate template.
-By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the Kerberos Authentication certificate template a baseline to create an updated domain controller certificate template.
+By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the Kerberos Authentication certificate template as a baseline to create an updated domain controller certificate template.
-Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials.
+Sign-in to a certificate authority or management workstations with _Domain Admin_ equivalent credentials.
1. Open the **Certificate Authority** management console.
2. Right-click **Certificate Templates** and click **Manage**.
3. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**.
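Review bot: The corrected line still reads "Sign-in to a certificate authority or management workstations", which uses the hyphenated noun as a verb and pairs "a" with the plural "workstations". Suggest "Sign in to a certificate authority or management workstation with _Domain Admin_ equivalent credentials." The same wording recurs in the three later hunks of this file. Since the step has the reader type Domain Admin equivalent credentials into a "management workstation", consider saying what qualifies as one here.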
@@ -73,7 +73,7 @@ Many domain controllers may have an existing domain controller certificate. The
The Kerberos Authentication certificate template is the most current certificate template designated for domain controllers and should be the one you deploy to all your domain controllers (2008 or later). The autoenrollment feature in Windows enables you to effortlessly replace these domain controller certificates. You can use the following configuration to replace older domain controller certificates with a new certificate using the Kerberos Authentication certificate template.
-Sign-in a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials.
+Sign-in to a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials.
1. Open the **Certificate Authority** management console.
2. Right-click **Certificate Templates** and click **Manage**.
3. In the **Certificate Template Console**, right-click the **Domain Controller Authentication (Kerberos)** (or the name of the certificate template you created in the previous section) template in the details pane and click **Properties**.
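Review bot: This added line asks for _Enterprise Admin_ equivalent credentials, while the hunks before and after it ask for _Domain Admin_ for what look like the same console steps (open Certificate Authority, Manage templates, edit or duplicate a template). If the higher privilege is really needed for editing the template's properties, say why in the text. If it is not, use the lower one so the guide does not teach readers to reach for Enterprise Admin by default.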
@@ -90,7 +90,7 @@ The certificate template is configured to supersede all the certificate template
Windows 10 clients use the https protocol when communicating with Active Directory Federation Services. To meet this need, you must issue a server authentication certificate to all the nodes in the Active Directory Federation Services farm. On-premises deployments can use a server authentication certificate issued by their enterprise PKI. You must configure a server authentication certificate template so the host running the Active Directory Federation Service can request the certificate.
-Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials.
+Sign-in to a certificate authority or management workstations with _Domain Admin_ equivalent credentials.
1. Open the **Certificate Authority** management console.
2. Right-click **Certificate Templates** and click **Manage**.
3. In the **Certificate Template Console**, right-click the **Web Server** template in the details pane and click **Duplicate Template**.
@@ -150,7 +150,7 @@ Domain controllers automatically request a certificate from the domain controlle
### Deploy the Domain Controller Auto Certificate Enrollment Group Policy Object
-Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials.
+Sign-in to a domain controller or management workstations with _Domain Admin_ equivalent credentials.
1. Start the **Group Policy Management Console** (gpmc.msc)
2. In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. Right-click the **Domain Controllers** organizational unit and click **Link an existing GPO…**
3. In the **Select GPO** dialog box, select **Domain Controller Auto Certificate Enrollment** or the name of the domain controller certificate enrollment Group Policy object you previously created and click **OK**.
@@ -194,4 +194,4 @@ Use the event logs to monitor certificate enrollment and archive. Review the co
2. Validate and Configure Public Key Infrastructure (*You are here*)
3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md)
4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md)
-5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md)
\ No newline at end of file
+5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md)
diff --git a/windows/access-protection/hello-for-business/hello-deployment-cert-trust.md b/windows/access-protection/hello-for-business/hello-deployment-cert-trust.md
index 3c35dfff7f..3e3dd9f272 100644
--- a/windows/access-protection/hello-for-business/hello-deployment-cert-trust.md
+++ b/windows/access-protection/hello-for-business/hello-deployment-cert-trust.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
ms.author: daniha
ms.date: 07/07/2017
---
diff --git a/windows/access-protection/hello-for-business/hello-deployment-guide.md b/windows/access-protection/hello-for-business/hello-deployment-guide.md
index e58f3a1e6f..c11406fb24 100644
--- a/windows/access-protection/hello-for-business/hello-deployment-guide.md
+++ b/windows/access-protection/hello-for-business/hello-deployment-guide.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
ms.author: daniha
ms.date: 07/07/2017
---
diff --git a/windows/access-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/access-protection/hello-for-business/hello-errors-during-pin-creation.md
index ee01d1173d..20c0c5cc2a 100644
--- a/windows/access-protection/hello-for-business/hello-errors-during-pin-creation.md
+++ b/windows/access-protection/hello-for-business/hello-errors-during-pin-creation.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
ms.author: daniha
---
diff --git a/windows/access-protection/hello-for-business/hello-event-300.md b/windows/access-protection/hello-for-business/hello-event-300.md
index 3d94345736..1b894d9da4 100644
--- a/windows/access-protection/hello-for-business/hello-event-300.md
+++ b/windows/access-protection/hello-for-business/hello-event-300.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
ms.author: daniha
---
diff --git a/windows/access-protection/hello-for-business/hello-how-it-works.md b/windows/access-protection/hello-for-business/hello-how-it-works.md
index 1e42ccaded..c5d6ce9420 100644
--- a/windows/access-protection/hello-for-business/hello-how-it-works.md
+++ b/windows/access-protection/hello-for-business/hello-how-it-works.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
ms.author: daniha
---
# How Windows Hello for Business works
diff --git a/windows/access-protection/hello-for-business/hello-identity-verification.md b/windows/access-protection/hello-for-business/hello-identity-verification.md
index 89c2110b38..6bc13714ae 100644
--- a/windows/access-protection/hello-for-business/hello-identity-verification.md
+++ b/windows/access-protection/hello-for-business/hello-identity-verification.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
ms.author: daniha
ms.date: 07/07/2017
---
diff --git a/windows/access-protection/hello-for-business/hello-manage-in-organization.md b/windows/access-protection/hello-for-business/hello-manage-in-organization.md
index 8ef71c6d85..6d8b9b37a2 100644
--- a/windows/access-protection/hello-for-business/hello-manage-in-organization.md
+++ b/windows/access-protection/hello-for-business/hello-manage-in-organization.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
ms.author: daniha
---
diff --git a/windows/access-protection/hello-for-business/hello-overview.md b/windows/access-protection/hello-for-business/hello-overview.md
index 1684f8f6cf..3aa57fa4e5 100644
--- a/windows/access-protection/hello-for-business/hello-overview.md
+++ b/windows/access-protection/hello-for-business/hello-overview.md
@@ -1,13 +1,13 @@
---
title: Windows Hello for Business (Windows 10)
-description: An overview of Winodws Hello for Business
+description: An overview of Windows Hello for Business
keywords: identity, PIN, biometric, Hello, passport
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
---
# Windows Hello for Business Overview
diff --git a/windows/access-protection/hello-for-business/hello-planning-guide.md b/windows/access-protection/hello-for-business/hello-planning-guide.md
index 3ae2518616..84a8935184 100644
--- a/windows/access-protection/hello-for-business/hello-planning-guide.md
+++ b/windows/access-protection/hello-for-business/hello-planning-guide.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
---
# Planning a Windows Hello for Business Deployment
diff --git a/windows/access-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/access-protection/hello-for-business/hello-prepare-people-to-use.md
index eaa96377ed..c0ac1449b3 100644
--- a/windows/access-protection/hello-for-business/hello-prepare-people-to-use.md
+++ b/windows/access-protection/hello-for-business/hello-prepare-people-to-use.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
ms.author: daniha
---
diff --git a/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password.md
index 959f2a6830..d3f89032e3 100644
--- a/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password.md
+++ b/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
ms.author: daniha
---
diff --git a/windows/access-protection/hello-for-business/toc.md b/windows/access-protection/hello-for-business/toc.md
index d6542a7d8f..e99fabcb82 100644
--- a/windows/access-protection/hello-for-business/toc.md
+++ b/windows/access-protection/hello-for-business/toc.md
@@ -1,6 +1,6 @@
# [Windows Hello for Business](hello-identity-verification.md)
-## [Winodws Hello for Business Overview](hello-overview.md)
+## [Windows Hello for Business Overview](hello-overview.md)
## [How Windows Hello for Business works](hello-how-it-works.md)
## [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
## [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
diff --git a/windows/access-protection/installing-digital-certificates-on-windows-10-mobile.md b/windows/access-protection/installing-digital-certificates-on-windows-10-mobile.md
index c6d37fa5e8..233a60e8e8 100644
--- a/windows/access-protection/installing-digital-certificates-on-windows-10-mobile.md
+++ b/windows/access-protection/installing-digital-certificates-on-windows-10-mobile.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# Install digital certificates on Windows 10 Mobile
diff --git a/windows/access-protection/user-account-control/user-account-control-overview.md b/windows/access-protection/user-account-control/user-account-control-overview.md
index a273e12688..15a9a0a383 100644
--- a/windows/access-protection/user-account-control/user-account-control-overview.md
+++ b/windows/access-protection/user-account-control/user-account-control-overview.md
@@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: operate
ms.sitesec: library
ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
author: brianlic-msft
---
diff --git a/windows/access-protection/vpn/vpn-authentication.md b/windows/access-protection/vpn/vpn-authentication.md
index fa0b7a5592..89140757bf 100644
--- a/windows/access-protection/vpn/vpn-authentication.md
+++ b/windows/access-protection/vpn/vpn-authentication.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, networking
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# VPN authentication options
diff --git a/windows/access-protection/vpn/vpn-auto-trigger-profile.md b/windows/access-protection/vpn/vpn-auto-trigger-profile.md
index dbbe91c8cb..497918050e 100644
--- a/windows/access-protection/vpn/vpn-auto-trigger-profile.md
+++ b/windows/access-protection/vpn/vpn-auto-trigger-profile.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, networking
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# VPN auto-triggered profile options
diff --git a/windows/access-protection/vpn/vpn-conditional-access.md b/windows/access-protection/vpn/vpn-conditional-access.md
index 073b24b8fd..1bbcc1daef 100644
--- a/windows/access-protection/vpn/vpn-conditional-access.md
+++ b/windows/access-protection/vpn/vpn-conditional-access.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, networking
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# VPN and conditional access
diff --git a/windows/access-protection/vpn/vpn-connection-type.md b/windows/access-protection/vpn/vpn-connection-type.md
index 39f933d548..2896f7a271 100644
--- a/windows/access-protection/vpn/vpn-connection-type.md
+++ b/windows/access-protection/vpn/vpn-connection-type.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, networking
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# VPN connection types
diff --git a/windows/access-protection/vpn/vpn-guide.md b/windows/access-protection/vpn/vpn-guide.md
index 138b74295c..f90e404b12 100644
--- a/windows/access-protection/vpn/vpn-guide.md
+++ b/windows/access-protection/vpn/vpn-guide.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# Windows 10 VPN technical guide
diff --git a/windows/access-protection/vpn/vpn-name-resolution.md b/windows/access-protection/vpn/vpn-name-resolution.md
index 1a40cd73b6..b9c5a697f2 100644
--- a/windows/access-protection/vpn/vpn-name-resolution.md
+++ b/windows/access-protection/vpn/vpn-name-resolution.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, networking
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# VPN name resolution
diff --git a/windows/access-protection/vpn/vpn-profile-options.md b/windows/access-protection/vpn/vpn-profile-options.md
index 58f005e2be..2caa8c2493 100644
--- a/windows/access-protection/vpn/vpn-profile-options.md
+++ b/windows/access-protection/vpn/vpn-profile-options.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, networking
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# VPN profile options
diff --git a/windows/access-protection/vpn/vpn-routing.md b/windows/access-protection/vpn/vpn-routing.md
index 597d5cad4a..3796a83687 100644
--- a/windows/access-protection/vpn/vpn-routing.md
+++ b/windows/access-protection/vpn/vpn-routing.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, networking
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# VPN routing decisions
diff --git a/windows/access-protection/vpn/vpn-security-features.md b/windows/access-protection/vpn/vpn-security-features.md
index ed34d30dc0..cfc51f33ce 100644
--- a/windows/access-protection/vpn/vpn-security-features.md
+++ b/windows/access-protection/vpn/vpn-security-features.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, networking
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# VPN security features
diff --git a/windows/application-management/TOC.md b/windows/application-management/TOC.md
index 7f815bfe0e..5c764b532e 100644
--- a/windows/application-management/TOC.md
+++ b/windows/application-management/TOC.md
@@ -99,3 +99,6 @@
#### [Application Publishing and Client Interaction](app-v/appv-application-publishing-and-client-interaction.md)
#### [Viewing App-V Server Publishing Metadata](app-v/appv-viewing-appv-server-publishing-metadata.md)
#### [Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md)
+## [Service Host process refactoring](svchost-service-refactoring.md)
+## [Deploy app upgrades on Windows 10 Mobile](deploy-app-upgrades-windows-10-mobile.md)
+## [Change history for Application management](change-history-for-application-management.md)
diff --git a/windows/application-management/change-history-for-application-management.md b/windows/application-management/change-history-for-application-management.md
new file mode 100644
index 0000000000..92e5039334
--- /dev/null
+++ b/windows/application-management/change-history-for-application-management.md
@@ -0,0 +1,23 @@
+---
+title: Change history for Configure Windows 10 (Windows 10)
+description: This topic lists changes to documentation for configuring Windows 10.
+keywords:
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: high
+author: jdeckerms
+---
+
+# Change history for Configure Windows 10
+
+This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile.
+
+## July 2017
+| New or changed topic | Description |
+| --- | --- |
+| [Service Host process refactoring](svchost-service-refactoring.md) | New |
+| [Deploy app upgrades on Windows 10 Mobile](deploy-app-upgrades-windows-10-mobile.md) | New |
+
+
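Review bot: The front matter and body of this new file still describe a different doc set. `title`, `description`, the H1 and the intro sentence all say "Configure Windows 10", but the file is change-history-for-application-management.md and the TOC entry added in this commit reads "Change history for Application management". The link `[Configure Windows 10](index.md)` will resolve to this folder's index, whose heading is "Windows 10 application management", so the link text will not match its target. Please retarget all four strings, and either fill in or drop the empty `keywords:` key. `ms.pagetype: security` also looks carried over from the source file.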
diff --git a/windows/application-management/deploy-app-upgrades-windows-10-mobile.md b/windows/application-management/deploy-app-upgrades-windows-10-mobile.md
new file mode 100644
index 0000000000..94540ed17d
--- /dev/null
+++ b/windows/application-management/deploy-app-upgrades-windows-10-mobile.md
@@ -0,0 +1,58 @@
+---
+title: Application upgrades on Windows 10 Mobile
+description: Learn how to deploy upgrades to applications running on Windows 10 Mobile.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: mobile
+ms.author: kaushika-ainapure
+author: kaushika-msft
+ms.date: 07/20/2017
+---
+# Deploy application upgrades on Windows 10 Mobile
+
+> Applies to: Windows 10
+
+When you have a new version of an application, how do you get that to the Windows 10 Mobile devices in your environment? With [application supersedence in System Center Configuration Manager](/sccm/apps/deploy-use/revise-and-supersede-applications#application-supersedence).
+
+There are two steps to deploy an app upgrade:
+
+1. [Define the supersedence](#define-app-supersedence) - this lets Configuration Manager know that the old version should be replaced by the new version.
+2. [Deploy the upgrade](#deploy-the-app-upgrade) to your users.
+
+The following steps walk you through the upgrade deployment process - we have an upgraded version of the Walking Scorer app (moving from version 12.23.2.0 to 12.23.3.0). Becasuse we previously used Configuration Manager to deploy the existing version, we'll use it now to upgrade the app.
+
+Before you can deploy the upgrade, make sure you import the new version of the app and distribute it to your manage.microsoft.com distribution point.
+
+
+
+## Define app supersedence
+
+1. In the Configuration Manager console, open the Software Library, and then find the new version of your app.
+ 
+
+2. Right-click the new version, and then click **Properties**.
+3. Click the **Supersedence** tab - there shouldn't be any supersedence rules yet. We'll add one next.
+ 
+
+4. Click **Add**, browse to the existing (older) version of the app that you're upgrading, and then click **OK**.
+5. Under **New Deployment Type** select the new version of the app. (When you imported the new version, it comes in as a new deployment type. If you're upgrading a Universal application, you'll see only one type here.)
+ 
+ > [!IMPORTANT]
+ > Do **NOT** select **Uninstall**. This tells Configuration Manager to uninstall the old version, but it does **NOT** then install the new version.
+
+6. Click **OK**.
+7. If you have other versions of the same app, repeate steps 4-6 for each version. Click **OK** when you're done.
+
+> [!NOTE]
+> Need to remove a supersedence? (Maybe the new version turned out to be flaky and you don't want users to get it yet.) On the **Supersedence** tab for the *new* version of the app, double-click the older version in the list of supersedence rules, and then change the **New Deployment Type** to **Do not replace**.
+
+## Deploy the app upgrade
+
+You're now ready to deploy the upgrade. On the **Home** tab in Configuration Manager, select the new version of the app, and then click **Deploy**, and follow the instructions in the wizard. When asked, set the **Purpose** to **Required**.
+
+You don't need to delete the deployment associated with the older version of the app. The status for that deployment will change to **Requirements not met** in the **Monitoring** view:
+
+
+
+If you haven't deployed an app through Configuration Manager before, check out [Deploy applications with System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/apps/deploy-use/deploy-applications). You can also see how to delete deployments (although you don't have to) and notify users about the upgraded app.
\ No newline at end of file
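Review bot: Two typos in the added text should be fixed before merge: "Becasuse" in the Walking Scorer paragraph and "repeate" in step 7. The front matter has no `ms.localizationpriority` key, which the rest of this commit standardizes on, and the file ends without a trailing newline. The two Configuration Manager links are written differently (site-relative `/sccm/apps/deploy-use/...` in the intro, absolute `https://docs.microsoft.com/en-us/sccm/...` in the last paragraph); pick one form so both survive the same link validation.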
diff --git a/windows/application-management/index.md b/windows/application-management/index.md
index b7ce77366d..d6c32fbe93 100644
--- a/windows/application-management/index.md
+++ b/windows/application-management/index.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
-localizationpriority: medium
+ms.localizationpriority: medium
---
# Windows 10 application management
@@ -13,10 +13,12 @@ localizationpriority: medium
**Applies to**
- Windows 10
-Learn about managing applications in Window 10 and Windows 10 Mobile clients.
+Learn about managing applications in Windows 10 and Windows 10 Mobile clients.
| Topic | Description |
|---|---|
|[App-V](app-v/appv-getting-started.md)| Microsoft Application Virtualization (App-V) for Windows 10 enables organizations to deliver Win32 applications to users as virtual applications|
|[Sideload apps in Windows 10](sideload-apps-in-windows-10.md)| Requirements and instructions for side-loading LOB applications on Windows 10 and Windows 10 Mobile clients|
+| [Service Host process refactoring](svchost-service-refactoring.md) | Changes to Service Host grouping in Windows 10 |
+| [Deploy app updgrades on Windows 10 Mobile](deploy-app-upgrades-windows-10-mobile.md) | How to upgrade apps on Windows 10 Mobile |
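Review bot: The second added table row misspells its link text as "Deploy app updgrades on Windows 10 Mobile". It should read "upgrades", matching the TOC entry and the topic's own title. The two new rows also pad the cells (`| [` ... ` |`) while the existing rows do not (`|[` ... `|`). That is harmless for rendering, but aligning them keeps the table source consistent.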
diff --git a/windows/application-management/media/app-upgrade-cm-console.png b/windows/application-management/media/app-upgrade-cm-console.png
new file mode 100644
index 0000000000..8681e2fb39
Binary files /dev/null and b/windows/application-management/media/app-upgrade-cm-console.png differ
diff --git a/windows/application-management/media/app-upgrade-no-supersedence.png b/windows/application-management/media/app-upgrade-no-supersedence.png
new file mode 100644
index 0000000000..9a9bb9bb53
Binary files /dev/null and b/windows/application-management/media/app-upgrade-no-supersedence.png differ
diff --git a/windows/application-management/media/app-upgrade-old-version.png b/windows/application-management/media/app-upgrade-old-version.png
new file mode 100644
index 0000000000..e430be170e
Binary files /dev/null and b/windows/application-management/media/app-upgrade-old-version.png differ
diff --git a/windows/application-management/media/app-upgrade-supersede-deploy-type.png b/windows/application-management/media/app-upgrade-supersede-deploy-type.png
new file mode 100644
index 0000000000..24a45c5939
Binary files /dev/null and b/windows/application-management/media/app-upgrade-supersede-deploy-type.png differ
diff --git a/windows/application-management/media/svchost-grouped-processes.png b/windows/application-management/media/svchost-grouped-processes.png
new file mode 100644
index 0000000000..d85f8e8951
Binary files /dev/null and b/windows/application-management/media/svchost-grouped-processes.png differ
diff --git a/windows/application-management/media/svchost-grouped-utilization.png b/windows/application-management/media/svchost-grouped-utilization.png
new file mode 100644
index 0000000000..cd46b0d4b4
Binary files /dev/null and b/windows/application-management/media/svchost-grouped-utilization.png differ
diff --git a/windows/application-management/media/svchost-separated-processes.png b/windows/application-management/media/svchost-separated-processes.png
new file mode 100644
index 0000000000..83df0fe580
Binary files /dev/null and b/windows/application-management/media/svchost-separated-processes.png differ
diff --git a/windows/application-management/media/svchost-separated-utilization.png b/windows/application-management/media/svchost-separated-utilization.png
new file mode 100644
index 0000000000..5c5834cc44
Binary files /dev/null and b/windows/application-management/media/svchost-separated-utilization.png differ
diff --git a/windows/application-management/media/svchost-separation-disabled.png b/windows/application-management/media/svchost-separation-disabled.png
new file mode 100644
index 0000000000..5e0e57da92
Binary files /dev/null and b/windows/application-management/media/svchost-separation-disabled.png differ
diff --git a/windows/application-management/svchost-service-refactoring.md b/windows/application-management/svchost-service-refactoring.md
new file mode 100644
index 0000000000..e2f00263db
--- /dev/null
+++ b/windows/application-management/svchost-service-refactoring.md
@@ -0,0 +1,91 @@
+---
+title: Service Host service refactoring in Windows 10 version 1703
+description: Learn about the SvcHost Service Refactoring introduced in Windows 10 version 1703.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: mobile
+ms.author: kaushika-ainapure
+author: kaushika-msft
+ms.date: 07/19/2017
+---
+
+# Changes to Service Host grouping in Windows 10
+
+> Applies to: Windows 10
+
+The **Service Host (svchost.exe)** is a shared-service process that serves as a shell for loading services from DLL files. Services are organized into related host groups, and each group runs inside a different instance of the Service Host process. In this way, a problem in one instance does not affect other instances. Service Host groups are determined by combining the services with matching security requirements. For example:
+
+* Local Service
+* Local Service No Network
+* Local Service Network Restricted
+* Local System
+* Local System Network Restricted
+* Network Service
+
+## Separating SvcHost services
+
+Beginning with Windows 10 Creators Update (version 1703), services that were previously grouped will instead be separated - each will run in its own SvcHost process. This change is automatic for systems with **more than 3.5 GB** of RAM running the Client Desktop SKU. On systems with 3.5 GB or less RAM, we'll continue to group services into a shared SvcHost process.
+
+Benefits of this design change include:
+
+* Increased reliability by insulating critical network services from the failure of another non-network service in the host, and adding the ability to restore networking connectivity seamlessly when networking components crash.
+* Reduced support costs by eliminating the troubleshooting overhead associated with isolating misbehaving services in the shared host.
+* Increased security by providing additional inter-service isolation
+* Increased scalability by allowing per-service settings and privileges
+* Improved resource management through per-service CPU, I/O and memory management and increase clear telemetry (report CPU, I/O and network usage per service).
+
+>**Try This**
+>
+> To see the refactoring behavior, create a Windows 10 version 1703 VM and configure the memory settings as follows:
+> 1. To see grouped processes, set the RAM to 3484 MB or less. Restart the VM and then open Task Manager.
+> 2. To see separated processes, set the RAM to 3486 MB or greater. Restart the VM and then open Task Manager.
+
+
+Refactoring also makes it easier to view running processes in Task Manager. You can look at Task Manager and know exactly which service is using what resources, without having to expand many separate host groups.
+
+For example, here are the running processes displayed in Task Manager in Windows 10 version 1607:
+
+
+
+Compare that to the same view of running processes in Windows 10 version 1703:
+
+
+
+
+
+
+## Exceptions
+Some services will continue to be grouped on PCs running with 3.5GB or higher RAM. For example, the Base Filtering Engine (BFE) and the Windows Firewall (Mpssvc) will be grouped together in a single host group, as will the RPC Endpoint Mapper and Remote Procedure Call services.
+
+If you need to identify services that will continue to be grouped, in addition to seeing them in Task Manager and using command line tools, you can look for the *SvcHostSplitDisable* value in their respective service keys under
+HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.
+
+The default value of **1** prevents the service from being split.
+
+For example, this is the registry key configuration for BFE:
+
+
+## Memory footprint
+
+Be aware that separating services increases the total number of SvcHost instances, which increases memory utlization. (Service grouping provided a modest reduction to the overall resource footprint of the services involved.)
+
+Consider the following:
+
+
+|Grouped Services (< 3.5GB) | Split Services (3.5GB+)
+|--------------------------------------- | ------------------------------------------ |
+| | |
+
+> [!NOTE]
+> The above represents the peak observed values.
+
+The total number of service instances and the resulting memory utilization varies depending on activity. Instance counts can typically range from approximately 17-21 for grouped services, and 67-74 for separated services.
+
+> **Try This**
+>
+>To determine the impact of splitting hosted services on a Windows 10 version 1703 PC, run the following Windows PowerShell cmdlet, before and after toggling the memory settings:
+>
+> ```powershell
+> Get-Process SvcHost | Group-Object -Property ProcessName | Format-Table Name, Count, @{n='Mem (KB)';e={'{0:N0}' -f (($_.Group|Measure-Object WorkingSet -Sum).Sum / 1KB)};a='right'} -AutoSize
+>```
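Review bot: The RAM threshold is stated three different ways in this new topic: "more than 3.5 GB" under Separating SvcHost services, "3.5GB or higher" under Exceptions, and "Split Services (3.5GB+)" in the Memory footprint table header, so a system with exactly 3.5 GB is described as both grouped and split. Use one wording throughout (the first section says 3.5 GB or less stays grouped); the Try This values of 3484 MB and 3486 MB also leave 3485 MB unaddressed. Under Exceptions, "The default value of 1" should say whether that default applies only to services that carry SvcHostSplitDisable or to every service key, since the topic lists inter-service isolation as a security benefit and readers will use this value to audit which services remain grouped. Smaller points: "utlization" should be "utilization", ms.pagetype is set to mobile for a topic scoped to the Client Desktop SKU, and the Memory footprint table has an empty data row and a header row without its closing pipe.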
diff --git a/windows/client-management/administrative-tools-in-windows-10.md b/windows/client-management/administrative-tools-in-windows-10.md
index 60a5ca32e6..4c8d8e4316 100644
--- a/windows/client-management/administrative-tools-in-windows-10.md
+++ b/windows/client-management/administrative-tools-in-windows-10.md
@@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
-localizationpriority: medium
+ms.localizationpriority: medium
---
# Administrative Tools in Windows 10
diff --git a/windows/client-management/change-history-for-client-management.md b/windows/client-management/change-history-for-client-management.md
index e3193c1854..457e51889a 100644
--- a/windows/client-management/change-history-for-client-management.md
+++ b/windows/client-management/change-history-for-client-management.md
@@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
author: jdeckerMS
ms.author: jdecker
ms.date: 06/13/2017
@@ -16,6 +16,12 @@ ms.date: 06/13/2017
This topic lists new and updated topics in the [Client management](index.md) documentation for Windows 10 and Windows 10 Mobile.
+## July 2017
+
+| New or changed topic | Description |
+| --- | --- |
+| [Group Policy settings that apply only to Windows 10 Enterprise and Education Editions](group-policies-for-enterprise-and-education-editions.md) | Added that Start layout policy setting can be applied to Windows 10 Pro, version 1703 |
+
## June 2017
| New or changed topic | Description |
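Review bot: The new July 2017 section is added while the front matter still reads ms.date: 06/13/2017 (visible in the preceding hunk and in this hunk's header context). Bump ms.date in the same change so the topic date reflects the July entry.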
diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md
index cb6ad29962..43db69d30f 100644
--- a/windows/client-management/connect-to-remote-aadj-pc.md
+++ b/windows/client-management/connect-to-remote-aadj-pc.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: devices
author: jdeckerms
-localizationpriority: medium
+ms.localizationpriority: medium
---
# Connect to remote Azure Active Directory-joined PC
diff --git a/windows/client-management/group-policies-for-enterprise-and-education-editions.md b/windows/client-management/group-policies-for-enterprise-and-education-editions.md
index ecb2e27c4a..ff39d3cc04 100644
--- a/windows/client-management/group-policies-for-enterprise-and-education-editions.md
+++ b/windows/client-management/group-policies-for-enterprise-and-education-editions.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: brianlic-msft
-localizationpriority: high
+ms.localizationpriority: high
---
# Group Policy settings that apply only to Windows 10 Enterprise and Education Editions
@@ -23,9 +23,9 @@ In Windows 10, version 1607, the following Group Policy settings apply only to W
| **Turn off Microsoft consumer features** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) |
| **Do not display the lock screen** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) |
| **Do not require CTRL+ALT+DEL** combined with**Turn off app notifications on the lock screen** | Computer Configuration > Administrative Templates > System > Logon andComputer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Interactive logon | When both of these policy settings are enabled, the combination will also disable lock screen apps ([assigned access](/windows/configuration/set-up-a-device-for-anyone-to-use)) on Windows 10 Enterprise and Windows 10 Education only. These policy settings can be applied to Windows 10 Pro, but lock screen apps will not be disabled on Windows 10 Pro. **Important:** The description for **Interactive logon: Do not require CTRL+ALT+DEL** in the Group Policy Editor incorrectly states that it only applies to Windows 10 Enterprise and Education. The description will be corrected in a future release.|
-| **Do not show Windows Tips** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight |
+| **Do not show Windows Tips** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) |
| **Force a specific default lock screen image** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) |
-| **Start layout** | User Configuration\Administrative Templates\Start Menu and Taskbar | For more info, see [Manage Windows 10 Start layout options and policies](/windows/configuration/windows-10-start-layout-options-and-policies) |
+| **Start layout** | User Configuration\Administrative Templates\Start Menu and Taskbar | In Windows 10, version 1703, this policy setting can be applied to Windows 10 Pro. For more info, see [Manage Windows 10 Start layout options and policies](/windows/configuration/windows-10-start-layout-options-and-policies) |
| **Turn off the Store application** | Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application
User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application | For more info, see [Knowledge Base article# 3135657](https://support.microsoft.com/kb/3135657). |
| **Only display the private store within the Windows Store app** | Computer Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Windows Store app
User Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Windows Store app | For more info, see [Manage access to private store](/microsoft-store/manage-access-to-private-store) |
| **Don't search the web or display web results** | Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results | For more info, see [Cortana integration in your enterprise](/windows/configuration/cortana-at-work/cortana-at-work-overview) |
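Review bot: The changed Start layout row now says the setting can be applied to Windows 10 Pro in version 1703, which conflicts with the topic title "Group Policy settings that apply only to Windows 10 Enterprise and Education Editions" and with the table introduction that scopes the list to version 1607. Qualify the row (for example, Enterprise and Education only in version 1607) or add a sentence above the table explaining that some rows changed in 1703, so administrators who rely on this list for edition-based lockdown decisions are not misled. The row also uses backslash path separators where most neighbouring rows use ">".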
diff --git a/windows/client-management/index.md b/windows/client-management/index.md
index 226c9237e7..68debeba89 100644
--- a/windows/client-management/index.md
+++ b/windows/client-management/index.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
-localizationpriority: medium
+ms.localizationpriority: medium
---
# Client management
diff --git a/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md b/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md
index 69f6f73aa0..3536562d23 100644
--- a/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md
+++ b/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: mobile
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# Join Windows 10 Mobile to Azure Active Directory
diff --git a/windows/client-management/manage-corporate-devices.md b/windows/client-management/manage-corporate-devices.md
index b5e9a331ae..78ca7c8d39 100644
--- a/windows/client-management/manage-corporate-devices.md
+++ b/windows/client-management/manage-corporate-devices.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: devices
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# Manage corporate devices
diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
index 1607cad11f..396ee16956 100644
--- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
+++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: devices
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# Manage Windows 10 in your organization - transitioning to modern management
diff --git a/windows/client-management/mandatory-user-profile.md b/windows/client-management/mandatory-user-profile.md
index e249f70aa6..e9a60b1ed6 100644
--- a/windows/client-management/mandatory-user-profile.md
+++ b/windows/client-management/mandatory-user-profile.md
@@ -17,8 +17,7 @@ ms.date: 06/13/2017
- Windows 10
-> [!NOTE]
-> When a mandatory profile is applied to a PC running Windows 10, version 1511, some features such as Universal Windows Platform (UWP) apps, the Start menu, Cortana, and Search, will not work correctly. This will be fixed in a future update.
+
A mandatory user profile is a roaming user profile that has been pre-configured by an administrator to specify settings for users. Settings commonly defined in a mandatory profile include (but are not limited to): icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile are not saved when a mandatory user profile is assigned.
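Review bot: The known-issue note for Windows 10, version 1511 is removed and replaced by an added empty line, with no statement of which update resolved the issue. If the problem is fixed, say in which version or update, so readers still on 1511 can tell whether it applies to them; otherwise keep the note. The added blank line is unnecessary and can be dropped.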
diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md
index f623ae9b78..f586df7407 100644
--- a/windows/client-management/mdm/TOC.md
+++ b/windows/client-management/mdm/TOC.md
@@ -194,6 +194,7 @@
#### [DeviceInstallation](policy-csp-deviceinstallation.md)
#### [DeviceLock](policy-csp-devicelock.md)
#### [Display](policy-csp-display.md)
+#### [Education](policy-csp-education.md)
#### [EnterpriseCloudPrint](policy-csp-enterprisecloudprint.md)
#### [ErrorReporting](policy-csp-errorreporting.md)
#### [EventLogService](policy-csp-eventlogservice.md)
@@ -202,6 +203,7 @@
#### [InternetExplorer](policy-csp-internetexplorer.md)
#### [Kerberos](policy-csp-kerberos.md)
#### [Licensing](policy-csp-licensing.md)
+#### [LocalPoliciesSecurityOptions](policy-csp-localpoliciessecurityoptions.md)
#### [Location](policy-csp-location.md)
#### [LockDown](policy-csp-lockdown.md)
#### [Maps](policy-csp-maps.md)
diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md
index e1097181a3..7564c89e41 100644
--- a/windows/client-management/mdm/applocker-csp.md
+++ b/windows/client-management/mdm/applocker-csp.md
@@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 06/19/2017
+ms.date: 08/10/2017
---
# AppLocker CSP
@@ -156,6 +156,20 @@ Each of the previous nodes contains one or more of the following leaf nodes:
Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.
Policy nodes are a Base64-encoded blob of the binary policy representation. The binary policy may be signed or unsigned.
For CodeIntegrity/Policy, you can use the [certutil -encode](http://go.microsoft.com/fwlink/p/?LinkId=724364) command line tool to encode the data to base-64.
Use only the data enclosed in the BEGIN CERTIFIFCATE and END CERTIFICATE section. Ensure that you have removed all line breaks before passing the data to the CSP node.
+
An alternative to using certutil would be to use the following PowerShell invocation:
If you are using Hybrid MDM management with System Center Configuration Manager please ensure that you are using Base64 as the Data type when using Custom OMA-URI functionality to apply the Code Integrity policy.
Data type is string. Supported operations are Get, Add, Delete, and Replace.
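Review bot: The sentence "An alternative to using certutil would be to use the following PowerShell invocation:" is followed directly by the Hybrid MDM paragraph with no command between them in the visible lines, although the hunk header declares 14 added lines. Confirm the PowerShell block is present and fenced, and that it produces Base64 without line breaks, since the preceding line requires all line breaks to be removed before the data is passed to the CSP node. While touching this passage, fix "BEGIN CERTIFIFCATE" in the adjacent line.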
@@ -777,8 +791,70 @@ The following list shows the apps that may be included in the inbox.
-## Whitelist example
+## Whitelist examples
+The following example disables the calendar application.
+
+``` syntax
+
+
+
+ $CmdID$
+
+
+ ./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions
+
+
+ chr
+ text/plain
+
+ <AppPolicy Version="1" xmlns="http://schemas.microsoft.com/phone/2013/policy"><Deny><App ProductId="{a558feba-85d7-4665-b5d8-a2ff9c19799b}"/></Deny></AppPolicy>
+
+
+
+
+
+
+```
+
+The following example blocks the usage of the map application.
+
+``` syntax
+
+
+
+ $CmdID$
+
+
+ ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/AppLockerPhoneGroup0/StoreApps/Policy
+
+
+ chr
+
+
+ <RuleCollection Type="Appx" EnforcementMode="Enabled">
+ <FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed Appx packages" Description="Allows members of the Everyone group to run Appx packages that are signed." UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
+ <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
+ </FilePublisherCondition>
+ </Conditions>
+ </FilePublisherRule>
+
+ <FilePublisherRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="Deny Splash appmaps" Description="Deny members of the local Administrators group to run maps." UserOrGroupSid="S-1-1-0" Action="Deny">
+ <Conditions>
+ <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsMaps" BinaryName="*" />
+ </Conditions>
+ </FilePublisherRule>
+
+ </RuleCollection>
+
+
+
+
+
+
+```
The following example for Windows 10 Mobile denies all apps and allows the following apps:
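Review bot: In the second added example, the deny rule's Description says "Deny members of the local Administrators group to run maps." but the rule sets UserOrGroupSid="S-1-1-0", which is the Everyone group, so the description does not match what the rule enforces. Correct the Description (and the Name "Deny Splash appmaps", which reads like a leftover from another rule) so that anyone copying this policy knows it blocks Maps for all users. Two further points: the section is renamed "Whitelist examples" but both new examples are deny rules, and the first example targets ./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions rather than an AppLocker CSP node, which deserves a sentence of explanation in an AppLocker CSP topic.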
diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md
index 8c6466d2d4..59f79b2a6c 100644
--- a/windows/client-management/mdm/assignedaccess-csp.md
+++ b/windows/client-management/mdm/assignedaccess-csp.md
@@ -7,11 +7,13 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 06/19/2017
+ms.date: 07/27/2017
---
# AssignedAccess CSP
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The AssignedAccess configuration service provider (CSP) is used set the device to run in kiosk mode. Once the CSP has been executed, then the next user login that is associated with the kiosk mode puts the device in the kiosk mode running the application specified in the CSP configuration.
@@ -19,8 +21,6 @@ For step-by-step guide for setting up devices to run in kiosk mode, see [Set up
> **Note** The AssignedAccess CSP is only supported in Windows 10 Enterprise and Windows 10 Education.
-
-
The following diagram shows the AssignedAccess configuration service provider in tree format

@@ -36,21 +36,29 @@ In Windows 10, version 1607, you can use a provisioned app to configure the kio
Here's an example:
``` syntax
-{"Account":"redmond\\kioskuser","AUMID":"Microsoft.Windows.Contoso_cw5n1h2txyewy!Microsoft.ContosoApp.ContosoApp"}
+{"Account":"contoso\\kioskuser","AUMID":"Microsoft.Windows.Contoso_cw5n1h2txyewy!Microsoft.ContosoApp.ContosoApp"}
```
When configuring the kiosk mode app, the account name will be used to find the target user. The account name includes domain name and user name.
> **Note** The domain name can be optional if the user name is unique across the system.
-
For a local account, the domain name should be the device name. When Get is executed on this node, the domain name is always returned in the output.
+
The supported operations are Add, Delete, Get and Replace. When there's no configuration, the Get and Delete methods fail. When there's already a configuration for kiosk mode app, the Add method fails. The data pattern for Add and Replace is the same.
-## Examples
+**AssignedAccess/Configuration**
+Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For details about the configuration settings in the XML, see [Overview of the AssignedAccessConfiguration XML](#overview-of-the-assignedaccessconfiguration-xml). Here is the schema for the [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd).
+Enterprises can use this to easily configure and manage the curated lockdown experience.
+
+Supported operations are Add, Get, Delete, and Replace.
+
+Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies back (e.g. Start Layout).
+
+## Examples
KioskModeApp Add
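Review bot: The added sentence "Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies back (e.g. Start Layout)." leaves the reader unable to tell what state a device is in after Delete. List which enforced policies persist, or link to where they are listed, and say how to revert them, because an administrator decommissioning a kiosk needs to know what remains applied to the account. "Specifies the settings that you can configure in the kiosk or device" is also vague; say that the node takes the multi-app AssignedAccessConfiguration XML.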
@@ -132,11 +140,319 @@ KioskModeApp Replace
```
+## AssignedAccessConfiguration XSD
+
+``` syntax
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+## Overview of the AssignedAccessConfiguration XML
+
+Let's start by looking at the basic structure of the XML file.
+
+- A configuration xml can define multiple profiles, each profile has a unique Id and defines a curated set of applications that are allowed to run.
+- A configuration xml can have multiple configs, each config associates a non-admin user account to a default profile Id.
+- A profile has no effect if it’s not associated to a user account.
+A profile node has below information:
+- Id: a GUID attribute to uniquely identify the Profile.
+- AllowedApps: a node with a list of allowed to run applications, could be UWP apps or desktop apps.
+- StartLayout: a node for startlayout policy xml.
+- Taskbar: a node with a Boolean attribute ShowTaskbar to indicate whether to show taskbar.
+
+You can start your file by pasting the following XML (or any other examples in this doc) into a XML editor, and saving the file as filename.xml.
+
+``` syntax
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+### Allowed apps
+Based on the purpose of the kiosk device, define the list of applications that are allowed to run. This list can contain both UWP apps and desktop apps, which is used to generate the assigned access AppLocker rules.
+- For Windows apps, you need to provide the App User Model ID (AUMID).
+ - [Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867), or
+ - Get the AUMID via the [Start Layout XML](#start-layout).
+- For desktop apps, you need to specify the full path of the executable, which can contain one or more system environment variables in the form of %variableName% (i.e. %systemroot%, %windir%).
+Here are the predefined assigned access AppLocker rules:
+**For UWP apps**
+
+1. Default rule is to allow all users to launch the signed package apps.
+2. The package app deny list is generated at run time when the assigned access user signs in. Based on the installed/provisioned package apps available for the user account, assigned access generates the deny list. This list will exclude the default allowed inbox package apps which are critical for the system to function, and then exclude the allowed package apps enterprises defined in the assigned access configuration. This deny list will be used to prevent the user from accessing the apps which are available for the user but not in the allowed list.
+
+> [!Note]
+> Assigned access multi-app mode doesn’t block the enterprises or the users from installing UWP apps. When a new UWP app is installed during the current assigned access user session, this app will not be in the deny list. When the user signs out and signs in back next time, it will be included in the deny list. If this is an enterprise deployed LoB app and you want to allow it running, make sure update the assigned access configuration to include it in the allowed app list.
+
+**For Win32 apps**
+1. Default rule is to allow all users to launch the desktop programs signed with Microsoft Certificate in order for the system to boot and function. Also the rule allows admin user group to launch all desktop programs.
+2. There is a predefined inbox desktop app deny list for the assigned access user account, and this deny list is adjusted based on the desktop app allow list you defined in the multi-app configuration.
+3. Enterprise defined allowed desktop apps are added in the AppLocker allow list.
+
+The following example makes Groove Music, Movies & TV, Photos, Weather, Calculator, Paint and Notepad apps allowed to run on the device.
+
+``` syntax
+
+
+
+
+
+
+
+
+
+
+
+```
+
+### Start layout
+
+Once you have defined the list of allowed applications, you can customize the Start layout for your kiosk experience. You can choose to pin all the allowed apps on the Start screen or just a subset depending on whether you want the end user to directly access them on the Start.
+
+The easiest way for creating a customized Start layout to apply to other Windows 10 devices is to set up the Start screen on a test device and then export the layout.
+
+A few things to note here:
+
+- The test device on which you customize the Start layout should have the same OS version that is installed on the device you plan to deploy the multi-app assigned access configuration.
+- Since the multi-app assigned access experience is intended for fixed purpose devices, to ensure the device experiences are consistent and predictable, use the full Start layout option instead of the partial Start layout.
+- There are no apps pinned on the taskbar in the multi-app mode, and it is not supported to configure Taskbar layout using the CustomTaskbarLayoutCollection tag in a layout modification XML as part of the assigned access configuration.
+
+The following example pins Groove Music, Movies & TV, Photos, Weather, Calculator, Paint and Notepad apps on Start.
+
+```syntax
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ]]>
+
+```
+
+For additional information, see [Customize and export Start layout](https://docs.microsoft.com/en-us/windows/configuration/customize-and-export-start-layout)
+
+### Taskbar
+
+Define whether you want to have the taskbar present in the kiosk device. For tablet based or touch enabled All-In-One kiosks, when you don’t attach a keyboard and mouse, you can hide the taskbar as part of the multi-app experience if you want.
+The following example exposes the taskbar to the end user:
+
+``` syntax
+
+```
+The following example hides the taskbar:
+
+``` syntax
+
+```
+
+> [!Note]
+> This is different with the “Automatically hide the taskbar” option in tablet mode which shows the taskbar when swiping up from or moving the mouse pointer down to the bottom of the screen. Setting “ShowTaskbar” as “false” will always hide the taskbar.
+
+### Profiles and configs
+
+In the XML file, you define each profile with a GUID. You can create a GUID using a GUID generator. The GUID just needs to be unique within this XML file.
+
+``` syntax
+
+ …
+
+```
+
+Under Configs, define which user account will be associated with the profile. When this user account signs in on the device, the associated assigned access profile will be enforced, including the allowed apps, start layout, taskbar configuration as well as other local group policies/MDM policies set as part of the multi-app experience.
+
+``` syntax
+
+
+ MultiAppKioskUser
+
+
+
+```
+
+> [!Note]
+> - The full multi-app assigned access experience can only work for non-admin users. It’s not supported to associate an admin user with the assigned access profile, doing this in the XML file will result unexpected/unsupported experiences when this admin user signs in.
+> - Before applying the multi-app configuration, make sure the specified user account is available on the device, otherwise it will fail.
+
+### Example AssignedAccessConfiguration XML
+
+``` syntax
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ]]>
+
+
+
+
+
+
+ MultiAppKioskUser
+
+
+
+
+```
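Review bot: Under Allowed apps, the note on UWP installs describes a lockdown gap but buries it: an app installed during the current assigned access session "will not be in the deny list" until the user signs out and back in, which means it can be launched for the rest of that session. State that consequence explicitly as a limitation of multi-app mode, so deployers can decide whether to restrict app installation separately. In the same section, "%variableName% (i.e. %systemroot%, %windir%)" should use "e.g." because these are examples, and the Win32 default rule "allows admin user group to launch all desktop programs" would benefit from a cross-reference to the later note that admin accounts must not be associated with a profile. Formatting: the paragraphs "A profile node has below information:" and "Here are the predefined assigned access AppLocker rules:" follow bullet lists with no blank line and will render as part of the last bullet; also fix "make sure update" and "will result unexpected".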
diff --git a/windows/client-management/mdm/assignedaccess-ddf.md b/windows/client-management/mdm/assignedaccess-ddf.md
index f3cb07376f..a5f029da79 100644
--- a/windows/client-management/mdm/assignedaccess-ddf.md
+++ b/windows/client-management/mdm/assignedaccess-ddf.md
@@ -7,11 +7,13 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 06/19/2017
+ms.date: 07/27/2017
---
# AssignedAccess DDF
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the OMA DM device description framework (DDF) for the **AssignedAccess** configuration service provider. DDF files are used only with OMA DM provisioning XML.
@@ -20,13 +22,15 @@ You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
-The XML below is the current version for this CSP.
+The XML below is for Windows 10, version 1709.
``` syntax
]>
+ "http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
+ [
+
+]>
1.2
@@ -46,25 +50,52 @@ The XML below is the current version for this CSP.
-
+ com.microsoft/1.1/MDM/AssignedAccessKioskModeApp
+
-
- This node can accept and return json string which comprises of account name and AUMID for Kiosk mode app.
+ This node can accept and return json string which comprises of account name, and AUMID for Kiosk mode app.
Example: {"User":"domain\\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}.
When configuring kiosk mode app, account name will be used to find the target user. Account name includes domain name and user name. Domain name can be optional if user name is unique across the system. For a local account, domain name should be machine name. When "Get" is executed on this node, domain name is always returned in the output.
-This node supports Add, Delete, Replace and Get methods. When there's no configuration, "Get" and "Delete" methods fail. When there's already a configuration for kiosk mode app, "Add" method fails. The data pattern for "Add" and "Replace" is the same.
+This node supports Add, Delete, Replace and Get methods. When there's no configuration, "Get" and "Delete" methods fail. When there's already a configuration for kiosk mode app, "Add" method fails. The data pattern for "Add" and "Replace" is the same.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ Configuration
+
+
+
+
+
+
+
+ This node accepts an AssignedAccessConfiguration xml as input. Please check out samples and required xsd on MSDN.
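Review bot: The new Configuration node description ends with "Please check out samples and required xsd on MSDN", which gives the reader no location to go to. Link or name the topic that holds the AssignedAccessConfiguration sample and XSD, since the node accepts raw XML and an MDM server author needs the schema to validate input before sending it. Separately, the comma added in "account name, and AUMID" is not needed for a two-item list, and "comprises of" should be "comprises" or "consists of".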
diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md
index 1c96dd8f84..82a438d517 100644
--- a/windows/client-management/mdm/bitlocker-csp.md
+++ b/windows/client-management/mdm/bitlocker-csp.md
@@ -34,6 +34,11 @@ The following diagram shows the BitLocker configuration service provider in tree
Data type is integer. Sample value for this node to enable this policy: 1. Disabling this policy will not turn off the encryption on the storage card, but the user will no longer be prompted to turn it on.
+- 0 (default) – Storage cards do not need to be encrypted.
+- 1 – Require Storage cards to be encrypted.
+
+
Disabling this policy will not turn off the encryption on the system card, but the user will no longer be prompted to turn it on.
+
If you want to disable this policy use the following SyncML:
``` syntax
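Review bot: The added value list describes storage cards, but the context line that follows it says "system card" and otherwise repeats the sentence that closes the paragraph above ("Disabling this policy will not turn off the encryption on the storage card ..."). While this section is being touched, drop the duplicate or correct "system card" to "storage card". In the entry for value 1, "Require Storage cards" should use a lowercase "storage".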
diff --git a/windows/client-management/mdm/cm-cellularentries-csp.md b/windows/client-management/mdm/cm-cellularentries-csp.md
index 392f0820ef..7e2371d151 100644
--- a/windows/client-management/mdm/cm-cellularentries-csp.md
+++ b/windows/client-management/mdm/cm-cellularentries-csp.md
@@ -183,14 +183,15 @@ The following diagram shows the CM\_CellularEntries configuration service provid
For single SIM phones, this parm is optional. However, it is highly recommended to include this value when creating future updates. For dual SIM phones, this parm is required. Type: String. Specifies the SIM ICCID that services the connection.
**PurposeGroups**
-
Optional. Type: String. Specifies the purposes of the connection by a comma-separated list of GUIDs representing purpose values. The following purpose values are available:
+
Required. Type: String. Specifies the purposes of the connection by a comma-separated list of GUIDs representing purpose values. The following purpose values are available:
- Internet - 3E5545D2-1137-4DC8-A198-33F1C657515F
- MMS - 53E2C5D3-D13C-4068-AA38-9C48FF2E55A8
- IMS - 474D66ED-0E4B-476B-A455-19BB1239ED13
- SUPL - 6D42669F-52A9-408E-9493-1071DCC437BD
-- Purchase - 95522B2B-A6D1-4E40-960B-05E6D3F962AB (added in the next version of Windows 10)
-- Administrative - 2FFD9261-C23C-4D27-8DCF-CDE4E14A3364 (added in the next version of Windows 10)
+- Purchase - 95522B2B-A6D1-4E40-960B-05E6D3F962AB
+- Administrative - 2FFD9261-C23C-4D27-8DCF-CDE4E14A3364
+- Application - 52D7654A-00A8-4140-806C-087D66705306
## Additional information
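Review bot: Changing PurposeGroups from "Optional" to "Required" alters what a valid provisioning document looks like, but the text does not say from which Windows 10 version the value is required or what happens to existing entries that omit it. State the version and the failure behavior. In the same list, the "(added in the next version of Windows 10)" qualifiers are removed from Purchase and Administrative and the new Application GUID has none. Replace them with the actual version so admins targeting older builds know which purpose values are accepted.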
diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md
index f5bba14384..f619993de2 100644
--- a/windows/client-management/mdm/configuration-service-provider-reference.md
+++ b/windows/client-management/mdm/configuration-service-provider-reference.md
@@ -840,8 +840,8 @@ Footnotes:
2
2
-
-
+
3
+
3
diff --git a/windows/client-management/mdm/devicemanageability-csp.md b/windows/client-management/mdm/devicemanageability-csp.md
index 48dbeed8c0..9c71c56671 100644
--- a/windows/client-management/mdm/devicemanageability-csp.md
+++ b/windows/client-management/mdm/devicemanageability-csp.md
@@ -30,11 +30,22 @@ Interior node.
**Capabilities/CSPVersions**
Returns the versions of all configuration service providers supported on the device for the MDM service.
+**Provider**
+Added in Windows 10, version 1709. Interior node.
+**Provider/_ProviderID_**
+Added in Windows 10, version 1709. Provider ID of the configuration source.
-
+**Provider/_ProviderID_/ConfigInfo**
+Added in Windows 10, version 1709. Configuration information string value set by the configuration source. Recommended to be used during sync session.
+
+Data type is string. Supported operations are Add, Get, Delete, and Replace.
+
+**Provider/_ProviderID_/EnrollmentInfo**
+Added in Windows 10, version 1709. Enrollment information string value set by the configuration source. Recommended to send to server during MDM enrollment.
+
+Data type is string. Supported operations are Add, Get, Delete, and Replace.
-
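Review bot: The new Provider and Provider/_ProviderID_ entries state neither a data type nor supported operations, while ConfigInfo and EnrollmentInfo state both. Add them for consistency with the rest of the topic. ConfigInfo and EnrollmentInfo are free-form strings that accept Add and Replace, and EnrollmentInfo is meant to be sent to the server during enrollment, so it would also help to state the expected format, any length limit, and whether one configuration source can read or overwrite values under another provider's ID.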
diff --git a/windows/client-management/mdm/devicemanageability-ddf.md b/windows/client-management/mdm/devicemanageability-ddf.md
index f45881a241..a1f646623e 100644
--- a/windows/client-management/mdm/devicemanageability-ddf.md
+++ b/windows/client-management/mdm/devicemanageability-ddf.md
@@ -7,12 +7,15 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 06/19/2017
+ms.date: 08/10/2017
---
# DeviceManageability DDF
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
This topic shows the OMA DM device description framework (DDF) for the DeviceManageability configuration service provider. This CSP was added in Windows 10, version 1607.
You can download the DDF files from the links below:
@@ -20,7 +23,7 @@ You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
-The XML below is the current version for this CSP.
+The XML below is for Windows 10, version 1709.
``` syntax
@@ -46,7 +49,7 @@ The XML below is the current version for this CSP.
- com.microsoft/1.0/MDM/DeviceManageability
+ com.microsoft/1.1/MDM/DeviceManageability
@@ -90,9 +93,105 @@ The XML below is the current version for this CSP.
+
+ Provider
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Provider
+
+
+
+
+
+
+
+
+
+
+
+
+ Provider ID String of the Configuration Source
+
+
+
+
+
+
+
+
+
+ ProviderID
+
+
+
+
+
+ ConfigInfo
+
+
+
+
+
+
+
+ Configuration Info string value set by the config source. Recommended to be used during sync session.
+
+
+
+
+
+
+
+
+
+ ConfigInfo
+
+ text/plain
+
+
+
+
+ EnrollmentInfo
+
+
+
+
+
+
+
+ Enrollment Info string value set by the config source. Recommended to sent to server during MDM enrollment.
+
+
+
+
+
+
+
+
+
+ EnrollmentInfo
+
+ text/plain
+
+
+
+
+
-
```
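Review bot: The EnrollmentInfo description reads "Recommended to sent to server during MDM enrollment". It should read "Recommended to be sent to the server during MDM enrollment", matching the grammar of the ConfigInfo description above it and the wording used in devicemanageability-csp.md.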
diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md
index 9abf518c45..2d8c6f0b32 100644
--- a/windows/client-management/mdm/devicestatus-csp.md
+++ b/windows/client-management/mdm/devicestatus-csp.md
@@ -12,6 +12,8 @@ ms.date: 06/19/2017
# DeviceStatus CSP
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The DeviceStatus configuration service provider is used by the enterprise to keep track of device inventory and query the state of compliance of these devices with their enterprise policies.
@@ -113,32 +115,32 @@ Boolean value that indicates compliance with the enterprise encryption policy. T
Supported operation is Get.
**DeviceStatus/TPM**
-Added in , version 1607. Node for the TPM query.
+Added in Windows, version 1607. Node for the TPM query.
Supported operation is Get.
**DeviceStatus/TPM/SpecificationVersion**
-Added in , version 1607. String that specifies the specification version.
+Added in Windows, version 1607. String that specifies the specification version.
Supported operation is Get.
**DeviceStatus/OS**
-Added in , version 1607. Node for the OS query.
+Added in Windows, version 1607. Node for the OS query.
Supported operation is Get.
**DeviceStatus/OS/Edition**
-Added in , version 1607. String that specifies the OS edition.
+Added in Windows, version 1607. String that specifies the OS edition.
Supported operation is Get.
**DeviceStatus/Antivirus**
-Added in , version 1607. Node for the antivirus query.
+Added in Windows, version 1607. Node for the antivirus query.
Supported operation is Get.
**DeviceStatus/Antivirus/SignatureStatus**
-Added in , version 1607. Integer that specifies the status of the antivirus signature.
+Added in Windows, version 1607. Integer that specifies the status of the antivirus signature.
Valid values:
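Review bot: The replacement "Added in Windows, version 1607" fixes the empty product name but still omits the release name. Other topics in this patch use the form "Added in Windows 10, version 1709". Use "Windows 10, version 1607" here and in the remaining hunks of this file that make the same substitution.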
@@ -149,7 +151,7 @@ Valid values:
Supported operation is Get.
**DeviceStatus/Antivirus/Status**
-Added in , version 1607. Integer that specifies the status of the antivirus.
+Added in Windows, version 1607. Integer that specifies the status of the antivirus.
Valid values:
@@ -162,27 +164,27 @@ Valid values:
Supported operation is Get.
**DeviceStatus/Antispyware**
-Added in , version 1607. Node for the antispyware query.
+Added in Windows, version 1607. Node for the antispyware query.
Supported operation is Get.
**DeviceStatus/Antispyware/SignatureStatus**
-Added in , version 1607. Integer that specifies the status of the antispyware signature.
+Added in Windows, version 1607. Integer that specifies the status of the antispyware signature.
Supported operation is Get.
**DeviceStatus/Antispyware/Status**
-Added in , version 1607. Integer that specifies the status of the antispyware.
+Added in Windows, version 1607. Integer that specifies the status of the antispyware.
Supported operation is Get.
**DeviceStatus/Firewall**
-Added in , version 1607. Node for the firewall query.
+Added in Windows, version 1607. Node for the firewall query.
Supported operation is Get.
**DeviceStatus/Firewall/Status**
-Added in , version 1607. Integer that specifies the status of the firewall.
+Added in Windows, version 1607. Integer that specifies the status of the firewall.
Valid values:
@@ -195,43 +197,84 @@ Valid values:
Supported operation is Get.
**DeviceStatus/UAC**
-Added in , version 1607. Node for the UAC query.
+Added in Windows, version 1607. Node for the UAC query.
Supported operation is Get.
**DeviceStatus/UAC/Status**
-Added in , version 1607. Integer that specifies the status of the UAC.
+Added in Windows, version 1607. Integer that specifies the status of the UAC.
Supported operation is Get.
**DeviceStatus/Battery**
-Added in , version 1607. Node for the battery query.
+Added in Windows, version 1607. Node for the battery query.
Supported operation is Get.
**DeviceStatus/Battery/Status**
-Added in , version 1607. Integer that specifies the status of the battery
+Added in Windows, version 1607. Integer that specifies the status of the battery
Supported operation is Get.
**DeviceStatus/Battery/EstimatedChargeRemaining**
-Added in , version 1607. Integer that specifies the estimated battery charge remaining. This is the value returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](https://msdn.microsoft.com/library/windows/desktop/aa373232.aspx).
+Added in Windows, version 1607. Integer that specifies the estimated battery charge remaining. This is the value returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](https://msdn.microsoft.com/library/windows/desktop/aa373232.aspx).
The value is the number of seconds of battery life remaining when the device is not connected to an AC power source. When it is connected to a power source, the value is -1. When the estimation is unknown, the value is -1.
Supported operation is Get.
**DeviceStatus/Battery/EstimatedRuntime**
-Added in , version 1607. Integer that specifies the estimated runtime of the battery. This is the value returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](https://msdn.microsoft.com/library/windows/desktop/aa373232.aspx).
+Added in Windows, version 1607. Integer that specifies the estimated runtime of the battery. This is the value returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](https://msdn.microsoft.com/library/windows/desktop/aa373232.aspx).
The value is the number of seconds of battery life remaining when the device is not connected to an AC power source. When it is connected to a power source, the value is -1. When the estimation is unknown, the value is -1.
Supported operation is Get.
-
-
-
+**DeviceStatus/DomainName**
+Added in Windows, version 1709. Returns the fully qualified domain name of the device (if any). If the device is not domain-joined, it returns an empty string.
+Supported operation is Get.
+
+**DeviceStatus/DeviceGuard**
+Added in Windows, version 1709. Node for Device Guard query.
+
+Supported operation is Get.
+
+**DeviceStatus/DeviceGuard/VirtualizationBasedSecurityHwReq**
+Added in Windows, version 1709. Virtualization-based security hardware requirement status. The value is a 256 value bitmask.
+
+- 0x0: System meets hardware configuration requirements
+- 0x1: SecureBoot required
+- 0x2: DMA Protection required
+- 0x4: HyperV not supported for Guest VM
+- 0x8: HyperV feature is not available
+
+Supported operation is Get.
+
+**DeviceStatus/DeviceGuard/VirtualizationBasedSecurityStatus**
+Added in Windows, version 1709. Virtualization-based security status. Value is one of the following:
+- 0 - Running
+- 1 - Reboot required
+- 2 - 64 bit architecture required
+- 3 - not licensed
+- 4 - not configured
+- 5 - System doesn't meet hardware requirements
+- 42 – Other. Event logs in Microsoft-Windows-DeviceGuard have more details
+
+
+Supported operation is Get.
+
+**DeviceStatus/DeviceGuard/LsaCfgCredGuardStatus**
+Added in Windows, version 1709. Local System Authority (LSA) credential guard status.
+
+- 0 - Running
+- 1 - Reboot required
+- 2 - Not licensed for Credential Guard
+- 3 - Not configured
+- 4 - VBS not running
+
+
+Supported operation is Get.
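Review bot: In the LsaCfgCredGuardStatus entry, "Local System Authority (LSA)" should be "Local Security Authority (LSA)". In VirtualizationBasedSecurityHwReq, "a 256 value bitmask" is unclear next to a list that defines only 0x1, 0x2, 0x4 and 0x8. If the flags can be combined, say so, so that compliance rules test individual bits rather than compare the whole value for equality. None of the new DomainName or DeviceGuard entries state a data type. Also, EstimatedChargeRemaining and EstimatedRuntime carry the same description (both cite BatteryLifeTime, in seconds). Please confirm which SYSTEM_POWER_STATUS field each node returns.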
diff --git a/windows/client-management/mdm/devicestatus-ddf.md b/windows/client-management/mdm/devicestatus-ddf.md
index 9fc150cf5b..b9e8608716 100644
--- a/windows/client-management/mdm/devicestatus-ddf.md
+++ b/windows/client-management/mdm/devicestatus-ddf.md
@@ -7,11 +7,13 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 06/19/2017
+ms.date: 07/24/2017
---
# DeviceStatus DDF
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the OMA DM device description framework (DDF) for the **DeviceStatus** configuration service provider. DDF files are used only with OMA DM provisioning XML.
@@ -20,7 +22,7 @@ You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
-The XML below is the current version for this CSP.
+The XML below is for Windows 10, version 1709.
``` syntax
@@ -46,7 +48,7 @@ The XML below is the current version for this CSP.
- com.microsoft/1.2/MDM/DeviceStatus
+ com.microsoft/1.4/MDM/DeviceStatus
@@ -761,16 +763,108 @@ The XML below is the current version for this CSP.
+
+ DomainName
+
+
+
+
+ Returns the fully qualified domain name of the device(if any).
+
+
+
+
+
+
+
+
+
+ DomainName
+
+ text/plain
+
+
+
+
+ DeviceGuard
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ VirtualizationBasedSecurityHwReq
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ VirtualizationBasedSecurityStatus
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ LsaCfgCredGuardStatus
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
-```
-
-
-
-
-
-
-
-
-
-
+```
\ No newline at end of file
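Review bot: The closing fence is re-added as the last line with "\ No newline at end of file". End the file with a newline so later diffs do not show a spurious change on that line. In the same hunk, "device(if any)" in the DomainName description needs a space before the parenthesis. As shown here, the three DeviceGuard leaves carry no description text, so the bitmask and status values documented in devicestatus-csp.md are not discoverable from the DDF alone.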
diff --git a/windows/client-management/mdm/enterprisedataprotection-csp.md b/windows/client-management/mdm/enterprisedataprotection-csp.md
index 95722f7b40..c79f4f55e9 100644
--- a/windows/client-management/mdm/enterprisedataprotection-csp.md
+++ b/windows/client-management/mdm/enterprisedataprotection-csp.md
@@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 06/19/2017
+ms.date: 08/09/2017
---
# EnterpriseDataProtection CSP
@@ -44,8 +44,8 @@ The following diagram shows the EnterpriseDataProtection CSP in tree format.
- 0 (default) – Off / No protection (decrypts previously protected data).
- 1 – Silent mode (encrypt and audit only).
-- 2 – Override mode (encrypt, prompt, and audit).
-- 3 – Block mode (encrypt, block, and audit).
+- 2 – Allow override mode (encrypt, prompt and allow overrides, and audit).
+- 3 – Hides overrides (encrypt, prompt but hide overrides, and audit).
Supported operations are Add, Get, Replace and Delete. Value type is integer.
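Review bot: The new wording for value 3 drops "block" ("encrypt, block, and audit" becomes "encrypt, prompt but hide overrides, and audit"), which leaves it unclear whether the action is still blocked at this level. An admin choosing an enforcement level needs that stated outright, for example by saying that the user is prompted and cannot override. The two labels are also not parallel ("Allow override mode" against "Hides overrides"). Pick one form for both entries.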
diff --git a/windows/client-management/mdm/federated-authentication-device-enrollment.md b/windows/client-management/mdm/federated-authentication-device-enrollment.md
index a1520e20ad..ea69e071b5 100644
--- a/windows/client-management/mdm/federated-authentication-device-enrollment.md
+++ b/windows/client-management/mdm/federated-authentication-device-enrollment.md
@@ -129,7 +129,7 @@ The discovery response is in the XML format and includes the following fields:
- Authentication policy (AuthPolicy) – Indicates what type of authentication is required. For the MDM server, OnPremise is the supported value, which means that the user will be authenticated when calling the management service URL. This field is mandatory.
- In Windows, Federated is added as another supported value. This allows the server to leverage the Web Authentication Broker to perform customized user authentication, and term of usage acceptance.
-> **Note** The HTTP server response must not be chunked; it must be sent as one message.
+> **Note** The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message.
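Review bot: In the reworded note, "must not set Transfer-Encoding to Chunked" names the header but leaves "it must be sent as one message" with an unclear antecedent, and the header value is conventionally written in lowercase. Suggest "The HTTP server response must not use chunked transfer encoding (Transfer-Encoding: chunked); the response must be sent as one message". The same sentence is changed in the two later hunks of this file and should get the same wording.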
@@ -297,7 +297,7 @@ After the user is authenticated, the web service retrieves the certificate templ
MS-XCEP supports very flexible enrollment policies using various Complex Types and Attributes. For Windows device, we will first support the minimalKeyLength, the hashAlgorithmOIDReference policies, and the CryptoProviders. The hashAlgorithmOIDReference has related OID and OIDReferenceID and policySchema in the GetPolicesResponse. The policySchema refers to the certificate template version. Version 3 of MS-XCEP supports hashing algorithms.
-> **Note** The HTTP server response must not be chunked; it must be sent as one message.
+> **Note** The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message.
@@ -482,7 +482,7 @@ The following example shows the enrollment web service request for federated aut
After validating the request, the web service looks up the assigned certificate template for the client, update it if needed, sends the PKCS\#10 requests to the CA, processes the response from the CA, constructs an OMA Client Provisioning XML format, and returns it in the RequestSecurityTokenResponse (RSTR).
-> **Note** The HTTP server response must not be chunked; it must be sent as one message.
+> **Note** The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message.
diff --git a/windows/client-management/mdm/images/provisioning-csp-assignedaccess.png b/windows/client-management/mdm/images/provisioning-csp-assignedaccess.png
index 14d49cdd89..df8aa48b95 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-assignedaccess.png and b/windows/client-management/mdm/images/provisioning-csp-assignedaccess.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-devicemanageability.png b/windows/client-management/mdm/images/provisioning-csp-devicemanageability.png
index e8364c9bd7..136c240862 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-devicemanageability.png and b/windows/client-management/mdm/images/provisioning-csp-devicemanageability.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-devicestatus.png b/windows/client-management/mdm/images/provisioning-csp-devicestatus.png
index 55b12f6c7f..76c746d95f 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-devicestatus.png and b/windows/client-management/mdm/images/provisioning-csp-devicestatus.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-surfacehub.png b/windows/client-management/mdm/images/provisioning-csp-surfacehub.png
index 8ef11aeb25..1e31e34b6e 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-surfacehub.png and b/windows/client-management/mdm/images/provisioning-csp-surfacehub.png differ
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
index fd602713a7..faf1bef99e 100644
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@@ -10,7 +10,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/12/2017
+ms.date: 08/10/2017
---
# What's new in MDM enrollment and management
@@ -949,13 +949,62 @@ For details about Microsoft mobile device management protocols for Windows 10 s
Added DeviceTunnel profile in Windows 10, version 1709.
+
[DeviceStatus CSP](devicestatus-csp.md)
+
Added the following settings in Windows 10, version 1709:
@@ -970,6 +1019,10 @@ For details about Microsoft mobile device management protocols for Windows 10 s
Defender/EnableNetworkProtection
Defender/GuardedFoldersAllowedApplications
Defender/GuardedFoldersList
+
Education/DefaultPrinterName
+
Education/PreventAddingNewPrinters
+
Education/PrinterNames
+
Security/ClearTPMIfNotReady
Update/ScheduledInstallEveryWeek
Update/ScheduledInstallFirstWeek
Update/ScheduledInstallFourthWeek
@@ -1259,6 +1312,80 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
## Change history in MDM documentation
+### August 2017
+
+
Updated the Settings/EDPEnforcementLevel values to the following:
+
+
0 (default) – Off / No protection (decrypts previously protected data).
+
1 – Silent mode (encrypt and audit only).
+
2 – Allow override mode (encrypt, prompt and allow overrides, and audit).
+
3 – Hides overrides (encrypt, prompt but hide overrides, and audit).
+
+
+
+
[AppLocker CSP](applocker-csp.md)
+
Added two new SyncML examples (to disable the calendar app and to block usage of the map app) in [Whitelist examples](applocker-csp.md#whitelist-examples).
Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutoPilotResetCredentials.
+
+
+
+
### July 2017
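Review bot: The change-history entry that renames CredentialProviders/EnableWindowsAutoPilotResetCredentials to CredentialProviders/DisableAutomaticReDeploymentCredentials goes from an "Enable" name to a "Disable" name without saying whether the value meanings are inverted. Add one sentence on how existing values map to the new policy, so an admin who already deployed the earlier name does not end up with the opposite setting.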
@@ -1290,6 +1417,10 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
Added the following new policies for Windows 10, version 1709:
Changed PasswordRotationPeriod to PasswordRotationEnabled.
+
@@ -2569,10 +2722,16 @@ No. Only one MDM is allowed.
5. Set quota to unlimited.

-
-
+**What is dmwappushsvc?**
+
+Entry | Description
+--------------- | --------------------
+What is dmwappushsvc? | It is a Windows service that ships in Windows 10 operating system as a part of the windows management platform. It is used internally by the operating system as a queue for categorizing and processing all WAP messages, which include Windows management messages, MMS, NabSync, and Service Indication/Service Loading (SI/SL). The service also initiates and orchestrates management sync sessions with the MDM server. |
+What data is handled by dmwappushsvc? | It is a component handling the internal workings of the management platform and involved in processing messages that have been received by the device remotely for management. The messages in the queue are serviced by another component that is also part of the Windows management stack to process messages. The service also routes and authenticates WAP messages received by the device to internal OS components that process them further: MMS, NabSync, SI/SL. |
+How do I turn if off? | The service can be stopped from the "Services" console on the device (Start > Run > services.msc). However, since this is a component part of the OS and required for the proper functioning of the device, we strongly recommend not to do this. |
+
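Review bot: The third table row reads "How do I turn if off?", which should be "How do I turn it off?". The bold line "**What is dmwappushsvc?**" above the table repeats the first row's entry, so consider a neutral heading for the FAQ. The data rows end with a trailing pipe while the header and separator rows do not. Make the rows consistent so the table renders the same everywhere.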
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 9f6c24805f..23d468a09d 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/07/2017
+ms.date: 08/04/2017
---
# Policy CSP
@@ -77,7 +77,7 @@ The following diagram shows the Policy configuration service provider in tree fo
Supported operations are Add, Get, and Delete.
**Policy/ConfigOperations/ADMXInstall**
-
Added in Windows 10, version 1703. Allows settings for ADMX files for Win32 and Centennial apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed polices for those Win32 or Centennial apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: `./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`. Each ADMX-backed policy or preference that is added is assigned a unique ID. For more information about using Policy CSP to configure Win32 and Centennial app policies, see [Win32 and Centennial app policy configuration](win32-and-centennial-app-policy-configuration.md).
+
Added in Windows 10, version 1703. Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed polices for those Win32 or Desktop Bridge apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: `./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`. Each ADMX-backed policy or preference that is added is assigned a unique ID. For more information about using Policy CSP to configure Win32 and Desktop Bridge app policies, see [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md).
> [!NOTE]
> The OPAX settings that are managed by the Microsoft Office Customization Tool are not supported by MDM. For more information about this tool, see [Office Customization Tool](https://technet.microsoft.com/en-us/library/cc179097.aspx).
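Review bot: The rewritten ADMXInstall paragraph keeps the typo "ADMX-backed polices", which should be "policies". The link text now says "Win32 and Desktop Bridge app policy configuration" while the target is still win32-and-centennial-app-policy-configuration.md. That is fine if the file is not being renamed, but confirm the target topic's title was updated too, so the link text and the page heading agree.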
@@ -87,12 +87,12 @@ The following diagram shows the Policy configuration service provider in tree fo
Supported operations are Add, Get, and Delete.
**Policy/ConfigOperations/ADMXInstall/****_AppName_**
-
Added in Windows 10, version 1703. Specifies the name of the Win32 or Centennial app associated with the ADMX file.
+
Added in Windows 10, version 1703. Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX file.
Supported operations are Add, Get, and Delete.
**Policy/ConfigOperations/ADMXInstall/****_AppName_/Policy**
-
Added in Windows 10, version 1703. Specifies that a Win32 or Centennial app policy is to be imported.
+
Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app policy is to be imported.
Supported operations are Add, Get, and Delete.
@@ -102,7 +102,7 @@ The following diagram shows the Policy configuration service provider in tree fo
Supported operations are Add and Get. Does not support Delete.
**Policy/ConfigOperations/ADMXInstall/****_AppName_/Preference**
-
Added in Windows 10, version 1703. Specifies that a Win32 or Centennial app preference is to be imported.
+
Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app preference is to be imported.
Supported operations are Add, Get, and Delete.
@@ -256,7 +256,7 @@ The following diagram shows the Policy configuration service provider in tree fo
AppVirtualization/PublishingAllowServer5
### Kerberos policies
@@ -1755,6 +1778,83 @@ The following diagram shows the Policy configuration service provider in tree fo
+### LocalPoliciesSecurityOptions policies
+
+
-## ADMX backed policies
+## ADMX-backed policies
- [ActiveXControls/ApprovedInstallationSites](./policy-csp-activexcontrols.md#activexcontrols-approvedinstallationsites)
- [AppVirtualization/AllowAppVClient](./policy-csp-appvirtualization.md#appvirtualization-allowappvclient)
@@ -2833,7 +2935,7 @@ The following diagram shows the Policy configuration service provider in tree fo
- [AppVirtualization/PublishingAllowServer3](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver3)
- [AppVirtualization/PublishingAllowServer4](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver4)
- [AppVirtualization/PublishingAllowServer5](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver5)
-- [AppVirtualization/StreamingAllowCertificateFilterForClient_SSL](./policy-csp-appvirtualization.md#appvirtualization-streamingallowcertificatefilterforclient_ssl)
+- [AppVirtualization/StreamingAllowCertificateFilterForClient_SSL](./policy-csp-appvirtualization.md#appvirtualization-streamingallowcertificatefilterforclient-ssl)
- [AppVirtualization/StreamingAllowHighCostLaunch](./policy-csp-appvirtualization.md#appvirtualization-streamingallowhighcostlaunch)
- [AppVirtualization/StreamingAllowLocationProvider](./policy-csp-appvirtualization.md#appvirtualization-streamingallowlocationprovider)
- [AppVirtualization/StreamingAllowPackageInstallationRoot](./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackageinstallationroot)
@@ -2850,12 +2952,12 @@ The following diagram shows the Policy configuration service provider in tree fo
- [Autoplay/DisallowAutoplayForNonVolumeDevices](./policy-csp-autoplay.md#autoplay-disallowautoplayfornonvolumedevices)
- [Autoplay/SetDefaultAutoRunBehavior](./policy-csp-autoplay.md#autoplay-setdefaultautorunbehavior)
- [Autoplay/TurnOffAutoPlay](./policy-csp-autoplay.md#autoplay-turnoffautoplay)
-- [Cellular/ShowAppCellularAccessUI](./policy-csp-cellular.md#None)
-- [Connectivity/DiablePrintingOverHTTP](./policy-csp-connectivity.md#None)
-- [Connectivity/DisableDownloadingOfPrintDriversOverHTTP](./policy-csp-connectivity.md#None)
-- [Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](./policy-csp-connectivity.md#None)
+- [Cellular/ShowAppCellularAccessUI](./policy-csp-cellular.md#cellular-showappcellularaccessui)
+- [Connectivity/DiablePrintingOverHTTP](./policy-csp-connectivity.md#connectivity-diableprintingoverhttp)
+- [Connectivity/DisableDownloadingOfPrintDriversOverHTTP](./policy-csp-connectivity.md#connectivity-disabledownloadingofprintdriversoverhttp)
+- [Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](./policy-csp-connectivity.md#connectivity-disableinternetdownloadforwebpublishingandonlineorderingwizards)
- [Connectivity/HardenedUNCPaths](./policy-csp-connectivity.md#connectivity-hardeneduncpaths)
-- [Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge](./policy-csp-connectivity.md#None)
+- [Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge](./policy-csp-connectivity.md#connectivity-prohibitinstallationandconfigurationofnetworkbridge)
- [CredentialProviders/AllowPINLogon](./policy-csp-credentialproviders.md#credentialproviders-allowpinlogon)
- [CredentialProviders/BlockPicturePassword](./policy-csp-credentialproviders.md#credentialproviders-blockpicturepassword)
- [CredentialsUI/DisablePasswordReveal](./policy-csp-credentialsui.md#credentialsui-disablepasswordreveal)
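Review bot: The new fragment `#connectivity-diableprintingoverhttp` bakes the spelling "Diable" into the anchor, right above DisableDownloadingOfPrintDriversOverHTTP, which is spelled "Disable". If "Diable" is the actual node name, keep it and say so in the commit message; if it is a typo in the docs, fix the link text and the anchor together so this link does not have to change a second time.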
@@ -2878,13 +2980,13 @@ The following diagram shows the Policy configuration service provider in tree fo
- [InternetExplorer/AddSearchProvider](./policy-csp-internetexplorer.md#internetexplorer-addsearchprovider)
- [InternetExplorer/AllowActiveXFiltering](./policy-csp-internetexplorer.md#internetexplorer-allowactivexfiltering)
- [InternetExplorer/AllowAddOnList](./policy-csp-internetexplorer.md#internetexplorer-allowaddonlist)
-- [InternetExplorer/AllowAutoComplete](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/AllowCertificateAddressMismatchWarning](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/AllowDeletingBrowsingHistoryOnExit](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/AllowAutoComplete](./policy-csp-internetexplorer.md#internetexplorer-allowautocomplete)
+- [InternetExplorer/AllowCertificateAddressMismatchWarning](./policy-csp-internetexplorer.md#internetexplorer-allowcertificateaddressmismatchwarning)
+- [InternetExplorer/AllowDeletingBrowsingHistoryOnExit](./policy-csp-internetexplorer.md#internetexplorer-allowdeletingbrowsinghistoryonexit)
- [InternetExplorer/AllowEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-allowenhancedprotectedmode)
- [InternetExplorer/AllowEnterpriseModeFromToolsMenu](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodefromtoolsmenu)
- [InternetExplorer/AllowEnterpriseModeSiteList](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodesitelist)
-- [InternetExplorer/AllowFallbackToSSL3](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/AllowFallbackToSSL3](./policy-csp-internetexplorer.md#internetexplorer-allowfallbacktossl3)
- [InternetExplorer/AllowInternetExplorer7PolicyList](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorer7policylist)
- [InternetExplorer/AllowInternetExplorerStandardsMode](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorerstandardsmode)
- [InternetExplorer/AllowInternetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowinternetzonetemplate)
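Review bot: The `#None` fragments replaced here (AllowAutoComplete, AllowCertificateAddressMismatchWarning, AllowDeletingBrowsingHistoryOnExit, AllowFallbackToSSL3) repeat the pattern seen in the other hunks of this file, which looks like a placeholder written when a heading could not be resolved. Patching the entries by hand leaves that failure mode in place; consider a build check that rejects any `#None` fragment so that entries for settings such as AllowFallbackToSSL3 and AllowCertificateAddressMismatchWarning cannot ship with dead links again.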
@@ -2896,36 +2998,36 @@ The following diagram shows the Policy configuration service provider in tree fo
- [InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownrestrictedsiteszonetemplate)
- [InternetExplorer/AllowOneWordEntry](./policy-csp-internetexplorer.md#internetexplorer-allowonewordentry)
- [InternetExplorer/AllowSiteToZoneAssignmentList](./policy-csp-internetexplorer.md#internetexplorer-allowsitetozoneassignmentlist)
-- [InternetExplorer/AllowSoftwareWhenSignatureIsInvalid](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/AllowSoftwareWhenSignatureIsInvalid](./policy-csp-internetexplorer.md#internetexplorer-allowsoftwarewhensignatureisinvalid)
- [InternetExplorer/AllowSuggestedSites](./policy-csp-internetexplorer.md#internetexplorer-allowsuggestedsites)
- [InternetExplorer/AllowTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowtrustedsiteszonetemplate)
- [InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowslockeddowntrustedsiteszonetemplate)
- [InternetExplorer/AllowsRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowsrestrictedsiteszonetemplate)
-- [InternetExplorer/CheckServerCertificateRevocation](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/CheckSignaturesOnDownloadedPrograms](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/CheckServerCertificateRevocation](./policy-csp-internetexplorer.md#internetexplorer-checkservercertificaterevocation)
+- [InternetExplorer/CheckSignaturesOnDownloadedPrograms](./policy-csp-internetexplorer.md#internetexplorer-checksignaturesondownloadedprograms)
+- [InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-consistentmimehandlinginternetexplorerprocesses)
- [InternetExplorer/DisableAdobeFlash](./policy-csp-internetexplorer.md#internetexplorer-disableadobeflash)
-- [InternetExplorer/DisableBlockingOfOutdatedActiveXControls](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/DisableBlockingOfOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-disableblockingofoutdatedactivexcontrols)
- [InternetExplorer/DisableBypassOfSmartScreenWarnings](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarnings)
- [InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarningsaboutuncommonfiles)
-- [InternetExplorer/DisableConfiguringHistory](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/DisableCrashDetection](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/DisableConfiguringHistory](./policy-csp-internetexplorer.md#internetexplorer-disableconfiguringhistory)
+- [InternetExplorer/DisableCrashDetection](./policy-csp-internetexplorer.md#internetexplorer-disablecrashdetection)
- [InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation](./policy-csp-internetexplorer.md#internetexplorer-disablecustomerexperienceimprovementprogramparticipation)
-- [InternetExplorer/DisableDeletingUserVisitedWebsites](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/DisableDeletingUserVisitedWebsites](./policy-csp-internetexplorer.md#internetexplorer-disabledeletinguservisitedwebsites)
- [InternetExplorer/DisableEnclosureDownloading](./policy-csp-internetexplorer.md#internetexplorer-disableenclosuredownloading)
- [InternetExplorer/DisableEncryptionSupport](./policy-csp-internetexplorer.md#internetexplorer-disableencryptionsupport)
- [InternetExplorer/DisableFirstRunWizard](./policy-csp-internetexplorer.md#internetexplorer-disablefirstrunwizard)
- [InternetExplorer/DisableFlipAheadFeature](./policy-csp-internetexplorer.md#internetexplorer-disableflipaheadfeature)
- [InternetExplorer/DisableHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablehomepagechange)
-- [InternetExplorer/DisableIgnoringCertificateErrors](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/DisableInPrivateBrowsing](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/DisableProcessesInEnhancedProtectedMode](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/DisableIgnoringCertificateErrors](./policy-csp-internetexplorer.md#internetexplorer-disableignoringcertificateerrors)
+- [InternetExplorer/DisableInPrivateBrowsing](./policy-csp-internetexplorer.md#internetexplorer-disableinprivatebrowsing)
+- [InternetExplorer/DisableProcessesInEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-disableprocessesinenhancedprotectedmode)
- [InternetExplorer/DisableProxyChange](./policy-csp-internetexplorer.md#internetexplorer-disableproxychange)
- [InternetExplorer/DisableSearchProviderChange](./policy-csp-internetexplorer.md#internetexplorer-disablesearchproviderchange)
- [InternetExplorer/DisableSecondaryHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablesecondaryhomepagechange)
-- [InternetExplorer/DisableSecuritySettingsCheck](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/DisableSecuritySettingsCheck](./policy-csp-internetexplorer.md#internetexplorer-disablesecuritysettingscheck)
- [InternetExplorer/DisableUpdateCheck](./policy-csp-internetexplorer.md#internetexplorer-disableupdatecheck)
-- [InternetExplorer/DoNotAllowActiveXControlsInProtectedMode](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/DoNotAllowActiveXControlsInProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-donotallowactivexcontrolsinprotectedmode)
- [InternetExplorer/DoNotAllowUsersToAddSites](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstoaddsites)
- [InternetExplorer/DoNotAllowUsersToChangePolicies](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstochangepolicies)
- [InternetExplorer/DoNotBlockOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrols)
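Review bot: After this hunk the list links both `DisableBlockingOfOutdatedActiveXControls` (anchor added here) and `DoNotBlockOutdatedActiveXControls` (unchanged context line at the end of the hunk), and the two names read as the same setting. Please confirm that both headings exist in policy-csp-internetexplorer.md and that one of them is not a stale duplicate before giving the first a live anchor.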
@@ -2935,42 +3037,39 @@ The following diagram shows the Policy configuration service provider in tree fo
- [InternetExplorer/InternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowaccesstodatasources)
- [InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforactivexcontrols)
- [InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforfiledownloads)
-- [InternetExplorer/InternetZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/InternetZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowcopypasteviascript)
+- [InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowdraganddropcopyandpastefiles)
- [InternetExplorer/InternetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowfontdownloads)
- [InternetExplorer/InternetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowlessprivilegedsites)
-- [InternetExplorer/InternetZoneAllowLoadingOfXAMLFilesWRONG](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowloadingofxamlfiles)
- [InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallownetframeworkreliantcomponents)
-- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/InternetZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowonlyapproveddomainstouseactivexcontrols)
+- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowonlyapproveddomainstousetdcactivexcontrol)
+- [InternetExplorer/InternetZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptinitiatedwindows)
+- [InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptingofinternetexplorerwebbrowsercontrols)
- [InternetExplorer/InternetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptlets)
- [InternetExplorer/InternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowsmartscreenie)
-- [InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowupdatestostatusbarviascript)
- [InternetExplorer/InternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowuserdatapersistence)
-- [InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG1](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG2](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/InternetZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/InternetZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/InternetZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/InternetZoneEnableProtectedMode](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedonotrunantimalwareagainstactivexcontrols)
+- [InternetExplorer/InternetZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadsignedactivexcontrols)
+- [InternetExplorer/InternetZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadunsignedactivexcontrols)
+- [InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenablecrosssitescriptingfilter)
+- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainsacrosswindows)
+- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainswithinwindows)
+- [InternetExplorer/InternetZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenablemimesniffing)
+- [InternetExplorer/InternetZoneEnableProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenableprotectedmode)
+- [InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#internetexplorer-internetzoneincludelocalpathwhenuploadingfilestoserver)
- [InternetExplorer/InternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/InternetZoneJavaPermissionsWRONG1](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/InternetZoneJavaPermissionsWRONG2](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/InternetZoneLogonOptions](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/InternetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-internetzonejavapermissions)
+- [InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-internetzonelaunchingapplicationsandfilesiniframe)
+- [InternetExplorer/InternetZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-internetzonelogonoptions)
- [InternetExplorer/InternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-internetzonenavigatewindowsandframes)
-- [InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsNotSignedWithAuthenticode](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/InternetZoneUsePopupBlocker](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/InternetZoneWebsitesInLessPrivilegedZonesCanNavigateIntoThisZone](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsNotSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-internetzonerunnetframeworkreliantcomponentsnotsignedwithauthenticode)
+- [InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-internetzonerunnetframeworkreliantcomponentssignedwithauthenticode)
+- [InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneshowsecuritywarningforpotentiallyunsafefiles)
+- [InternetExplorer/InternetZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-internetzoneusepopupblocker)
+- [InternetExplorer/InternetZoneWebsitesInLessPrivilegedZonesCanNavigateIntoThisZone](./policy-csp-internetexplorer.md#internetexplorer-internetzonewebsitesinlessprivilegedzonescannavigateintothiszone)
- [InternetExplorer/IntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowaccesstodatasources)
- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforactivexcontrols)
- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforfiledownloads)
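Review bot: `InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe` is deleted in this hunk and no `+` line replaces it, unlike every other `#None` entry around it, which gets a real anchor. The WRONG1/WRONG2 pairs collapsing into a single entry accounts for two of the three lines this hunk loses (42 to 39); this entry is the third. If the policy still exists, add it back with `#internetexplorer-internetzoneinitializeandscriptactivexcontrolsnotmarkedsafe`; if it was removed on purpose, note that in the commit message, since the next hunk adds the Intranet zone counterpart of the same setting.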
@@ -2980,7 +3079,10 @@ The following diagram shows the Policy configuration service provider in tree fo
- [InternetExplorer/IntranetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowscriptlets)
- [InternetExplorer/IntranetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowsmartscreenie)
- [InternetExplorer/IntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowuserdatapersistence)
+- [InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzonedonotrunantimalwareagainstactivexcontrols)
- [InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/IntranetZoneInitializeAndScriptActiveXControlsNotMarkedSafe](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneinitializeandscriptactivexcontrolsnotmarkedsafe)
+- [InternetExplorer/IntranetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-intranetzonejavapermissions)
- [InternetExplorer/IntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-intranetzonenavigatewindowsandframes)
- [InternetExplorer/LocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowaccesstodatasources)
- [InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforactivexcontrols)
@@ -2991,9 +3093,9 @@ The following diagram shows the Policy configuration service provider in tree fo
- [InternetExplorer/LocalMachineZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowscriptlets)
- [InternetExplorer/LocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowsmartscreenie)
- [InternetExplorer/LocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowuserdatapersistence)
-- [InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonedonotrunantimalwareagainstactivexcontrols)
- [InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/LocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/LocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonejavapermissions)
- [InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonenavigatewindowsandframes)
- [InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowaccesstodatasources)
- [InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforactivexcontrols)
@@ -3005,7 +3107,7 @@ The following diagram shows the Policy configuration service provider in tree fo
- [InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowsmartscreenie)
- [InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowuserdatapersistence)
- [InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/LockedDownInternetZoneJavaPermissions](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/LockedDownInternetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonejavapermissions)
- [InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonenavigatewindowsandframes)
- [InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowaccesstodatasources)
- [InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforactivexcontrols)
@@ -3028,7 +3130,7 @@ The following diagram shows the Policy configuration service provider in tree fo
- [InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowsmartscreenie)
- [InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowuserdatapersistence)
- [InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/LockedDownLocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/LockedDownLocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonejavapermissions)
- [InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonenavigatewindowsandframes)
- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowaccesstodatasources)
- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforactivexcontrols)
@@ -3040,7 +3142,7 @@ The following diagram shows the Policy configuration service provider in tree fo
- [InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowsmartscreenie)
- [InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowuserdatapersistence)
- [InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonejavapermissions)
- [InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonenavigatewindowsandframes)
- [InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowaccesstodatasources)
- [InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforactivexcontrols)
@@ -3052,64 +3154,64 @@ The following diagram shows the Policy configuration service provider in tree fo
- [InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowsmartscreenie)
- [InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowuserdatapersistence)
- [InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonejavapermissions)
- [InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonenavigatewindowsandframes)
-- [InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/NotificationBarInternetExplorerProcesses](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/PreventManagingSmartScreenFilter](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/PreventPerUserInstallationOfActiveXControls](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictFileDownloadInternetExplorerProcesses](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mkprotocolsecurityrestrictioninternetexplorerprocesses)
+- [InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mimesniffingsafetyfeatureinternetexplorerprocesses)
+- [InternetExplorer/NotificationBarInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-notificationbarinternetexplorerprocesses)
+- [InternetExplorer/PreventManagingSmartScreenFilter](./policy-csp-internetexplorer.md#internetexplorer-preventmanagingsmartscreenfilter)
+- [InternetExplorer/PreventPerUserInstallationOfActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-preventperuserinstallationofactivexcontrols)
+- [InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-protectionfromzoneelevationinternetexplorerprocesses)
+- [InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-removerunthistimebuttonforoutdatedactivexcontrols)
+- [InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-restrictactivexinstallinternetexplorerprocesses)
+- [InternetExplorer/RestrictFileDownloadInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-restrictfiledownloadinternetexplorerprocesses)
- [InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowaccesstodatasources)
-- [InternetExplorer/RestrictedSitesZoneAllowActiveScripting](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/RestrictedSitesZoneAllowActiveScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowactivescripting)
- [InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforactivexcontrols)
- [InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforfiledownloads)
-- [InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictedSitesZoneAllowFileDownloads](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictedSitesZoneAllowFontDownloadsWRONG1](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictedSitesZoneAllowFontDownloadsWRONG2](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowbinaryandscriptbehaviors)
+- [InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowcopypasteviascript)
+- [InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowdraganddropcopyandpastefiles)
+- [InternetExplorer/RestrictedSitesZoneAllowFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowfiledownloads)
+- [InternetExplorer/RestrictedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowfontdownloads)
- [InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowlessprivilegedsites)
-- [InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowloadingofxamlfiles)
+- [InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowmetarefresh)
- [InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallownetframeworkreliantcomponents)
-- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowonlyapproveddomainstouseactivexcontrols)
+- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowonlyapproveddomainstousetdcactivexcontrol)
+- [InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptinitiatedwindows)
+- [InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptingofinternetexplorerwebbrowsercontrols)
- [InternetExplorer/RestrictedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptlets)
- [InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowsmartscreenie)
-- [InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowupdatestostatusbarviascript)
- [InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowuserdatapersistence)
-- [InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictedSitesZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedonotrunantimalwareagainstactivexcontrols)
+- [InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadsignedactivexcontrols)
+- [InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadunsignedactivexcontrols)
+- [InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenablecrosssitescriptingfilter)
+- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainsacrosswindows)
+- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainswithinwindows)
+- [InternetExplorer/RestrictedSitesZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenablemimesniffing)
+- [InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneincludelocalpathwhenuploadingfilestoserver)
- [InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/RestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictedSitesZoneLogonOptions](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/RestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonejavapermissions)
+- [InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelaunchingapplicationsandfilesiniframe)
+- [InternetExplorer/RestrictedSitesZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelogonoptions)
- [InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonenavigatewindowsandframes)
-- [InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFramesAcrossDomains](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictedSitesZoneWRONG](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictedSitesZoneWRONG2](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictedSitesZoneWRONG3](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictedSitesZoneWRONG4](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/RestrictedSitesZoneWRONG5](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFramesAcrossDomains](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonenavigatewindowsandframesacrossdomains)
+- [InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunactivexcontrolsandplugins)
+- [InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunnetframeworkreliantcomponentssignedwithauthenticode)
+- [InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptactivexcontrolsmarkedsafeforscripting)
+- [InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptingofjavaapplets)
+- [InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneshowsecuritywarningforpotentiallyunsafefiles)
+- [InternetExplorer/RestrictedSitesZoneTurnOnCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneturnoncrosssitescriptingfilter)
+- [InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneturnonprotectedmode)
+- [InternetExplorer/RestrictedSitesZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneusepopupblocker)
+- [InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-scriptedwindowsecurityrestrictionsinternetexplorerprocesses)
- [InternetExplorer/SearchProviderList](./policy-csp-internetexplorer.md#internetexplorer-searchproviderlist)
-- [InternetExplorer/SecurityZonesUseOnlyMachineSettings](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/SpecifyUseOfActiveXInstallerService](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/SecurityZonesUseOnlyMachineSettings](./policy-csp-internetexplorer.md#internetexplorer-securityzonesuseonlymachinesettings)
+- [InternetExplorer/SpecifyUseOfActiveXInstallerService](./policy-csp-internetexplorer.md#internetexplorer-specifyuseofactivexinstallerservice)
- [InternetExplorer/TrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowaccesstodatasources)
- [InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforactivexcontrols)
- [InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforfiledownloads)
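Review bot: The Restricted Sites list now carries two entries that read as the same control, `RestrictedSitesZoneEnableCrossSiteScriptingFilter` and `RestrictedSitesZoneTurnOnCrossSiteScriptingFilter`, and the index gives no way to tell whether they are distinct policies or one setting under two names. Please confirm that both anchors exist in policy-csp-internetexplorer.md and, if both are real, state on the target page how they differ, because someone hardening this zone needs to know which one takes effect. Separately, the `RestrictedSitesZoneWRONG` through `RestrictedSitesZoneWRONG5` placeholders are replaced by five named entries; check each new name against the policy it stood in for rather than relying on list position.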
@@ -3119,11 +3221,13 @@ The following diagram shows the Policy configuration service provider in tree fo
- [InternetExplorer/TrustedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowscriptlets)
- [InternetExplorer/TrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowsmartscreenie)
- [InternetExplorer/TrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowuserdatapersistence)
+- [InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonedonotrunantimalwareagainstactivexcontrols)
+- [InternetExplorer/TrustedSitesZoneDontRunAntimalwareProgramsAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonedontrunantimalwareprogramsagainstactivexcontrols)
- [InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/TrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedAsSafe](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrolsnotmarkedassafe)
+- [InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedSafe](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrolsnotmarkedsafe)
+- [InternetExplorer/TrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonejavapermissions)
- [InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonenavigatewindowsandframes)
-- [InternetExplorer/TrustedSitesZoneWRONG1](./policy-csp-internetexplorer.md#None)
-- [InternetExplorer/TrustedSitesZoneWRONG2](./policy-csp-internetexplorer.md#None)
- [Kerberos/AllowForestSearchOrder](./policy-csp-kerberos.md#kerberos-allowforestsearchorder)
- [Kerberos/KerberosClientSupportsClaimsCompoundArmor](./policy-csp-kerberos.md#kerberos-kerberosclientsupportsclaimscompoundarmor)
- [Kerberos/RequireKerberosArmoring](./policy-csp-kerberos.md#kerberos-requirekerberosarmoring)
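Review bot: Two near-duplicate pairs are added to the Trusted Sites entries: `TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls` next to `TrustedSitesZoneDontRunAntimalwareProgramsAgainstActiveXControls`, and `TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedAsSafe` next to `TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedSafe`. If only one name of each pair is a real policy node, the other should be dropped here; if both are real, the target sections should say which one applies, since these settings relax ActiveX handling and configuring the wrong name would leave the intended restriction unset. The removed `TrustedSitesZoneWRONG1` and `TrustedSitesZoneWRONG2` lines suggest these names came out of a generator, so a check against the policy definitions is worth doing before merge.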
@@ -3139,7 +3243,7 @@ The following diagram shows the Policy configuration service provider in tree fo
- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#power-standbytimeoutonbattery)
- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#power-standbytimeoutpluggedin)
- [Printers/PointAndPrintRestrictions](./policy-csp-printers.md#printers-pointandprintrestrictions)
-- [Printers/PointAndPrintRestrictions_User](./policy-csp-printers.md#printers-pointandprintrestrictions_user)
+- [Printers/PointAndPrintRestrictions_User](./policy-csp-printers.md#printers-pointandprintrestrictions-user)
- [Printers/PublishPrinters](./policy-csp-printers.md#printers-publishprinters)
- [RemoteAssistance/CustomizeWarningMessages](./policy-csp-remoteassistance.md#remoteassistance-customizewarningmessages)
- [RemoteAssistance/SessionLogging](./policy-csp-remoteassistance.md#remoteassistance-sessionlogging)
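Review bot: The anchor for `Printers/PointAndPrintRestrictions_User` changes from `#printers-pointandprintrestrictions_user` to `#printers-pointandprintrestrictions-user`, but this hunk does not show the heading anchor in policy-csp-printers.md changing with it. Please confirm the target file uses the hyphenated form; if it still has the underscore, this edit turns a working link into a broken one.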
@@ -3151,30 +3255,30 @@ The following diagram shows the Policy configuration service provider in tree fo
- [RemoteDesktopServices/DoNotAllowPasswordSaving](./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowpasswordsaving)
- [RemoteDesktopServices/PromptForPasswordUponConnection](./policy-csp-remotedesktopservices.md#remotedesktopservices-promptforpassworduponconnection)
- [RemoteDesktopServices/RequireSecureRPCCommunication](./policy-csp-remotedesktopservices.md#remotedesktopservices-requiresecurerpccommunication)
-- [RemoteManagement/AllowBasicAuthentication_Client](./policy-csp-remotemanagement.md#None)
-- [RemoteManagement/AllowBasicAuthentication_Service](./policy-csp-remotemanagement.md#None)
-- [RemoteManagement/AllowCredSSPAuthenticationClient](./policy-csp-remotemanagement.md#None)
-- [RemoteManagement/AllowCredSSPAuthenticationService](./policy-csp-remotemanagement.md#None)
-- [RemoteManagement/AllowRemoteServerManagement](./policy-csp-remotemanagement.md#None)
-- [RemoteManagement/AllowUnencryptedTraffic_Client](./policy-csp-remotemanagement.md#None)
-- [RemoteManagement/AllowUnencryptedTraffic_Service](./policy-csp-remotemanagement.md#None)
-- [RemoteManagement/DisallowDigestAuthentication](./policy-csp-remotemanagement.md#None)
-- [RemoteManagement/DisallowNegotiateAuthenticationClient](./policy-csp-remotemanagement.md#None)
-- [RemoteManagement/DisallowNegotiateAuthenticationService](./policy-csp-remotemanagement.md#None)
-- [RemoteManagement/DisallowStoringOfRunAsCredentials](./policy-csp-remotemanagement.md#None)
-- [RemoteManagement/SpecifyChannelBindingTokenHardeningLevel](./policy-csp-remotemanagement.md#None)
-- [RemoteManagement/TrustedHosts](./policy-csp-remotemanagement.md#None)
-- [RemoteManagement/TurnOnCompatibilityHTTPListener](./policy-csp-remotemanagement.md#None)
-- [RemoteManagement/TurnOnCompatibilityHTTPSListener](./policy-csp-remotemanagement.md#None)
+- [RemoteManagement/AllowBasicAuthentication_Client](./policy-csp-remotemanagement.md#remotemanagement-allowbasicauthentication-client)
+- [RemoteManagement/AllowBasicAuthentication_Service](./policy-csp-remotemanagement.md#remotemanagement-allowbasicauthentication-service)
+- [RemoteManagement/AllowCredSSPAuthenticationClient](./policy-csp-remotemanagement.md#remotemanagement-allowcredsspauthenticationclient)
+- [RemoteManagement/AllowCredSSPAuthenticationService](./policy-csp-remotemanagement.md#remotemanagement-allowcredsspauthenticationservice)
+- [RemoteManagement/AllowRemoteServerManagement](./policy-csp-remotemanagement.md#remotemanagement-allowremoteservermanagement)
+- [RemoteManagement/AllowUnencryptedTraffic_Client](./policy-csp-remotemanagement.md#remotemanagement-allowunencryptedtraffic-client)
+- [RemoteManagement/AllowUnencryptedTraffic_Service](./policy-csp-remotemanagement.md#remotemanagement-allowunencryptedtraffic-service)
+- [RemoteManagement/DisallowDigestAuthentication](./policy-csp-remotemanagement.md#remotemanagement-disallowdigestauthentication)
+- [RemoteManagement/DisallowNegotiateAuthenticationClient](./policy-csp-remotemanagement.md#remotemanagement-disallownegotiateauthenticationclient)
+- [RemoteManagement/DisallowNegotiateAuthenticationService](./policy-csp-remotemanagement.md#remotemanagement-disallownegotiateauthenticationservice)
+- [RemoteManagement/DisallowStoringOfRunAsCredentials](./policy-csp-remotemanagement.md#remotemanagement-disallowstoringofrunascredentials)
+- [RemoteManagement/SpecifyChannelBindingTokenHardeningLevel](./policy-csp-remotemanagement.md#remotemanagement-specifychannelbindingtokenhardeninglevel)
+- [RemoteManagement/TrustedHosts](./policy-csp-remotemanagement.md#remotemanagement-trustedhosts)
+- [RemoteManagement/TurnOnCompatibilityHTTPListener](./policy-csp-remotemanagement.md#remotemanagement-turnoncompatibilityhttplistener)
+- [RemoteManagement/TurnOnCompatibilityHTTPSListener](./policy-csp-remotemanagement.md#remotemanagement-turnoncompatibilityhttpslistener)
- [RemoteProcedureCall/RPCEndpointMapperClientAuthentication](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-rpcendpointmapperclientauthentication)
- [RemoteProcedureCall/RestrictUnauthenticatedRPCClients](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-restrictunauthenticatedrpcclients)
-- [RemoteShell/AllowRemoteShellAccess](./policy-csp-remoteshell.md#None)
-- [RemoteShell/MaxConcurrentUsers](./policy-csp-remoteshell.md#None)
-- [RemoteShell/SpecifyIdleTimeout](./policy-csp-remoteshell.md#None)
-- [RemoteShell/SpecifyMaxMemory](./policy-csp-remoteshell.md#None)
-- [RemoteShell/SpecifyMaxProcesses](./policy-csp-remoteshell.md#None)
-- [RemoteShell/SpecifyMaxRemoteShells](./policy-csp-remoteshell.md#None)
-- [RemoteShell/SpecifyShellTimeout](./policy-csp-remoteshell.md#None)
+- [RemoteShell/AllowRemoteShellAccess](./policy-csp-remoteshell.md#remoteshell-allowremoteshellaccess)
+- [RemoteShell/MaxConcurrentUsers](./policy-csp-remoteshell.md#remoteshell-maxconcurrentusers)
+- [RemoteShell/SpecifyIdleTimeout](./policy-csp-remoteshell.md#remoteshell-specifyidletimeout)
+- [RemoteShell/SpecifyMaxMemory](./policy-csp-remoteshell.md#remoteshell-specifymaxmemory)
+- [RemoteShell/SpecifyMaxProcesses](./policy-csp-remoteshell.md#remoteshell-specifymaxprocesses)
+- [RemoteShell/SpecifyMaxRemoteShells](./policy-csp-remoteshell.md#remoteshell-specifymaxremoteshells)
+- [RemoteShell/SpecifyShellTimeout](./policy-csp-remoteshell.md#remoteshell-specifyshelltimeout)
- [Storage/EnhancedStorageDevices](./policy-csp-storage.md#storage-enhancedstoragedevices)
- [System/BootStartDriverInitialization](./policy-csp-system.md#system-bootstartdriverinitialization)
- [System/DisableSystemRestore](./policy-csp-system.md#system-disablesystemrestore)
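Review bot: All 22 RemoteManagement and RemoteShell links in this hunk pointed at `#None` before the change, which reads like a generator writing a missing value into the output rather than failing. Fixing the links by hand is fine for this commit, but the build should reject any link whose fragment is `#None` (or verify that every fragment resolves in the target file) so it cannot recur. It matters more than usual here because these entries cover Basic authentication, unencrypted traffic and `TrustedHosts`, which a reader would reach from this index when reviewing remote management hardening.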
@@ -3202,13 +3306,18 @@ The following diagram shows the Policy configuration service provider in tree fo
- [Browser/EnterpriseSiteListServiceUrl](#browser-enterprisesitelistserviceurl)
- [Browser/SendIntranetTraffictoInternetExplorer](#browser-sendintranettraffictointernetexplorer)
- [Camera/AllowCamera](#camera-allowcamera)
+- [Cellular/ShowAppCellularAccessUI](#cellular-showappcellularaccessui)
- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)
- [Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming)
- [Connectivity/AllowNFC](#connectivity-allownfc)
- [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection)
- [Connectivity/AllowVPNOverCellular](#connectivity-allowvpnovercellular)
- [Connectivity/AllowVPNRoamingOverCellular](#connectivity-allowvpnroamingovercellular)
+- [Connectivity/DiablePrintingOverHTTP](#connectivity-diableprintingoverhttp)
+- [Connectivity/DisableDownloadingOfPrintDriversOverHTTP](#connectivity-disabledownloadingofprintdriversoverhttp)
+- [Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](#connectivity-disableinternetdownloadforwebpublishingandonlineorderingwizards)
- [Connectivity/HardenedUNCPaths](#connectivity-hardeneduncpaths)
+- [Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge](#connectivity-prohibitinstallationandconfigurationofnetworkbridge)
- [CredentialProviders/AllowPINLogon](#credentialproviders-allowpinlogon)
- [CredentialProviders/BlockPicturePassword](#credentialproviders-blockpicturepassword)
- [DataProtection/AllowDirectMemoryAccess](#dataprotection-allowdirectmemoryaccess)
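Review bot: The added entry `Connectivity/DiablePrintingOverHTTP` is spelled "Diable" in both the link text and the anchor `#connectivity-diableprintingoverhttp`, while the entry right after it uses `Disable`. If this is a typo, fix both places. If it is the actual policy node name, leave it and add a short note on the target section saying so, because an admin who types the corrected spelling into a policy path would be configuring a name that does not match.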
@@ -3313,7 +3422,8 @@ The following diagram shows the Policy configuration service provider in tree fo
- [Browser/PreventSmartScreenPromptOverrideForFiles](#browser-preventsmartscreenpromptoverrideforfiles)
- [Browser/SetDefaultSearchEngine](#browser-setdefaultsearchengine)
- [Camera/AllowCamera](#camera-allowcamera)
-- [ConfigOperations/ADMXInstall](#None)
+- [Cellular/ShowAppCellularAccessUI](#cellular-showappcellularaccessui)
+- [ConfigOperations/ADMXInstall](#configoperations-admxinstall)
- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)
- [Connectivity/AllowConnectedDevices](#connectivity-allowconnecteddevices)
- [Cryptography/AllowFipsAlgorithmPolicy](#cryptography-allowfipsalgorithmpolicy)
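Review bot: `ConfigOperations/ADMXInstall` is repointed from `#None` to the same-page fragment `#configoperations-admxinstall`, whereas the lists earlier in this file link to per-area files such as `./policy-csp-internetexplorer.md#...`. Please confirm a section with that anchor still exists in this file; if the policy descriptions are being moved into per-area files, this link and its neighbours in this list should use the `./policy-csp-<area>.md#...` form as well, otherwise they resolve to nothing.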
@@ -3361,7 +3471,7 @@ The following diagram shows the Policy configuration service provider in tree fo
- [DeliveryOptimization/DOMonthlyUploadDataCap](#deliveryoptimization-domonthlyuploaddatacap)
- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](#deliveryoptimization-dopercentagemaxdownloadbandwidth)
- [Desktop/PreventUserRedirectionOfProfileFolders](#desktop-preventuserredirectionofprofilefolders)
-- [DeviceGuard/AllowKernelControlFlowGuard](#None)
+- [DeviceGuard/AllowKernelControlFlowGuard](#deviceguard-allowkernelcontrolflowguard)
- [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo)
- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps)
- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps)
@@ -3386,9 +3496,9 @@ The following diagram shows the Policy configuration service provider in tree fo
- [TextInput/ExcludeJapaneseIMEExceptJIS0208](#textinput-excludejapaneseimeexceptjis0208)
- [TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC](#textinput-excludejapaneseimeexceptjis0208andeudc)
- [TextInput/ExcludeJapaneseIMEExceptShiftJIS](#textinput-excludejapaneseimeexceptshiftjis)
-- [TimeLanguageSettings/Set24HourClock](#None)
-- [TimeLanguageSettings/SetCountry](#None)
-- [TimeLanguageSettings/SetLanguage](#None)
+- [TimeLanguageSettings/Set24HourClock](#timelanguagesettings-set24hourclock)
+- [TimeLanguageSettings/SetCountry](#timelanguagesettings-setcountry)
+- [TimeLanguageSettings/SetLanguage](#timelanguagesettings-setlanguage)
- [Update/AllowAutoUpdate](#update-allowautoupdate)
- [Update/AllowUpdateService](#update-allowupdateservice)
- [Update/AutoRestartNotificationSchedule](#update-autorestartnotificationschedule)
@@ -3412,6 +3522,7 @@ The following diagram shows the Policy configuration service provider in tree fo
- [Browser/AllowBrowser](#browser-allowbrowser)
- [Camera/AllowCamera](#camera-allowcamera)
+- [Cellular/ShowAppCellularAccessUI](#cellular-showappcellularaccessui)
- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)
- [Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming)
- [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection)
@@ -3480,196 +3591,6 @@ Do not allow NFC.
```
-## Start/StartLayout Examples
-
-### Generating a layout
-
-The easiest way to generate a layout is to set the Start layout on a PC, and then run the PowerShell cmdlet **Export-StartLayout**.
-
-` > Export-StartLayout -path c:\users\<`*you*`>\desktop\startlayout.xml`
-
-Sample layout generated using the cmdlet
-
-``` syntax
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-```
-
-### Understanding the schema
-
-In the previous example, the **DefaultLayoutOverride** element is used to specify a layout that overrides the default Start layout. It contains a **StartLayoutCollection**. **StartLayoutCollection** contains a **StartLayout**, which is made up of a collection of **Groups** which are, in turn, made up of either **Tiles** or **DesktopApplicationTiles**.
-
-### Manually creating a layout
-
-For **Tile** elements, the **AppUserModelID** can be retrieved with the PowerShell cmdlet **Get-StartApps**. The app needs to be installed to retrieve this information.
-
-For **DesktopApplicationTile** elements, the **DesktopApplicationID** can be retrieved with the PowerShell cmdlet **Get-StartApps**. The app needs to be installed to retrieve this information.
-
-### Secondary tiles
-
-Creating a layout requires some special notes about secondary tiles. In general, the simplest way to correctly specify a **SecondaryTile** is to generate it using the **Export-StartLayout** PowerShell cmdlet as specified above.
-
-> [!NOTE]
-> Apps that don't encode enough information in their secondary tiles may not be able to be used effectively in the **StartLayout** policy.
-
-
-### Generic webpage shortcuts
-
-The simplest mechanism to create a link to a webpage is to use a URL file. This can be manually added to the layout file by specifying the URL in the **DesktopApplicationID** attribute.
-
-``` syntax
-
-```
-
-### Microsoft Edge secondary tiles
-
-These can be generated by using the **Export-StartLayout** PowerShell cmdlet as specified above. The following example shows a generated secondary tile:
-
-``` syntax
-
-```
-
-### Microsoft Edge assets example
-
-An example XML string value for the **[Start/ImportEdgeAssets](#start-importedgeassets)** policy.
-
-``` syntax
-
-
-
-
-
-
- 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
-
-
-
-
-
-
-
- iVBORw0KGgoAAAANSUhEUgAAASwAAAEsCAYAAAB5fY51AAAABGdBTUEAALGPC/xhBQAAEmpJREFUeAHt3X3MvXVdB3BufgaCBkGI4pAySWeIvzKhLKayNq00W1YiUc6HOW096cw1XSVNR82Ws1iscvoHWWzkKFu13NpqCEONBFLQ0XwENJX8iQI+Ab/eH7lvOZz7+p7H6zzd9+u7fTjnfK/v0/U6v++Xc677Otd1xBESAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgsCKBrRX1q9s9KnD48OHHZNfOT3xf4p7ETYnLtra2DuVRIkCAwOoFslA9PPHniW8khtOXk/H6xIHVj9QICBDY1wJZiH488fHEuHRVCpy2r7HsPAECqxHI4nNk4g2JexKTpv9LweesZsR6JUBgXwpk0Tk58W+TrlJD5e7L6wsTjqHuy389dprAEgWy0JyduDUxb/qHNPCwJQ5dVwQI7CeBLDAvTnxt3pVqoP71eV5/WZQIECDQj0AWla3EmwcWmj6ffiaNHexnpFohQGBfC2QxeWji8glWqCtHlPnsiG216UuJZ+5raDtPgMB8AllETkhcnRiV6iD6GxMHRhR6VLa9d8T22lRfNZ8/34jVJkBgXwpk8Xhk4obEqHR3Nv7iDlCrYG3PtqMSf9sqs53/zTyet9OeRwIECIwVyKJxWuLm7UWk9VDHnp462Fir4E6ZbK9jYX/UKredX+d1/fJOHY8ECBBoCmSxeGzi09uLR+vhg9lw6nAjrcId5X41ZUedcHpvtlu0huG8JkDgAYEsEo9JfCIxKl2RjZ3nT7UqPdDDA89S9mcSd7XqJL++Hj7vgRqeESBAYFsgi8MpiXFfAy9JmeYZ6tnWmVrIKfyjiTs6K92f+dU8nNuqL58AgX0okEXhxMRN968Rzf9ePI6mVXNUvdQ5J3Fnq27y62oPPzSqDdsIENgnAlkMjk6MOocqmw+/dRKOKtiVxtVNnXMT9RfHVqqfAj16XDu2EyCwhwWyCNRf7S5rrRLb+W+ZlKDVziT1U/fZiVE/+/nPbD9mkraUIUBgDwpkARh3isEfT7Pbaa8zTdpGKteB+K6LAO60+3d50jyGNmk/yhEgsGECmfjn76wCjcc/nXaXGu0cnqadtHFeos6eb6XfmaY9ZQkQ2HCBrARPTHyltSIk/+8TR067m632Zmjnd1ttJb8Wsx+btk3lCRDYQIFM9rr++qi/CL4/22c6VpR6nWkWpjQ06mc8dWLribO0qw4BAhskMGYh+Fi2nzzr7qRuZ5qlvTRUV4l4X2eD92f+4yztqkOAwIYIZJ
6POm5VZ53/wDy70lpcZm0z7dXJrHUeViu9eNa21SNAYI0FMuNPTtzemvnJf9G8w2+1PU+7afOaVrvJ/2LikfO0ry4BAmsokIn9rhET/+19DLnV/qxtp71aZEed5lBdXj5r++oRILCGApnUL6iZ3Uj/nfyZDrIP72qj/alOaxhsM+39fqvNoXw/kh6E85zApgpkYh+bqGtXdaX69HJmX/vW1UHlzdJ+qtVVSodPvagrOHSlTyTzqFn6UYcAgTUSyEQe9SnljX0OtWslqbxZ+ki1ug3YYPp8Xoy6EcarZulHHQIE1kQgE7wuczz8KWVnEfhonhzd51B3Gh5+nLaP1H/NcBt5/euJYxJ16kVX+kIyj5u2L+UJEFgTgUzgv+ia2cmrs8Wf3vcwG31N9QkrbbwoUVccHUx1PtZDarx5/KnBDUPPe/3E2LeP9ggQaAhkIp+eaF2G+G8a1ebKHlo8vv1y0kZT4eUdYz6UvO8dbCOv/ynRleq6WicNlvWcAIENEMjEvbhrRievDlyfvohdaPQ39hNW6j0k8Wcd9b+evGcPjzV5T+kou5P1uuHyXhMgsMYCmbnHJ1rHrv5qUUPfWTGGH0f1l7JPTtRNLYZTLaw/16qbbcMH5Xfq35In3/r62KornwCBNRLIhH31zuwdeqwL5O26201fQx/q69svu9rPxpMSb0l0nRhai+3Ic6uy/WCijsV1pV/o6lMeAQJrJpDZe2Si9Ze0v1zkcLtWjsob7DMvj0u8IdH6jeAns+3Jg3Vaz1Puw4mudGWrjnwCBNZIILP3WV0zeDtvoTdzaPVbPNl2VuJtiTow3kp/nQ0nTMqZsh9oNZT8J0zajnIECKxIIBP1ksYk/sCih9Tot7Lr5z+jUn2q+tlpxpfyj0jUca5WcmXSaUCVJbBsgczcuqnEbY0Z/NJFj6fR76jsz2Xjbyam/llN6lw4quFsu2bR+6t9AgTmEMgkPbsxieuGpJ13a56ju11VG313ZdcVQ1+XePiuRibISL06YN86BpZN30p1QP6UCZpThACBVQhkgl50/1zd9d9/XcZ4dvX64Iw6ifXdieckpr5e/OD4U//yxGBqfTV8xWA9zwkQWCOBzOBrB2fxwPPfWsYwB/obfvrSZPRyBnraedlw43n9Hx15lXXFMvZbHwQITCmQyVlni9d5Vl3p+6dsbqbiXR1X3kyNdVRKUz+ZGD5vq/5SWDdh7Uqf7GhGFgECqxbIbH1S14xN3qeWNbZG/70sWGn75xN13fnBVK8fnzg6UcfputLEp0ksy0k/swnMdRxhti7VWqDAwUbbH2rkb0R2VqA6EfaiDPZdiWMHBn1fnv/K1tbWzYmv5/lHBrYNPl3ouWeDHXm+WAEL1mJ9l916a8G6cdkD6au/LFT16ehfEl0/aP6NLFSDx6g+3OjXgtWA2bRsC9amvWOjx3tGY/NNjfy1zc5CdSDxsgywFqHhqzXcm7xXZrG6ZGgHWgtWb5eAHurPyyUL+EX7ksEX3F3rWE3rq9KChzNb81mo6kfPf5joukfiXcm/IIvVuztab32SfERHWVkbKGDB2sA3bcSQv7Ox7VAjf22ys0jVbefPT7wk8cONgX2wymSxurmx/X8b+a2FvFFc9roKWLDW9Z2ZbVytBevO2ZpbbK0sUielh7pM8wWJ5yZaP8+5O9v+JPGmLFbfyGMrfbmx4bsa+bI3TMCCtWFv2Jjhtn7mUl+jVpqyOD0lA6ivZo9NPG07xp0bVseq3pG4MAvVZ/I4Lt3RKOATVgNGNoGVCWRRqMsJd6Wl/Y+pq/MZ8uoGFFcknjgNZsrXuVhd6avTtKPs+gos7R/y+hLsqZF9M3vT9bXq6OTfswF7Wn/NvDTxznyium0DxmuISxawYC0ZfMHdfT7t11eu4fTdyVj518LhQeV1LbDXJa5KXJZF6to8zpOOa1T+YiNf9oYJWLA27A0bM9zPZXvXglUHtz89pu6iN9df+G5PfCFxQ+KaxLVZpL6Wx77S8Y
-```
-
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
\ No newline at end of file
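Review bot: The `\ No newline at end of file` marker after the `[Configuration service provider reference]` link shows that this file still ends without a trailing newline. The change already rewrites the tail of the file, so add the final newline here; otherwise the next append will show up as a modification of the last line.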
diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md
index 125546ca2b..eb8cd4abc7 100644
--- a/windows/client-management/mdm/policy-csp-abovelock.md
+++ b/windows/client-management/mdm/policy-csp-abovelock.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - AboveLock
diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md
index 8e3cbf0a9f..53ea6582a5 100644
--- a/windows/client-management/mdm/policy-csp-accounts.md
+++ b/windows/client-management/mdm/policy-csp-accounts.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - Accounts
diff --git a/windows/client-management/mdm/policy-csp-activexcontrols.md b/windows/client-management/mdm/policy-csp-activexcontrols.md
index e2cb16c774..e67542f66b 100644
--- a/windows/client-management/mdm/policy-csp-activexcontrols.md
+++ b/windows/client-management/mdm/policy-csp-activexcontrols.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - ActiveXControls
@@ -35,11 +36,11 @@ author: nickbrower
-
-
+
+
@@ -54,10 +55,18 @@ If you disable or do not configure this policy setting, ActiveX controls prompt
Note: Wild card characters cannot be used when specifying the host URLs.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Approved Installation Sites for ActiveX Controls*
- GP name: *ApprovedActiveXInstallSites*
+- GP path: *Windows Components/ActiveX Installer Service*
- GP ADMX file name: *ActiveXInstallService.admx*
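Review bot: The bare `+` separator lines between the three `>` paragraphs end the blockquote, so only the first paragraph belongs to the `[!TIP]` callout and the "You must specify the data type" and "The payload of the SyncML must be XML-encoded" paragraphs render as separate plain quotes. Put a `>` on the separator lines so the whole note stays inside one callout.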
diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md
index bf34e7343f..11297a57df 100644
--- a/windows/client-management/mdm/policy-csp-applicationdefaults.md
+++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - ApplicationDefaults
diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md
index 805e786817..5d72ba16b5 100644
--- a/windows/client-management/mdm/policy-csp-applicationmanagement.md
+++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - ApplicationManagement
diff --git a/windows/client-management/mdm/policy-csp-appvirtualization.md b/windows/client-management/mdm/policy-csp-appvirtualization.md
index 3aaaa8966e..4720adffc1 100644
--- a/windows/client-management/mdm/policy-csp-appvirtualization.md
+++ b/windows/client-management/mdm/policy-csp-appvirtualization.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - AppVirtualization
@@ -35,11 +36,11 @@ author: nickbrower
-
-
+
+
@@ -48,10 +49,18 @@ author: nickbrower
This policy setting allows you to enable or disable Microsoft Application Virtualization (App-V) feature. Reboot is needed for disable to take effect.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Enable App-V Client*
- GP name: *EnableAppV*
+- GP path: *Administrative Templates/System/App-V*
- GP ADMX file name: *appv.admx*
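Review bot: The third tip paragraph recommends "a variety of online encoders" for XML-encoding the SyncML payload, which invites admins to paste policy data into third-party sites. Payloads for policies in this file carry values such as publishing server settings, package source locations and certificate store paths, so the text should point to encoding locally or to the CDATA option that the same paragraph already mentions.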
@@ -73,11 +82,11 @@ ADMX Info:
-
-
+
+
@@ -86,10 +95,18 @@ ADMX Info:
Enables Dynamic Virtualization of supported shell extensions, browser helper objects, and ActiveX controls.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Enable Dynamic Virtualization*
- GP name: *Virtualization_JITVEnable*
+- GP path: *Administrative Templates/System/App-V/Virtualization*
- GP ADMX file name: *appv.admx*
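Review bot: In the added line "You must specify the data type in the SyncML as <Format>chr</Format>", the element is written as raw tags in Markdown prose. Wrap it in backticks so that a renderer which passes inline HTML through does not swallow the tags and leave only "chr" on the page.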
@@ -111,11 +128,11 @@ ADMX Info:
-
-
+
+
@@ -124,10 +141,18 @@ ADMX Info:
Enables automatic cleanup of appv packages that were added after Windows10 anniversary release.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Enable automatic cleanup of unused appv packages*
- GP name: *PackageManagement_AutoCleanupEnable*
+- GP path: *Administrative Templates/System/App-V/PackageManagement*
- GP ADMX file name: *appv.admx*
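Review bot: The description line directly above the new tip reads "cleanup of appv packages that were added after Windows10 anniversary release", with a missing space in "Windows 10" and "appv" where the rest of the file writes "App-V". This hunk already edits the section, so fix the wording in the same change.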
@@ -149,11 +174,11 @@ ADMX Info:
-
-
+
+
@@ -162,10 +187,18 @@ ADMX Info:
Enables scripts defined in the package manifest of configuration files that should run.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Enable Package Scripts*
- GP name: *Scripting_Enable_Package_Scripts*
+- GP path: *Administrative Templates/System/App-V/Scripting*
- GP ADMX file name: *appv.admx*
@@ -187,11 +220,11 @@ ADMX Info:
-
-
+
+
@@ -200,10 +233,18 @@ ADMX Info:
Enables a UX to display to the user when a publishing refresh is performed on the client.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Enable Publishing Refresh UX*
- GP name: *Enable_Publishing_Refresh_UX*
+- GP path: *Administrative Templates/System/App-V/Publishing*
- GP ADMX file name: *appv.admx*
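Review bot: The CDATA reference added in the last tip paragraph links to `http://www.w3.org/TR/REC-xml/#sec-cdata-sect` over plain HTTP. Use the `https://` form of the URL in this and every other copy of the tip.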
@@ -225,11 +266,11 @@ ADMX Info:
-
-
+
+
@@ -248,10 +289,18 @@ Data Cache Limit: This value specifies the maximum size in megabytes (MB) of the
Data Block Size: This value specifies the maximum size in bytes to transmit to the server at once on a reporting upload, to avoid permanent transmission failures when the log has reached a significant size. The default value is 65536. When transmitting report data to the server, one block at a time of application records that is less than or equal to the block size in bytes of XML data will be removed from the cache and sent to the server. Each block will have the general Client data and global package list data prepended, and these will not factor into the block size calculations; the potential exists for an extremely large package list to result in transmission failures over low bandwidth or unreliable connections.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Reporting Server*
- GP name: *Reporting_Server_Policy*
+- GP path: *Administrative Templates/System/App-V/Reporting*
- GP ADMX file name: *appv.admx*
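Review bot: The tip says the policy needs a special SyncML format "to enable or disable" and points only to the "Enabling a policy" example, but this policy takes values (the context lines describe Data Cache Limit and Data Block Size). Link to, or add, an example that shows how those element values are passed in the payload, since an enable-only sample does not cover them.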
@@ -273,11 +322,11 @@ ADMX Info:
-
-
+
+
@@ -286,10 +335,18 @@ ADMX Info:
Specifies the file paths relative to %userprofile% that do not roam with a user's profile. Example usage: /FILEEXCLUSIONLIST='desktop;my pictures'.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Roaming File Exclusions*
- GP name: *Integration_Roaming_File_Exclusions*
+- GP path: *Administrative Templates/System/App-V/Integration*
- GP ADMX file name: *appv.admx*
@@ -311,11 +368,11 @@ ADMX Info:
-
-
+
+
@@ -324,10 +381,18 @@ ADMX Info:
Specifies the registry paths that do not roam with a user profile. Example usage: /REGISTRYEXCLUSIONLIST=software\classes;software\clients.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Roaming Registry Exclusions*
- GP name: *Integration_Roaming_Registry_Exclusions*
+- GP path: *Administrative Templates/System/App-V/Integration*
- GP ADMX file name: *appv.admx*
@@ -349,11 +414,11 @@ ADMX Info:
-
-
+
+
@@ -362,10 +427,18 @@ ADMX Info:
Specifies how new packages should be loaded automatically by App-V on a specific computer.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Specify what to load in background (aka AutoLoad)*
- GP name: *Steaming_Autoload*
+- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
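Review bot: The context line `GP name: *Steaming_Autoload*` does not match the "Streaming" spelling in the `GP path` line added just below it. Check the identifier against appv.admx before touching it: the GP name must match the ADMX exactly, so if "Steaming" is what the template ships, keep it and say so, and if it is a documentation typo, correct it in this change.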
@@ -387,11 +460,11 @@ ADMX Info:
-
-
+
+
@@ -400,10 +473,18 @@ ADMX Info:
Migration mode allows the App-V client to modify shortcuts and FTA's for packages created using a previous version of App-V.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Enable Migration Mode*
- GP name: *Client_Coexistence_Enable_Migration_mode*
+- GP path: *Administrative Templates/System/App-V/Client Coexistence*
- GP ADMX file name: *appv.admx*
@@ -425,11 +506,11 @@ ADMX Info:
-
-
+
+
@@ -438,10 +519,18 @@ ADMX Info:
Specifies the location where symbolic links are created to the current version of a per-user published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %localappdata%\Microsoft\AppV\Client\Integration.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Integration Root User*
- GP name: *Integration_Root_User*
+- GP path: *Administrative Templates/System/App-V/Integration*
- GP ADMX file name: *appv.admx*
@@ -463,11 +552,11 @@ ADMX Info:
-
-
+
+
@@ -476,10 +565,18 @@ ADMX Info:
Specifies the location where symbolic links are created to the current version of a globally published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %allusersprofile%\Microsoft\AppV\Client\Integration.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Integration Root Global*
- GP name: *Integration_Root_Global*
+- GP path: *Administrative Templates/System/App-V/Integration*
- GP ADMX file name: *appv.admx*
@@ -501,11 +598,11 @@ ADMX Info:
-
-
+
+
@@ -532,10 +629,18 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin
User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Publishing Server 1 Settings*
- GP name: *Publishing_Server1_Policy*
+- GP path: *Administrative Templates/System/App-V/Publishing*
- GP ADMX file name: *appv.admx*
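Review bot: This hunk pastes the same three-paragraph tip that every other policy section in this file receives, and the Publishing Server 1 to 5 sections are otherwise identical too. A single shared note (one include, or one tip at the top of the page) would keep later corrections to the wording or the links from having to be repeated in every section.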
@@ -557,11 +662,11 @@ ADMX Info:
-
-
+
+
@@ -588,10 +693,18 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin
User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Publishing Server 2 Settings*
- GP name: *Publishing_Server2_Policy*
+- GP path: *Administrative Templates/System/App-V/Publishing*
- GP ADMX file name: *appv.admx*
@@ -613,11 +726,11 @@ ADMX Info:
-
-
+
+
@@ -644,10 +757,18 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin
User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Publishing Server 3 Settings*
- GP name: *Publishing_Server3_Policy*
+- GP path: *Administrative Templates/System/App-V/Publishing*
- GP ADMX file name: *appv.admx*
@@ -669,11 +790,11 @@ ADMX Info:
-
-
+
+
@@ -700,10 +821,18 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin
User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Publishing Server 4 Settings*
- GP name: *Publishing_Server4_Policy*
+- GP path: *Administrative Templates/System/App-V/Publishing*
- GP ADMX file name: *appv.admx*
@@ -725,11 +854,11 @@ ADMX Info:
-
-
+
+
@@ -756,16 +885,24 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin
User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Publishing Server 5 Settings*
- GP name: *Publishing_Server5_Policy*
+- GP path: *Administrative Templates/System/App-V/Publishing*
- GP ADMX file name: *appv.admx*
-**AppVirtualization/StreamingAllowCertificateFilterForClient_SSL**
+**AppVirtualization/StreamingAllowCertificateFilterForClient_SSL**
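Review bot: The removed and added `**AppVirtualization/StreamingAllowCertificateFilterForClient_SSL**` lines at the end of this hunk are identical as shown, so the change is whitespace or markup only. Confirm it is intentional (for example an anchor or trailing-space fix) and mention it in the commit message, or drop it from the patch.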
@@ -781,11 +918,11 @@ ADMX Info:
-
-
+
+
@@ -794,10 +931,18 @@ ADMX Info:
Specifies the path to a valid certificate in the certificate store.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Certificate Filter For Client SSL*
- GP name: *Streaming_Certificate_Filter_For_Client_SSL*
+- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
@@ -819,11 +964,11 @@ ADMX Info:
-
-
+
+
@@ -832,10 +977,18 @@ ADMX Info:
This setting controls whether virtualized applications are launched on Windows 8 machines connected via a metered network connection (e.g. 4G).
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Allow First Time Application Launches if on a High Cost Windows 8 Metered Connection*
- GP name: *Streaming_Allow_High_Cost_Launch*
+- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
@@ -857,11 +1010,11 @@ ADMX Info:
-
-
+
+
@@ -870,10 +1023,18 @@ ADMX Info:
Specifies the CLSID for a compatible implementation of the IAppvPackageLocationProvider interface.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Location Provider*
- GP name: *Streaming_Location_Provider*
+- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
@@ -895,11 +1056,11 @@ ADMX Info:
-
-
+
+
@@ -908,10 +1069,18 @@ ADMX Info:
Specifies directory where all new applications and updates will be installed.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Package Installation Root*
- GP name: *Streaming_Package_Installation_Root*
+- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
@@ -933,11 +1102,11 @@ ADMX Info:
-
-
+
+
@@ -946,10 +1115,18 @@ ADMX Info:
Overrides source location for downloading package content.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Package Source Root*
- GP name: *Streaming_Package_Source_Root*
+- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
@@ -971,11 +1148,11 @@ ADMX Info:
-
-
+
+
@@ -984,10 +1161,18 @@ ADMX Info:
Specifies the number of seconds between attempts to reestablish a dropped session.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Reestablishment Interval*
- GP name: *Streaming_Reestablishment_Interval*
+- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
@@ -1009,11 +1194,11 @@ ADMX Info:
-
-
+
+
@@ -1022,10 +1207,18 @@ ADMX Info:
Specifies the number of times to retry a dropped session.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Reestablishment Retries*
- GP name: *Streaming_Reestablishment_Retries*
+- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
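Review bot: in the added line "You must specify the data type in the SyncML as <Format>chr</Format>", the element is written with raw angle brackets. Unless it is entity-escaped or wrapped in backticks in the source file, Markdown passes it through as inline HTML and the reader sees only "chr". Suggest putting `<Format>chr</Format>` in code formatting.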
@@ -1047,11 +1240,11 @@ ADMX Info:
-
-
+
+
@@ -1060,10 +1253,18 @@ ADMX Info:
Specifies that streamed package contents will be not be saved to the local hard disk.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Shared Content Store (SCS) mode*
- GP name: *Streaming_Shared_Content_Store_Mode*
+- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
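Review bot: the description directly above the added TIP reads "will be not be saved to the local hard disk". Since this section is being touched, fix it to "will not be saved".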
@@ -1085,11 +1286,11 @@ ADMX Info:
-
-
+
+
@@ -1098,10 +1299,18 @@ ADMX Info:
If enabled, the App-V client will support BrancheCache compatible HTTP streaming. If BranchCache support is not desired, this should be disabled. The client can then apply HTTP optimizations which are incompatible with BranchCache
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Enable Support for BranchCache*
- GP name: *Streaming_Support_Branch_Cache*
+- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
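Review bot: the description line above the added TIP spells the feature "BrancheCache", while the rest of that sentence and the GP english name use "BranchCache", and its last sentence has no closing period. Worth fixing in this pass.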
@@ -1123,11 +1332,11 @@ ADMX Info:
-
-
+
+
@@ -1136,10 +1345,18 @@ ADMX Info:
Verifies Server certificate revocation status before streaming using HTTPS.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Verify certificate revocation list*
- GP name: *Streaming_Verify_Certificate_Revocation_List*
+- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
@@ -1161,11 +1378,11 @@ ADMX Info:
-
-
+
+
@@ -1174,10 +1391,18 @@ ADMX Info:
Specifies a list of process paths (may contain wildcards) which are candidates for using virtual components (shell extensions, browser helper objects, etc). Only processes whose full path matches one of these items can use virtual components.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Virtual Component Process Allow List*
- GP name: *Virtualization_JITVAllowList*
+- GP path: *Administrative Templates/System/App-V/Virtualization*
- GP ADMX file name: *appv.admx*
diff --git a/windows/client-management/mdm/policy-csp-attachmentmanager.md b/windows/client-management/mdm/policy-csp-attachmentmanager.md
index 16d1409a9a..0d4c2f7055 100644
--- a/windows/client-management/mdm/policy-csp-attachmentmanager.md
+++ b/windows/client-management/mdm/policy-csp-attachmentmanager.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - AttachmentManager
@@ -35,11 +36,11 @@ author: nickbrower
-
-
+
+
@@ -54,10 +55,18 @@ If you disable this policy setting, Windows marks file attachments with their zo
If you do not configure this policy setting, Windows marks file attachments with their zone information.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Do not preserve zone information in file attachments*
- GP name: *AM_MarkZoneOnSavedAtttachments*
+- GP path: *Windows Components/Attachment Manager*
- GP ADMX file name: *AttachmentManager.admx*
@@ -79,11 +88,11 @@ ADMX Info:
-
-
+
+
@@ -98,10 +107,18 @@ If you disable this policy setting, Windows shows the check box and Unblock butt
If you do not configure this policy setting, Windows hides the check box and Unblock button.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Hide mechanisms to remove zone information*
- GP name: *AM_RemoveZoneInfo*
+- GP path: *Windows Components/Attachment Manager*
- GP ADMX file name: *AttachmentManager.admx*
@@ -123,11 +140,11 @@ ADMX Info:
-
-
+
+
@@ -142,10 +159,18 @@ If you disable this policy setting, Windows does not call the registered antivir
If you do not configure this policy setting, Windows does not call the registered antivirus programs when file attachments are opened.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Notify antivirus programs when opening attachments*
- GP name: *AM_CallIOfficeAntiVirus*
+- GP path: *Windows Components/Attachment Manager*
- GP ADMX file name: *AttachmentManager.admx*
diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md
index a3abf1e90d..2b74810ed1 100644
--- a/windows/client-management/mdm/policy-csp-authentication.md
+++ b/windows/client-management/mdm/policy-csp-authentication.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - Authentication
diff --git a/windows/client-management/mdm/policy-csp-autoplay.md b/windows/client-management/mdm/policy-csp-autoplay.md
index 94426589fc..8198ac815b 100644
--- a/windows/client-management/mdm/policy-csp-autoplay.md
+++ b/windows/client-management/mdm/policy-csp-autoplay.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - Autoplay
@@ -33,13 +34,13 @@ author: nickbrower
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -52,10 +53,18 @@ If you enable this policy setting, AutoPlay is not allowed for MTP devices like
If you disable or do not configure this policy setting, AutoPlay is enabled for non-volume devices.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Disallow Autoplay for non-volume devices*
- GP name: *NoAutoplayfornonVolume*
+- GP path: *Windows Components/AutoPlay Policies*
- GP ADMX file name: *AutoPlay.admx*
@@ -75,13 +84,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -103,10 +112,18 @@ b) Revert back to pre-Windows Vista behavior of automatically executing the auto
If you disable or not configure this policy setting, Windows Vista or later will prompt the user whether autorun command is to be run.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Set the default behavior for AutoRun*
- GP name: *NoAutorun*
+- GP path: *Windows Components/AutoPlay Policies*
- GP ADMX file name: *AutoPlay.admx*
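Review bot: the context sentence before the added TIP says "If you disable or not configure this policy setting". The other Autoplay sections in this file use "disable or do not configure", so align the wording here.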
@@ -126,13 +143,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -155,10 +172,18 @@ If you disable or do not configure this policy setting, AutoPlay is enabled.
Note: This policy setting appears in both the Computer Configuration and User Configuration folders. If the policy settings conflict, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Turn off Autoplay*
- GP name: *Autorun*
+- GP path: *Windows Components/AutoPlay Policies*
- GP ADMX file name: *AutoPlay.admx*
diff --git a/windows/client-management/mdm/policy-csp-bitlocker.md b/windows/client-management/mdm/policy-csp-bitlocker.md
index c4a361dbf8..70e825b78a 100644
--- a/windows/client-management/mdm/policy-csp-bitlocker.md
+++ b/windows/client-management/mdm/policy-csp-bitlocker.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - Bitlocker
diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md
index c4f2efa69b..69445abb1a 100644
--- a/windows/client-management/mdm/policy-csp-bluetooth.md
+++ b/windows/client-management/mdm/policy-csp-bluetooth.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - Bluetooth
diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md
index ac21e5988b..f0d50ff7ac 100644
--- a/windows/client-management/mdm/policy-csp-browser.md
+++ b/windows/client-management/mdm/policy-csp-browser.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - Browser
diff --git a/windows/client-management/mdm/policy-csp-camera.md b/windows/client-management/mdm/policy-csp-camera.md
index 052c9a0190..5235998a62 100644
--- a/windows/client-management/mdm/policy-csp-camera.md
+++ b/windows/client-management/mdm/policy-csp-camera.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - Camera
diff --git a/windows/client-management/mdm/policy-csp-cellular.md b/windows/client-management/mdm/policy-csp-cellular.md
index 2eacb78000..0afb973431 100644
--- a/windows/client-management/mdm/policy-csp-cellular.md
+++ b/windows/client-management/mdm/policy-csp-cellular.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - Cellular
@@ -19,14 +20,45 @@ author: nickbrower
## Cellular policies
-**Cellular/ShowAppCellularAccessUI**
+**Cellular/ShowAppCellularAccessUI**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Set Per-App Cellular Access UI Visibility*
- GP name: *ShowAppCellularAccessUI*
+- GP path: *Network/WWAN Service/WWAN UI Settings*
- GP ADMX file name: *wwansvc.admx*
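Review bot: after the edition table, the Cellular/ShowAppCellularAccessUI section goes straight to the TIP and ADMX Info, and the visible hunk carries no sentence saying what the policy does or what enabling and disabling it mean. The other ADMX-backed sections in this patch keep a description above the TIP; add one here, or at least the GP explain text for *Set Per-App Cellular Access UI Visibility*.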
@@ -41,3 +73,21 @@ Footnote:
+
+## Cellular policies that can be set using Exchange Active Sync (EAS)
+
+- [Cellular/ShowAppCellularAccessUI](#cellular-showappcellularaccessui)
+
+
+
+## Cellular policies supported by IoT Core
+
+- [Cellular/ShowAppCellularAccessUI](#cellular-showappcellularaccessui)
+
+
+
+## Cellular policies supported by Microsoft Surface Hub
+
+- [Cellular/ShowAppCellularAccessUI](#cellular-showappcellularaccessui)
+
+
diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md
index 76654d609a..d766ef3c9d 100644
--- a/windows/client-management/mdm/policy-csp-connectivity.md
+++ b/windows/client-management/mdm/policy-csp-connectivity.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - Connectivity
@@ -349,10 +350,40 @@ author: nickbrower
-**Connectivity/DiablePrintingOverHTTP**
+**Connectivity/DiablePrintingOverHTTP**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Turn off printing over HTTP*
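Review bot: the policy name in the changed heading is spelled "Connectivity/DiablePrintingOverHTTP", while its siblings are "DisableDownloadingOfPrintDriversOverHTTP" and "DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards". Please confirm this matches the actual CSP node name. If the node really is spelled that way, say so in the section, because the same spelling is carried into the `#connectivity-diableprintingoverhttp` link added to the list near the end of this file and admins will copy it into their SyncML.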
@@ -362,10 +393,40 @@ ADMX Info:
-**Connectivity/DisableDownloadingOfPrintDriversOverHTTP**
+**Connectivity/DisableDownloadingOfPrintDriversOverHTTP**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Turn off downloading of print drivers over HTTP*
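Review bot: under ADMX Info for Connectivity/DisableDownloadingOfPrintDriversOverHTTP, the visible part of this hunk shows only the GP english name, with no `GP path` line added, whereas the HardenedUNCPaths and ProhibitInstallationAndConfigurationOfNetworkBridge sections later in this file gain one. If the path is known, add it here and for the neighbouring DiablePrintingOverHTTP and DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards sections, so the ADMX Info blocks are consistent.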
@@ -375,10 +436,40 @@ ADMX Info:
-**Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards**
+**Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Turn off Internet download for Web publishing and online ordering wizards*
@@ -404,11 +495,11 @@ ADMX Info:
-
-
+
+
@@ -419,23 +510,62 @@ This policy setting configures secure access to UNC paths.
If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling additional security requirements.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Hardened UNC Paths*
- GP name: *Pol_HardenedPaths*
+- GP path: *Network/Network Provider*
- GP ADMX file name: *networkprovider.admx*
-**Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge**
+**Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Prohibit installation and configuration of Network Bridge on your DNS domain network*
- GP name: *NC_AllowNetBridge_NLA*
+- GP path: *Network/Network Connections*
- GP ADMX file name: *NetworkConnections.admx*
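Review bot: the TIP added under HardenedUNCPaths tells admins that "there are a variety of online encoders that you can use" for the payload. For this policy the payload carries the specified UNC paths, so pasting it into a third-party website discloses internal server and share names. Suggest recommending a local XML-escaping step or the CDATA option first, and dropping or qualifying the online-encoder advice.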
@@ -473,7 +603,11 @@ Footnote:
- [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection)
- [Connectivity/AllowVPNOverCellular](#connectivity-allowvpnovercellular)
- [Connectivity/AllowVPNRoamingOverCellular](#connectivity-allowvpnroamingovercellular)
+- [Connectivity/DiablePrintingOverHTTP](#connectivity-diableprintingoverhttp)
+- [Connectivity/DisableDownloadingOfPrintDriversOverHTTP](#connectivity-disabledownloadingofprintdriversoverhttp)
+- [Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](#connectivity-disableinternetdownloadforwebpublishingandonlineorderingwizards)
- [Connectivity/HardenedUNCPaths](#connectivity-hardeneduncpaths)
+- [Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge](#connectivity-prohibitinstallationandconfigurationofnetworkbridge)
diff --git a/windows/client-management/mdm/policy-csp-credentialproviders.md b/windows/client-management/mdm/policy-csp-credentialproviders.md
index cc99642fbc..afa69b9477 100644
--- a/windows/client-management/mdm/policy-csp-credentialproviders.md
+++ b/windows/client-management/mdm/policy-csp-credentialproviders.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - CredentialProviders
@@ -35,11 +36,11 @@ author: nickbrower
-
-
+
+
@@ -56,6 +57,13 @@ Note: The user's domain password will be cached in the system vault when using t
To configure Windows Hello for Business, use the Administrative Template policies under Windows Hello for Business.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Turn on convenience PIN sign-in*
@@ -81,11 +89,11 @@ ADMX Info:
-
-
+
+
@@ -100,6 +108,13 @@ If you disable or don't configure this policy setting, a domain user can set up
Note that the user's domain password will be cached in the system vault when using this feature.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Turn off picture password sign-in*
@@ -109,7 +124,7 @@ ADMX Info:
-**CredentialProviders/EnableWindowsAutoPilotResetCredentials**
+**CredentialProviders/DisableAutomaticReDeploymentCredentials**
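Review bot: renaming EnableWindowsAutoPilotResetCredentials to DisableAutomaticReDeploymentCredentials also inverts the meaning of the value, so a profile that set the old node to 1 to turn the provider on would, if carried over unchanged, now hide it. The patch gives no note about the rename; add a line stating that the old name was replaced and that the polarity changed.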
@@ -135,11 +150,12 @@ ADMX Info:
-Added in Windows 10, version 1709. Boolean policy to enable the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. When the policy is enabled, a WNF notification is generated that would schedule a task to update the visibility of the new provider. The admin user is required to authenticate to trigger the refresh on the target device.
+Added in Windows 10, version 1709. Boolean policy to disable the visibility of the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. The admin user is required to authenticate to trigger the refresh on the target device.
-The auto pilot reset feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the auto pilot reset is triggered the devices are for ready for use by information workers or students.
+The Windows 10 Automatic ReDeployment feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the automatic redeployment is triggered the devices are for ready for use by information workers or students.
-Default value is 0.
+- 0 - Enable the visibility of the credentials for Windows 10 Automatic ReDeployment
+- 1 - Disable visibility of the credentials for Windows 10 Automatic ReDeployment
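Review bot: the removed "Default value is 0." has no replacement, so the new 0/1 list does not say which value applies when the policy is unset; mark the default in the list. The rewritten paragraph also keeps "the devices are for ready for use" and "allows admin to reset", which should read "are ready for use" and "allows admins to reset".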
diff --git a/windows/client-management/mdm/policy-csp-credentialsui.md b/windows/client-management/mdm/policy-csp-credentialsui.md
index e51c7be1c8..728275e01e 100644
--- a/windows/client-management/mdm/policy-csp-credentialsui.md
+++ b/windows/client-management/mdm/policy-csp-credentialsui.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - CredentialsUI
@@ -34,10 +35,10 @@ author: nickbrower
-
3
-
3
-
3
-
3
+
+
+
+
@@ -56,10 +57,18 @@ By default, the password reveal button is displayed after a user types a passwor
The policy applies to all Windows components and applications that use the Windows system controls, including Internet Explorer.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Do not display the password reveal button*
- GP name: *DisablePasswordReveal*
+- GP path: *Windows Components/Credential User Interface*
- GP ADMX file name: *credui.admx*
@@ -80,10 +89,10 @@ ADMX Info:
-
3
-
3
-
3
-
3
+
+
+
+
@@ -98,10 +107,18 @@ If you enable this policy setting, all local administrator accounts on the PC wi
If you disable this policy setting, users will always be required to type a user name and password to elevate.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Enumerate administrator accounts on elevation*
- GP name: *EnumerateAdministrators*
+- GP path: *Windows Components/Credential User Interface*
- GP ADMX file name: *credui.admx*
diff --git a/windows/client-management/mdm/policy-csp-cryptography.md b/windows/client-management/mdm/policy-csp-cryptography.md
index b010cfdbb9..5365025f58 100644
--- a/windows/client-management/mdm/policy-csp-cryptography.md
+++ b/windows/client-management/mdm/policy-csp-cryptography.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - Cryptography
diff --git a/windows/client-management/mdm/policy-csp-dataprotection.md b/windows/client-management/mdm/policy-csp-dataprotection.md
index 418361ef03..ebe61e6295 100644
--- a/windows/client-management/mdm/policy-csp-dataprotection.md
+++ b/windows/client-management/mdm/policy-csp-dataprotection.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - DataProtection
diff --git a/windows/client-management/mdm/policy-csp-datausage.md b/windows/client-management/mdm/policy-csp-datausage.md
index 54687bcb5c..7398cdb094 100644
--- a/windows/client-management/mdm/policy-csp-datausage.md
+++ b/windows/client-management/mdm/policy-csp-datausage.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - DataUsage
@@ -33,9 +34,9 @@ author: nickbrower
Mobile Enterprise
+
-
@@ -58,10 +59,18 @@ If this policy setting is enabled, a drop-down list box presenting possible cost
If this policy setting is disabled or is not configured, the cost of 3G connections is Fixed by default.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Set 3G Cost*
- GP name: *SetCost3G*
+- GP path: *Network/WWAN Service/WWAN Media Cost*
- GP ADMX file name: *wwansvc.admx*
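Review bot: The three added `>` paragraphs are separated by bare `+` blank lines, so only the first paragraph sits inside the `[!TIP]` callout and the other two render as separate plain blockquotes; prefix the separator lines with `>` to keep them in one callout. The literal <Format>chr</Format> should also be wrapped in backticks, because unescaped angle brackets in Markdown can be treated as HTML and dropped from the rendered page, which would leave the sentence without the value it tells the reader to set. The same block is repeated in the other ADMX-backed hunks of this patch, so one fix should be applied to all of them.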
@@ -81,9 +90,9 @@ ADMX Info:
Mobile Enterprise
+
-
@@ -106,10 +115,18 @@ If this policy setting is enabled, a drop-down list box presenting possible cost
If this policy setting is disabled or is not configured, the cost of 4G connections is Fixed by default.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Set 4G Cost*
- GP name: *SetCost4G*
+- GP path: *Network/WWAN Service/WWAN Media Cost*
- GP ADMX file name: *wwansvc.admx*
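Review bot: The added sentence "there are a variety of online encoders that you can use" steers admins toward pasting policy payloads into third-party sites. Suggest leading with the CDATA option and recommending a local XML-encoding step instead of online encoders, since the payload carries the organisation's policy configuration. The CDATA reference in the same line uses http://www.w3.org/TR/REC-xml/#sec-cdata-sect; switch it to https.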
diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md
index 9fdbbe8095..42421382a1 100644
--- a/windows/client-management/mdm/policy-csp-defender.md
+++ b/windows/client-management/mdm/policy-csp-defender.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - Defender
@@ -686,7 +687,7 @@ Value type is string.
If this setting is on, Windows Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency.
-p
For more information about specific values that are supported, see the Windows Defender Antivirus documentation site.
+
For more information about specific values that are supported, see the Windows Defender Antivirus documentation site.
> [!Note]
> This feature requires the "Join Microsoft MAPS" setting enabled in order to function.
diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
index bcd687b62f..a80a113695 100644
--- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md
+++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - DeliveryOptimization
diff --git a/windows/client-management/mdm/policy-csp-desktop.md b/windows/client-management/mdm/policy-csp-desktop.md
index 1a2b0575d1..2f095c7e16 100644
--- a/windows/client-management/mdm/policy-csp-desktop.md
+++ b/windows/client-management/mdm/policy-csp-desktop.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - Desktop
@@ -34,10 +35,10 @@ author: nickbrower
-
1
-
-
1
-
1
+
+
+
+
@@ -52,6 +53,13 @@ By default, a user can change the location of their individual profile folders l
If you enable this setting, users are unable to type a new location in the Target box.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Prohibit User from manually redirecting Profile Folders*
diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md
index a33fac0efa..a613939a89 100644
--- a/windows/client-management/mdm/policy-csp-deviceguard.md
+++ b/windows/client-management/mdm/policy-csp-deviceguard.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - DeviceGuard
@@ -142,6 +143,6 @@ Footnote:
## DeviceGuard policies supported by Microsoft Surface Hub
-- [DeviceGuard/AllowKernelControlFlowGuard](#None)
+- [DeviceGuard/AllowKernelControlFlowGuard](#deviceguard-allowkernelcontrolflowguard)
diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md
index 6fe4218008..b9e3b22182 100644
--- a/windows/client-management/mdm/policy-csp-deviceinstallation.md
+++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - DeviceInstallation
@@ -34,10 +35,10 @@ author: nickbrower
-
-
-
3
-
3
+
+
+
+
@@ -52,10 +53,18 @@ If you enable this policy setting, Windows is prevented from installing a device
If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Prevent installation of devices that match any of these device IDs*
- GP name: *DeviceInstall_IDs_Deny*
+- GP path: *System/Device Installation/Device Installation Restrictions*
- GP ADMX file name: *deviceinstallation.admx*
@@ -76,10 +85,10 @@ ADMX Info:
-
-
-
3
-
3
+
+
+
+
@@ -94,10 +103,18 @@ If you enable this policy setting, Windows is prevented from installing or updat
If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Prevent installation of devices using drivers that match these device setup classes*
- GP name: *DeviceInstall_Classes_Deny*
+- GP path: *System/Device Installation/Device Installation Restrictions*
- GP ADMX file name: *deviceinstallation.admx*
diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md
index 6aedca4af1..3e3e9a0a12 100644
--- a/windows/client-management/mdm/policy-csp-devicelock.md
+++ b/windows/client-management/mdm/policy-csp-devicelock.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - DeviceLock
@@ -738,13 +739,13 @@ The number of authentication failures allowed before the device will be wiped. A
Mobile Enterprise
-
-
-
+
+
+
@@ -757,10 +758,18 @@ By default, users can enable a slide show that will run after they lock the mach
If you enable this setting, users will no longer be able to modify slide show settings in PC Settings, and no slide show will ever start.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Prevent enabling lock screen slide show*
- GP name: *CPL_Personalization_NoLockScreenSlideshow*
+- GP path: *Control Panel/Personalization*
- GP ADMX file name: *ControlPanelDisplay.admx*
diff --git a/windows/client-management/mdm/policy-csp-display.md b/windows/client-management/mdm/policy-csp-display.md
index 142be5ef59..173a2e7f02 100644
--- a/windows/client-management/mdm/policy-csp-display.md
+++ b/windows/client-management/mdm/policy-csp-display.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - Display
diff --git a/windows/client-management/mdm/policy-csp-education.md b/windows/client-management/mdm/policy-csp-education.md
new file mode 100644
index 0000000000..8c563ece39
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-education.md
@@ -0,0 +1,133 @@
+---
+title: Policy CSP - Education
+description: Policy CSP - Education
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 08/09/2017
+---
+
+# Policy CSP - Education
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## Education policies
+
+
+**Education/DefaultPrinterName**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+Added in Windows 10, version 1709. This policy allows IT Admins to set the user's default printer.
+
+The policy value is expected to be the name (network host name) of an installed printer.
+
+
+
+
+**Education/PreventAddingNewPrinters**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+Added in Windows 10, version 1709. Allows IT Admins to prevent user installation of additional printers from the printers settings.
+
+The following list shows the supported values:
+
+- 0 (default) – Allow user installation.
+- 1 – Prevent user installation.
+
+
+
+
+**Education/PrinterNames**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+Added in Windows 10, version 1709. Allows IT Admins to automatically provision printers based on their names (network host names).
+
+The policy value is expected to be a `````` seperated list of printer names. The OS will attempt to search and install the matching printer driver for each listed printer.
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
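Review bot: In Education/PrinterNames the delimiter is missing: the sentence "expected to be a ... seperated list of printer names" contains only an empty code span where the separator character should be, so an admin cannot tell how to delimit the list. State the delimiter explicitly, escaped so it survives rendering, and correct "seperated" to "separated". The Footnote list also defines 1 and 2, although only 3 appears in this new file, and the front matter pairs ms.author: maricia with author: nickbrower; confirm both are intended.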
diff --git a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md
index 76c623cf52..aac0cea10c 100644
--- a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md
+++ b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - EnterpriseCloudPrint
@@ -45,7 +46,7 @@ author: nickbrower
-
Added in Windows 10, version 1703. Specifies the authentication endpoint for acquiring OAuth tokens.
+
Added in Windows 10, version 1703. Specifies the authentication endpoint for acquiring OAuth tokens. This policy must target ./User, otherwise it fails.
The datatype is a string.
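Review bot: "This policy must target ./User, otherwise it fails" does not say how the failure shows up. Describe the observable result of a mis-scoped target, so an admin can recognise it in the MDM response rather than assume the OAuth endpoint itself is wrong. The same sentence is added in the five following hunks of this file, including the one whose datatype is an integer, so the wording should be fixed in all six together.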
@@ -80,7 +81,7 @@ author: nickbrower
-
Added in Windows 10, version 1703. Specifies the GUID of a client application authorized to retrieve OAuth tokens from the OAuthAuthority.
+
Added in Windows 10, version 1703. Specifies the GUID of a client application authorized to retrieve OAuth tokens from the OAuthAuthority. This policy must target ./User, otherwise it fails.
The datatype is a string.
@@ -115,7 +116,7 @@ author: nickbrower
-
Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the enterprise cloud print client during OAuth authentication.
+
Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the enterprise cloud print client during OAuth authentication. This policy must target ./User, otherwise it fails.
The datatype is a string.
@@ -150,7 +151,7 @@ author: nickbrower
-
Added in Windows 10, version 1703. Specifies the per-user end point for discovering cloud printers.
+
Added in Windows 10, version 1703. Specifies the per-user end point for discovering cloud printers. This policy must target ./User, otherwise it fails.
The datatype is a string.
@@ -185,7 +186,7 @@ author: nickbrower
-
Added in Windows 10, version 1703. Defines the maximum number of printers that should be queried from a discovery end point.
+
Added in Windows 10, version 1703. Defines the maximum number of printers that should be queried from a discovery end point. This policy must target ./User, otherwise it fails.
The datatype is an integer.
@@ -220,7 +221,7 @@ author: nickbrower
-
Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the Mopria discovery client during OAuth authentication.
+
Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the Mopria discovery client during OAuth authentication. This policy must target ./User, otherwise it fails.
The datatype is a string.
diff --git a/windows/client-management/mdm/policy-csp-errorreporting.md b/windows/client-management/mdm/policy-csp-errorreporting.md
index 9420ab52aa..88177e71c6 100644
--- a/windows/client-management/mdm/policy-csp-errorreporting.md
+++ b/windows/client-management/mdm/policy-csp-errorreporting.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - ErrorReporting
@@ -34,12 +35,12 @@ author: nickbrower
-
2
-
2
-
2
-
2
-
2
-
2
+
+
+
+
+
+
@@ -62,6 +63,13 @@ If you enable this policy setting, you can add specific event types to a list by
If you disable or do not configure this policy setting, then the default consent settings that are applied are those specified by the user in Control Panel, or in the Configure Default Consent policy setting.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Customize consent settings*
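Review bot: No `GP path` line is added for *Customize consent settings* here, while the later hunks in this file add `- GP path: *Windows Components/Windows Error Reporting*` for WerDisable_2, PCH_ShowUI, WerNoSecondLevelData_2 and WerDoNotShowUI. Unless that line already exists below the shown context, add it so every ADMX-backed policy in the file carries the same ADMX Info fields. The `@@ -52,6 +53,13 @@` hunk in policy-csp-desktop.md has the same gap for *Prohibit User from manually redirecting Profile Folders*.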
@@ -86,12 +94,12 @@ ADMX Info:
-
2
-
2
-
2
-
2
-
2
-
2
+
+
+
+
+
+
@@ -104,10 +112,18 @@ If you enable this policy setting, Windows Error Reporting does not send any pro
If you disable or do not configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Disable Windows Error Reporting*
- GP name: *WerDisable_2*
+- GP path: *Windows Components/Windows Error Reporting*
- GP ADMX file name: *ErrorReporting.admx*
@@ -128,12 +144,12 @@ ADMX Info:
-
2
-
2
-
2
-
2
-
2
-
2
+
+
+
+
+
+
@@ -150,10 +166,18 @@ If you do not configure this policy setting, users can change this setting in Co
See also the Configure Error Reporting policy setting.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Display Error Notification*
- GP name: *PCH_ShowUI*
+- GP path: *Windows Components/Windows Error Reporting*
- GP ADMX file name: *ErrorReporting.admx*
@@ -174,12 +198,12 @@ ADMX Info:
-
2
-
2
-
2
-
2
-
2
-
2
+
+
+
+
+
+
@@ -192,10 +216,18 @@ If you enable this policy setting, any additional data requests from Microsoft i
If you disable or do not configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Do not send additional data*
- GP name: *WerNoSecondLevelData_2*
+- GP path: *Windows Components/Windows Error Reporting*
- GP ADMX file name: *ErrorReporting.admx*
@@ -216,12 +248,12 @@ ADMX Info:
-
2
-
2
-
2
-
2
-
2
-
2
+
+
+
+
+
+
@@ -234,10 +266,18 @@ If you enable this policy setting, Windows Error Reporting does not display any
If you disable or do not configure this policy setting, Windows Error Reporting displays the user interface for critical errors.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Prevent display of the user interface for critical errors*
- GP name: *WerDoNotShowUI*
+- GP path: *Windows Components/Windows Error Reporting*
- GP ADMX file name: *ErrorReporting.admx*
diff --git a/windows/client-management/mdm/policy-csp-eventlogservice.md b/windows/client-management/mdm/policy-csp-eventlogservice.md
index a7d3d8bcf3..8ded981267 100644
--- a/windows/client-management/mdm/policy-csp-eventlogservice.md
+++ b/windows/client-management/mdm/policy-csp-eventlogservice.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - EventLogService
@@ -34,12 +35,12 @@ author: nickbrower
-
2
-
2
-
2
-
2
-
2
-
2
+
+
+
+
+
+
@@ -54,10 +55,18 @@ If you disable or do not configure this policy setting and a log file reaches it
Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Control Event Log behavior when the log file reaches its maximum size*
- GP name: *Channel_Log_Retention_1*
+- GP path: *Windows Components/Event Log Service/Application*
- GP ADMX file name: *eventlog.admx*
@@ -78,12 +87,12 @@ ADMX Info:
-
2
-
2
-
2
-
2
-
2
-
2
+
+
+
+
+
+
@@ -96,10 +105,18 @@ If you enable this policy setting, you can configure the maximum log file size t
If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Specify the maximum log file size (KB)*
- GP name: *Channel_LogMaxSize_1*
+- GP path: *Windows Components/Event Log Service/Application*
- GP ADMX file name: *eventlog.admx*
@@ -120,12 +137,12 @@ ADMX Info:
-
2
-
2
-
2
-
2
-
2
-
2
+
+
+
+
+
+
@@ -138,10 +155,18 @@ If you enable this policy setting, you can configure the maximum log file size t
If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Specify the maximum log file size (KB)*
- GP name: *Channel_LogMaxSize_2*
+- GP path: *Windows Components/Event Log Service/Security*
- GP ADMX file name: *eventlog.admx*
@@ -162,12 +187,12 @@ ADMX Info:
-
2
-
2
-
2
-
2
-
2
-
2
+
+
+
+
+
+
@@ -180,10 +205,18 @@ If you enable this policy setting, you can configure the maximum log file size t
If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Specify the maximum log file size (KB)*
- GP name: *Channel_LogMaxSize_4*
+- GP path: *Windows Components/Event Log Service/System*
- GP ADMX file name: *eventlog.admx*
diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md
index d0a5edf221..82e380c156 100644
--- a/windows/client-management/mdm/policy-csp-experience.md
+++ b/windows/client-management/mdm/policy-csp-experience.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - Experience
@@ -143,6 +144,46 @@ author: nickbrower
Most restricted value is 0.
+
+
+
+**Experience/AllowFindMyDevice**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
2
+
2
+
2
+
2
+
2
+
2
+
+
+
+
+
+
Added in Windows 10, version 1703. This policy turns on Find My Device.
+
+
When Find My Device is on, the device and its location are registered in the cloud so that the device can be located when the user initiates a Find command from account.microsoft.com. In Windows 10, version 1709 devices that are compatible with active digitizers, enabling Find My Device will also allow the user to view the last location of use of their active digitizer on their device; this location is stored locally on the user's device after each use of their active digitizer.
+
+
When Find My Device is off, the device and its location are not registered and the Find My Device feature will not work. In Windows 10, version 1709 the user will not be able to view the location of the last use of their active digitizer on their device.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
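Review bot: The new Experience/AllowFindMyDevice section lists "1 (default) – Allowed" but omits the "Most restricted value is 0." line that the preceding policy carries (visible in this hunk's leading context). Because the enabled state registers the device and its location in the cloud, the restrictive value should be called out the same way. The sentence beginning "In Windows 10, version 1709 devices that are compatible with active digitizers" is also ambiguous about whether 1709 qualifies the OS or the devices; a comma after "1709" and "on devices" would settle it.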
diff --git a/windows/client-management/mdm/policy-csp-games.md b/windows/client-management/mdm/policy-csp-games.md
index 65d798cab5..9e5de02b1b 100644
--- a/windows/client-management/mdm/policy-csp-games.md
+++ b/windows/client-management/mdm/policy-csp-games.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - Games
@@ -21,29 +22,6 @@ author: nickbrower
**Games/AllowAdvancedGamingServices**
-
-
@@ -52,10 +53,18 @@ If you enable this policy setting, the user can add and remove search providers,
If you disable or do not configure this policy setting, the user can configure their list of search providers unless another policy setting restricts such configuration.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Add a specific list of search providers to the user's list of search providers*
- GP name: *AddSearchProvider*
+- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
@@ -75,13 +84,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -94,10 +103,18 @@ If you enable this policy setting, ActiveX Filtering is enabled by default for t
If you disable or do not configure this policy setting, ActiveX Filtering is not enabled by default for the user. The user can turn ActiveX Filtering on or off.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Turn on ActiveX Filtering*
- GP name: *TurnOnActiveXFiltering*
+- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
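Review bot: In the added line "You must specify the data type in the SyncML as ...", the `Format` element is written as raw markup, so a Markdown renderer will treat it as an HTML tag and the reader is likely to see only "chr". Wrap the whole element in backticks (`<Format>chr</Format>`) so it displays literally and can be copied as written.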
@@ -117,13 +134,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -142,49 +159,150 @@ Value - A number indicating whether Internet Explorer should deny or allow the a
If you disable this policy setting, the list is deleted. The 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting will still determine whether add-ons not in this list are assumed to be denied.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Add-on List*
- GP name: *AddonManagement_AddOnList*
+- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/AllowAutoComplete**
+**InternetExplorer/AllowAutoComplete**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Turn on the auto-complete feature for user names and passwords on forms*
- GP name: *RestrictFormSuggestPW*
+- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/AllowCertificateAddressMismatchWarning**
+**InternetExplorer/AllowCertificateAddressMismatchWarning**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Turn on certificate address mismatch warning*
- GP name: *IZ_PolicyWarnCertMismatch*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/AllowDeletingBrowsingHistoryOnExit**
+**InternetExplorer/AllowDeletingBrowsingHistoryOnExit**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Allow deleting browsing history on exit*
- GP name: *DBHDisableDeleteOnExit*
+- GP path: *Windows Components/Internet Explorer/Delete Browsing History*
- GP ADMX file name: *inetres.admx*
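Review bot: The three entries added here (`AllowAutoComplete`, `AllowCertificateAddressMismatchWarning`, `AllowDeletingBrowsingHistoryOnExit`) get a heading, an edition table, the tip and ADMX info, but no description of what enabling or disabling does, unlike the neighbouring entries ("If you disable this policy setting, the list is deleted..."). The gap matters because the names pull in opposite directions: `AllowAutoComplete` maps to `RestrictFormSuggestPW`, and `AllowDeletingBrowsingHistoryOnExit` maps to `DBHDisableDeleteOnExit`, so a reader cannot tell which state turns the feature on. Please add the enable/disable/not-configured text for each before this lands.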
@@ -204,13 +322,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -225,10 +343,18 @@ If you disable this policy setting, Enhanced Protected Mode will be turned off.
If you do not configure this policy, users will be able to turn on or turn off Enhanced Protected Mode on the Advanced tab of the Internet Options dialog.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Turn on Enhanced Protected Mode*
- GP name: *Advanced_EnableEnhancedProtectedMode*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page*
- GP ADMX file name: *inetres.admx*
@@ -248,13 +374,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -267,10 +393,18 @@ If you turn this setting on, users can see and use the Enterprise Mode option fr
If you disable or don't configure this policy setting, the menu option won't appear and users won't be able to run websites in Enterprise Mode.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Let users turn on and use Enterprise Mode from the Tools menu*
- GP name: *EnterpriseModeEnable*
+- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
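Review bot: The CDATA reference in the added tip links to `http://www.w3.org/TR/REC-xml/#sec-cdata-sect`. Use the `https://` form of that URL, here and in the other copies of this tip.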
@@ -290,13 +424,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -309,23 +443,62 @@ If you enable this policy setting, Internet Explorer downloads the website list
If you disable or don't configure this policy setting, Internet Explorer opens all websites using Standards mode.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Use the Enterprise Mode IE website list*
- GP name: *EnterpriseModeSiteList*
+- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/AllowFallbackToSSL3**
+**InternetExplorer/AllowFallbackToSSL3**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Allow fallback to SSL 3.0 (Internet Explorer)*
- GP name: *Advanced_EnableSSL3Fallback*
+- GP path: *Windows Components/Internet Explorer/Security Features*
- GP ADMX file name: *inetres.admx*
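Review bot: `InternetExplorer/AllowFallbackToSSL3` is added at the end of this hunk with no description between the edition table and the tip. For a protocol-downgrade setting, the entry should state which value blocks fallback to SSL 3.0, which value permits it, and what applies when the policy is not configured. As written, an admin has only the GP name `Advanced_EnableSSL3Fallback` to go on.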
@@ -345,13 +518,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -364,10 +537,18 @@ If you enable this policy setting, the user can add and remove sites from the li
If you disable or do not configure this policy setting, the user can add and remove sites from the list.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Use Policy List of Internet Explorer 7 sites*
- GP name: *CompatView_UsePolicyList*
+- GP path: *Windows Components/Internet Explorer/Compatibility View*
- GP ADMX file name: *inetres.admx*
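Review bot: The added tip points admins to "a variety of online encoders" for XML-encoding the SyncML payload, and for a policy like this one the payload is the organization's own site list. Recommend encoding locally, or lead with the CDATA option the same paragraph already mentions, so policy contents are not pasted into third-party sites.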
@@ -387,13 +568,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -408,10 +589,18 @@ If you disable this policy setting, Internet Explorer uses an Internet Explorer
If you do not configure this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. This option results in the greatest compatibility with existing webpages, but newer content written to common Internet standards may be displayed incorrectly. This option matches the default behavior of Internet Explorer.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Turn on Internet Explorer Standards Mode for local intranet*
- GP name: *CompatView_IntranetSites*
+- GP path: *Windows Components/Internet Explorer/Compatibility View*
- GP ADMX file name: *inetres.admx*
@@ -431,13 +620,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -456,10 +645,18 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate
Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Internet Zone Template*
- GP name: *IZ_PolicyInternetZoneTemplate*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
@@ -479,13 +676,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -504,10 +701,18 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate
Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Intranet Zone Template*
- GP name: *IZ_PolicyIntranetZoneTemplate*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
@@ -527,13 +732,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -552,10 +757,18 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate
Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Local Machine Zone Template*
- GP name: *IZ_PolicyLocalMachineZoneTemplate*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
@@ -575,13 +788,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -600,10 +813,18 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate
Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Locked-Down Internet Zone Template*
- GP name: *IZ_PolicyInternetZoneLockdownTemplate*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
@@ -623,13 +844,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -648,10 +869,18 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate
Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Locked-Down Intranet Zone Template*
- GP name: *IZ_PolicyIntranetZoneLockdownTemplate*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
@@ -671,13 +900,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -696,10 +925,18 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate
Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Locked-Down Local Machine Zone Template*
- GP name: *IZ_PolicyLocalMachineZoneLockdownTemplate*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
@@ -719,13 +956,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -744,10 +981,18 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate
Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Locked-Down Restricted Sites Zone Template*
- GP name: *IZ_PolicyRestrictedSitesZoneLockdownTemplate*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
@@ -767,13 +1012,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -786,10 +1031,18 @@ If you enable this policy setting, Internet Explorer goes directly to an intrane
If you disable or do not configure this policy setting, Internet Explorer does not go directly to an intranet site for a one-word entry in the Address bar.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Go to an intranet site for a one-word entry in the Address bar*
- GP name: *UseIntranetSiteForOneWordEntry*
+- GP path: *Windows Components/Internet Explorer/Internet Settings/Advanced settings/Browsing*
- GP ADMX file name: *inetres.admx*
@@ -809,13 +1062,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -834,23 +1087,62 @@ Value - A number indicating the zone with which this site should be associated f
If you disable or do not configure this policy, users may choose their own site-to-zone assignments.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Site to Zone Assignment List*
- GP name: *IZ_Zonemaps*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/AllowSoftwareWhenSignatureIsInvalid**
+**InternetExplorer/AllowSoftwareWhenSignatureIsInvalid**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Allow software to run or install even if the signature is invalid*
- GP name: *Advanced_InvalidSignatureBlock*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page*
- GP ADMX file name: *inetres.admx*
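Review bot: `InternetExplorer/AllowSoftwareWhenSignatureIsInvalid` is added with no description, and its CSP name ("Allow...") and its GP name `Advanced_InvalidSignatureBlock` ("...Block") read as opposites. Please state explicitly which setting lets software with an invalid signature run or install and which prevents it, plus the not-configured behaviour, so the policy cannot be enabled in the wrong direction by reading the name alone.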
@@ -870,13 +1162,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -891,10 +1183,18 @@ If you disable this policy setting, the entry points and functionality associate
If you do not configure this policy setting, the user can turn on and turn off the Suggested Sites feature.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Turn on Suggested Sites*
- GP name: *EnableSuggestedSites*
+- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
@@ -914,13 +1214,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -939,10 +1239,18 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate
Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Trusted Sites Zone Template*
- GP name: *IZ_PolicyTrustedSitesZoneTemplate*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
@@ -962,13 +1270,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -987,10 +1295,18 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate
Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Locked-Down Trusted Sites Zone Template*
- GP name: *IZ_PolicyTrustedSitesZoneLockdownTemplate*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
@@ -1010,13 +1326,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -1035,49 +1351,150 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate
Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Restricted Sites Zone Template*
- GP name: *IZ_PolicyRestrictedSitesZoneTemplate*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/CheckServerCertificateRevocation**
+**InternetExplorer/CheckServerCertificateRevocation**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Check for server certificate revocation*
- GP name: *Advanced_CertificateRevocation*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/CheckSignaturesOnDownloadedPrograms**
+**InternetExplorer/CheckSignaturesOnDownloadedPrograms**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Check for signatures on downloaded programs*
- GP name: *Advanced_DownloadSignatures*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses**
+**InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Internet Explorer Processes*
- GP name: *IESF_PolicyExplorerProcesses_2*
+- GP path: *Windows Components/Internet Explorer/Security Features/Binary Behavior Security Restriction*
- GP ADMX file name: *inetres.admx*
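Review bot: The three policy sections added in this hunk (`InternetExplorer/CheckServerCertificateRevocation`, `InternetExplorer/CheckSignaturesOnDownloadedPrograms`, `InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses`) go straight from the edition table to the TIP and ADMX Info, with no description of what the enabled, disabled and not-configured states do. For settings that govern certificate revocation checking and signature checks on downloaded programs, an admin needs that text to know which state is the hardened one; please add a description, as the sections with "If you enable this policy setting..." text already have. Also check the added path for `IESF_PolicyExplorerProcesses_2`: it points at *Security Features/Binary Behavior Security Restriction*, which does not match a policy named for consistent MIME handling.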
@@ -1097,13 +1514,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -1118,23 +1535,62 @@ If you disable, or do not configure this policy setting, Flash is turned on for
Note that Adobe Flash can still be disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings, even if this policy setting is disabled, or not configured. However, if Adobe Flash is disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings and not through this policy setting, all applications that use Internet Explorer technology to instantiate Flash object can still do so. For more information, see "Group Policy Settings in Internet Explorer 10" in the Internet Explorer TechNet library.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects*
- GP name: *DisableFlashInIE*
+- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/DisableBlockingOfOutdatedActiveXControls**
+**InternetExplorer/DisableBlockingOfOutdatedActiveXControls**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Turn off blocking of outdated ActiveX controls for Internet Explorer*
- GP name: *VerMgmtDisable*
+- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management*
- GP ADMX file name: *inetres.admx*
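Review bot: In the added TIP block, the second and third paragraphs are separated from the first by an empty line rather than a `>` line, so the `[!TIP]` alert ends after the first sentence and the other two paragraphs become separate plain blockquotes. Put a bare `>` on the separator lines to keep all three inside the alert. In the same block, `<Format>chr</Format>` is written as raw markup and may be consumed as an HTML tag by the renderer; wrap it in backticks. Both points apply to every copy of this block in the patch.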
@@ -1154,13 +1610,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -1173,10 +1629,18 @@ If you enable this policy setting, SmartScreen Filter warnings block the user.
If you disable or do not configure this policy setting, the user can bypass SmartScreen Filter warnings.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Prevent bypassing SmartScreen Filter warnings*
- GP name: *DisableSafetyFilterOverride*
+- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
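Review bot: The third TIP paragraph points admins at "a variety of online encoders" for XML-encoding the SyncML payload, here on a setting that controls whether users can bypass SmartScreen Filter warnings. Pasting device-management payloads into third-party web tools is a habit the docs should not encourage; lead with the CDATA option or describe escaping the XML locally, and drop the online-encoder wording. The CDATA reference also links to `http://www.w3.org/TR/REC-xml/#sec-cdata-sect`; use the `https` form.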
@@ -1196,13 +1660,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -1215,36 +1679,106 @@ If you enable this policy setting, SmartScreen Filter warnings block the user.
If you disable or do not configure this policy setting, the user can bypass SmartScreen Filter warnings.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet*
- GP name: *DisableSafetyFilterOverrideForAppRepUnknown*
+- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/DisableConfiguringHistory**
+**InternetExplorer/DisableConfiguringHistory**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Disable "Configuring History"*
- GP name: *RestrictHistory*
+- GP path: *Windows Components/Internet Explorer/Delete Browsing History*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/DisableCrashDetection**
+**InternetExplorer/DisableCrashDetection**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Turn off Crash Detection*
- GP name: *AddonManagement_RestrictCrashDetection*
+- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
@@ -1264,13 +1798,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -1285,23 +1819,62 @@ If you disable this policy setting, the user must participate in the CEIP, and t
If you do not configure this policy setting, the user can choose to participate in the CEIP.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Prevent participation in the Customer Experience Improvement Program*
- GP name: *SQM_DisableCEIP*
+- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/DisableDeletingUserVisitedWebsites**
+**InternetExplorer/DisableDeletingUserVisitedWebsites**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Prevent deleting websites that the user has visited*
- GP name: *DBHDisableDeleteHistory*
+- GP path: *Windows Components/Internet Explorer/Delete Browsing History*
- GP ADMX file name: *inetres.admx*
@@ -1321,13 +1894,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -1340,10 +1913,18 @@ If you enable this policy setting, the user cannot set the Feed Sync Engine to d
If you disable or do not configure this policy setting, the user can set the Feed Sync Engine to download an enclosure through the Feed property page. A developer can change the download setting through the Feed APIs.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Prevent downloading of enclosures*
- GP name: *Disable_Downloading_of_Enclosures*
+- GP path: *Windows Components/RSS Feeds*
- GP ADMX file name: *inetres.admx*
@@ -1363,13 +1944,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -1384,10 +1965,18 @@ If you disable or do not configure this policy setting, the user can select whic
Note: SSL 2.0 is off by default and is no longer supported starting with Windows 10 Version 1607. SSL 2.0 is an outdated security protocol, and enabling SSL 2.0 impairs the performance and functionality of TLS 1.0.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Turn off encryption support*
- GP name: *Advanced_SetWinInetProtocols*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page*
- GP ADMX file name: *inetres.admx*
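Review bot: The added TIP only covers how to "enable or disable" the policy, but the context lines for *Turn off encryption support* indicate the setting governs which protocols can be selected. If `Advanced_SetWinInetProtocols` takes a value in addition to the enabled state, the generic link to "Enabling a policy" is not enough; this section should state how the protocol selection is passed in the SyncML payload, since a wrong or missing value here decides which SSL/TLS versions stay on.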
@@ -1407,13 +1996,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -1430,10 +2019,18 @@ Starting with Windows 8, the "Welcome to Internet Explorer" webpage is not avail
If you disable or do not configure this policy setting, Internet Explorer may run the First Run wizard the first time the browser is started after installation.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Prevent running First Run wizard*
- GP name: *NoFirstRunCustomise*
+- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
@@ -1453,13 +2050,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -1476,10 +2073,18 @@ If you disable this policy setting, flip ahead with page prediction is turned on
If you don't configure this setting, users can turn this behavior on or off, using the Settings charm.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Turn off the flip ahead with page prediction feature*
- GP name: *Advanced_DisableFlipAhead*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page*
- GP ADMX file name: *inetres.admx*
@@ -1499,13 +2104,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -1518,49 +2123,150 @@ If you enable this policy setting, a user cannot set a custom default home page.
If you disable or do not configure this policy setting, the Home page box is enabled and users can choose their own home page.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Disable changing home page settings*
- GP name: *RestrictHomePage*
+- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/DisableIgnoringCertificateErrors**
+**InternetExplorer/DisableIgnoringCertificateErrors**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Prevent ignoring certificate errors*
- GP name: *NoCertError*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/DisableInPrivateBrowsing**
+**InternetExplorer/DisableInPrivateBrowsing**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Turn off InPrivate Browsing*
- GP name: *DisableInPrivateBrowsing*
+- GP path: *Windows Components/Internet Explorer/Privacy*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/DisableProcessesInEnhancedProtectedMode**
+**InternetExplorer/DisableProcessesInEnhancedProtectedMode**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows*
- GP name: *Advanced_EnableEnhancedProtectedMode64Bit*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page*
- GP ADMX file name: *inetres.admx*
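Review bot: `InternetExplorer/DisableProcessesInEnhancedProtectedMode` is mapped here to the GP setting "Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows" (`Advanced_EnableEnhancedProtectedMode64Bit`), so the policy name and the GP name read with opposite polarity, and the section has no description to say what Enabled actually does. Please add text stating the effect of Enabled and Disabled for this policy. `InternetExplorer/DisableIgnoringCertificateErrors` and `InternetExplorer/DisableInPrivateBrowsing` in this hunk are likewise added without any description.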
@@ -1580,13 +2286,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -1599,10 +2305,18 @@ If you enable this policy setting, the user will not be able to configure proxy
If you disable or do not configure this policy setting, the user can configure proxy settings.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Prevent changing proxy settings*
- GP name: *RestrictProxy*
+- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
@@ -1622,13 +2336,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -1641,10 +2355,18 @@ If you enable this policy setting, the user cannot change the default search pro
If you disable or do not configure this policy setting, the user can change the default search provider.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Prevent changing the default search provider*
- GP name: *NoSearchProvider*
+- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
@@ -1664,13 +2386,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -1685,23 +2407,62 @@ If you disable or do not configure this policy setting, the user can add seconda
Note: If the Disable Changing Home Page Settings policy is enabled, the user cannot add secondary home pages.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Disable changing secondary home page settings*
- GP name: *SecondaryHomePages*
+- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/DisableSecuritySettingsCheck**
+**InternetExplorer/DisableSecuritySettingsCheck**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Turn off the Security Settings Check feature*
- GP name: *Disable_Security_Settings_Check*
+- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
@@ -1721,13 +2482,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -1742,23 +2503,62 @@ If you disable this policy or do not configure it, Internet Explorer checks ever
This policy is intended to help the administrator maintain version control for Internet Explorer by preventing users from being notified about new versions of the browser.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Disable Periodic Check for Internet Explorer software updates*
- GP name: *NoUpdateCheck*
+- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/DoNotAllowActiveXControlsInProtectedMode**
+**InternetExplorer/DoNotAllowActiveXControlsInProtectedMode**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled*
- GP name: *Advanced_DisableEPMCompat*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page*
- GP ADMX file name: *inetres.admx*
@@ -1778,13 +2578,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -1803,10 +2603,18 @@ Note: The "Disable the Security page" policy (located in \User Configuration\Ad
Also, see the "Security zones: Use only machine settings" policy.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Security Zones: Do not allow users to add/delete sites*
- GP name: *Security_zones_map_edit*
+- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
@@ -1826,13 +2634,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -1851,10 +2659,18 @@ Note: The "Disable the Security page" policy (located in \User Configuration\Adm
Also, see the "Security zones: Use only machine settings" policy.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Security Zones: Do not allow users to change policies*
- GP name: *Security_options_edit*
+- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
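Review bot: The last paragraph of the added tip points admins to "a variety of online encoders" for XML-encoding the SyncML payload, which amounts to advising them to paste policy payloads into third-party sites. Lead with the CDATA option that the same paragraph already offers, or name a local way to do the escaping, and drop the online-encoder wording. The CDATA reference is linked as `http://www.w3.org/TR/REC-xml/#sec-cdata-sect`; use the https form.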
@@ -1874,13 +2690,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -1895,10 +2711,18 @@ If you disable or don't configure this policy setting, Internet Explorer continu
For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Turn off blocking of outdated ActiveX controls for Internet Explorer*
- GP name: *VerMgmtDisable*
+- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management*
- GP ADMX file name: *inetres.admx*
@@ -1918,13 +2742,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -1943,10 +2767,18 @@ If you disable or don't configure this policy setting, the list is deleted and I
For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains*
- GP name: *VerMgmtDomainAllowlist*
+- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management*
- GP ADMX file name: *inetres.admx*
@@ -1966,13 +2798,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -1987,10 +2819,18 @@ If you disable this policy setting, local sites which are not explicitly mapped
If you do not configure this policy setting, users choose whether to force local sites into the Intranet Zone.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Intranet Sites: Include all local (intranet) sites not listed in other zones*
- GP name: *IZ_IncludeUnspecifiedLocalSites*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
@@ -2010,13 +2850,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -2031,10 +2871,18 @@ If you disable this policy setting, network paths are not necessarily mapped int
If you do not configure this policy setting, users choose whether network paths are mapped into the Intranet Zone.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Intranet Sites: Include all network paths (UNCs)*
- GP name: *IZ_UNCAsIntranet*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
@@ -2054,13 +2902,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -2075,10 +2923,18 @@ If you disable this policy setting, users cannot load a page in the zone that us
If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Access data sources across domains*
- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -2098,13 +2954,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -2119,10 +2975,18 @@ If you disable this policy setting, ActiveX control installations will be blocke
If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Automatic prompting for ActiveX controls*
- GP name: *IZ_PolicyNotificationBarActiveXURLaction_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -2142,13 +3006,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -2161,36 +3025,106 @@ If you enable this setting, users will receive a file download dialog for automa
If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Automatic prompting for file downloads*
- GP name: *IZ_PolicyNotificationBarDownloadURLaction_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/InternetZoneAllowCopyPasteViaScript**
+**InternetExplorer/InternetZoneAllowCopyPasteViaScript**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Allow cut, copy or paste operations from the clipboard via script*
- GP name: *IZ_PolicyAllowPasteViaScript_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles**
+**InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Allow drag and drop or copy and paste files*
- GP name: *IZ_PolicyDropOrPasteFiles_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
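Review bot: The two sections filled in here, InternetZoneAllowCopyPasteViaScript and InternetZoneAllowDragAndDropCopyAndPasteFiles, go from the edition list straight to the tip and the ADMX Info with no description visible, while the neighbouring policies in this file state what enabling, disabling and not configuring the setting does. Both settings control what script and drag-and-drop can do in the Internet zone, so an admin needs that text to choose a value. Add the three-state description before the tip, or mark the sections as incomplete until it is available.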
@@ -2210,13 +3144,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -2231,10 +3165,18 @@ If you disable this policy setting, HTML fonts are prevented from downloading.
If you do not configure this policy setting, HTML fonts can be downloaded automatically.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Allow font downloads*
- GP name: *IZ_PolicyFontDownload_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -2254,13 +3196,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -2275,23 +3217,62 @@ If you disable this policy setting, the possibly harmful navigations are prevent
If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
- GP name: *IZ_PolicyZoneElevationURLaction_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/InternetZoneAllowLoadingOfXAMLFilesWRONG**
+**InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Allow loading of XAML files*
- GP name: *IZ_Policy_XAML_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
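Review bot: The heading change from `InternetZoneAllowLoadingOfXAMLFilesWRONG` to `InternetZoneAllowLoadingOfXAMLFiles` alters the policy name that readers copy from this page and any anchor generated from the heading. Confirm that every table of contents entry or link that used the old name is updated in the same change. The section also still has no description between the edition list and the tip.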
@@ -2311,13 +3292,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -2332,62 +3313,194 @@ If you disable this policy setting, Internet Explorer will not execute unsigned
If you do not configure this policy setting, Internet Explorer will execute unsigned managed components.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls**
+**InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Allow only approved domains to use ActiveX controls without prompt*
-- GP name: *IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Intranet*
+- GP name: *IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Internet*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl**
+**InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Allow only approved domains to use the TDC ActiveX control*
-- GP name: *IZ_PolicyAllowTDCControl_Both_LocalMachine*
+- GP name: *IZ_PolicyAllowTDCControl_Both_Internet*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/InternetZoneAllowScriptInitiatedWindows**
+**InternetExplorer/InternetZoneAllowScriptInitiatedWindows**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Allow script-initiated windows without size or position constraints*
-- GP name: *IZ_PolicyWindowsRestrictionsURLaction_6*
+- GP name: *IZ_PolicyWindowsRestrictionsURLaction_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls**
+**InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Allow scripting of Internet Explorer WebBrowser controls*
- GP name: *IZ_Policy_WebBrowserControl_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
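Review bot: Three GP names in this hunk are not editorial fixes but change the zone the entry maps to: `IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Intranet` becomes `..._Both_Internet`, `IZ_PolicyAllowTDCControl_Both_LocalMachine` becomes `IZ_PolicyAllowTDCControl_Both_Internet`, and `IZ_PolicyWindowsRestrictionsURLaction_6` becomes `..._1`. The new values match the `_1` and `_Both_Internet` suffixes used by the other InternetZone entries here, but each should be checked against inetres.admx and called out in the change description, since anyone who configured these settings from the old text was pointed at a different zone's policy.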
@@ -2407,13 +3520,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -2428,10 +3541,18 @@ If you disable this policy setting, the user cannot run scriptlets.
If you do not configure this policy setting, the user can enable or disable scriptlets.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Allow scriptlets*
- GP name: *IZ_Policy_AllowScriptlets_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -2451,13 +3572,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -2474,23 +3595,62 @@ If you do not configure this policy setting, the user can choose whether SmartSc
Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Turn on SmartScreen Filter scan*
- GP name: *IZ_Policy_Phishing_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript**
+**InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Allow updates to status bar via script*
- GP name: *IZ_Policy_ScriptStatusBar_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -2510,13 +3670,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -2531,140 +3691,414 @@ If you disable this policy setting, users cannot preserve information in the bro
If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Userdata persistence*
- GP name: *IZ_PolicyUserdataPersistence_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG1**
+**InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Don't run antimalware programs against ActiveX controls*
- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG2**
+**InternetExplorer/InternetZoneDownloadSignedActiveXControls**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-ADMX Info:
-- GP english name: *Don't run antimalware programs against ActiveX controls*
-- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_3*
-- GP ADMX file name: *inetres.admx*
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-
-
-**InternetExplorer/InternetZoneDownloadSignedActiveXControls**
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
-
ADMX Info:
- GP english name: *Download signed ActiveX controls*
-- GP name: *IZ_PolicyDownloadSignedActiveX_3*
+- GP name: *IZ_PolicyDownloadSignedActiveX_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/InternetZoneDownloadUnsignedActiveXControls**
+**InternetExplorer/InternetZoneDownloadUnsignedActiveXControls**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Download unsigned ActiveX controls*
- GP name: *IZ_PolicyDownloadUnsignedActiveX_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter**
+**InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Turn on Cross-Site Scripting Filter*
-- GP name: *IZ_PolicyTurnOnXSSFilter_Both_LocalMachine*
+- GP name: *IZ_PolicyTurnOnXSSFilter_Both_Internet*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows**
+**InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Enable dragging of content from different domains across windows*
- GP name: *IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Internet*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows**
+**InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Enable dragging of content from different domains within a window*
- GP name: *IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Internet*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/InternetZoneEnableMIMESniffing**
+**InternetExplorer/InternetZoneEnableMIMESniffing**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Enable MIME Sniffing*
- GP name: *IZ_PolicyMimeSniffingURLaction_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/InternetZoneEnableProtectedMode**
+**InternetExplorer/InternetZoneEnableProtectedMode**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Turn on Protected Mode*
-- GP name: *IZ_Policy_TurnOnProtectedMode_2*
+- GP name: *IZ_Policy_TurnOnProtectedMode_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer**
+**InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Include local path when user is uploading files to a server*
- GP name: *IZ_Policy_LocalPathForUpload_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
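Review bot: The blank `+` lines between the three `>` paragraphs of each added tip end the `[!TIP]` callout after its first paragraph, so the `<Format>chr</Format>` and XML-encoding paragraphs render as separate plain blockquotes rather than as part of the tip. Put a bare `>` on the separator lines so all three paragraphs stay inside one callout. The same three paragraphs are pasted under every policy in this hunk; a single shared section that each entry links to would keep the copies from drifting apart.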
@@ -2684,13 +4118,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -2707,75 +4141,179 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar
If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe**
+**InternetExplorer/InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
1
+
1
+
+
1
+
1
+
1
+
1
+
+
+
+
-
-ADMX Info:
-- GP english name: *Initialize and script ActiveX controls not marked as safe*
-- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_1*
-- GP ADMX file name: *inetres.admx*
-
-
-**InternetExplorer/InternetZoneJavaPermissionsWRONG1**
+**InternetExplorer/InternetZoneJavaPermissions**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Java permissions*
- GP name: *IZ_PolicyJavaPermissions_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/InternetZoneJavaPermissionsWRONG2**
+**InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-ADMX Info:
-- GP english name: *Java permissions*
-- GP name: *IZ_PolicyJavaPermissions_3*
-- GP ADMX file name: *inetres.admx*
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-
-
-**InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME**
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
-
ADMX Info:
- GP english name: *Launching applications and files in an IFRAME*
- GP name: *IZ_PolicyLaunchAppsAndFilesInIFRAME_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/InternetZoneLogonOptions**
+**InternetExplorer/InternetZoneLogonOptions**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Logon options*
- GP name: *IZ_PolicyLogon_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
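Review bot: The second `**InternetExplorer/InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe**` heading is kept while the ADMX Info block that followed it is removed, so the page now has a stub entry with only an editions table, placed directly after the full entry that already documents `IZ_PolicyScriptActiveXNotMarkedSafe_1`. Drop the duplicate heading and its table as well, in the same way the `WRONG1`/`WRONG2` Java permissions headings are cleaned up further down in this hunk.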
@@ -2795,13 +4333,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -2816,75 +4354,238 @@ If you disable this policy setting, users cannot open windows and frames to acce
If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Navigate windows and frames across different domains*
- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsNotSignedWithAuthenticode**
+**InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsNotSignedWithAuthenticode**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode**
+**InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Run .NET Framework-reliant components signed with Authenticode*
- GP name: *IZ_PolicySignedFrameworkComponentsURLaction_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles**
+**InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Show security warning for potentially unsafe files*
- GP name: *IZ_Policy_UnsafeFiles_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/InternetZoneUsePopupBlocker**
+**InternetExplorer/InternetZoneUsePopupBlocker**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Use Pop-up Blocker*
- GP name: *IZ_PolicyBlockPopupWindows_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/InternetZoneWebsitesInLessPrivilegedZonesCanNavigateIntoThisZone**
+**InternetExplorer/InternetZoneWebsitesInLessPrivilegedZonesCanNavigateIntoThisZone**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
- GP name: *IZ_PolicyZoneElevationURLaction_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
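Review bot: The entries reworked in this hunk (for example `InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles`, `InternetZoneUsePopupBlocker` and `InternetZoneWebsitesInLessPrivilegedZonesCanNavigateIntoThisZone`) go straight from the editions table to the SyncML tip and ADMX Info with no description of what enabling, disabling or not configuring the setting does. The "Navigate windows and frames across different domains" entry at the top of the hunk has that text, and these zone settings need it just as much for an administrator to choose a value. Separately, the unchanged line above the first added tip reads "from othe domains"; worth fixing while this block is being touched.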
@@ -2904,13 +4605,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -2925,10 +4626,18 @@ If you disable this policy setting, users cannot load a page in the zone that us
If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Access data sources across domains*
- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_3*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
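Review bot: The third tip paragraph added here says "there are a variety of online encoders that you can use", which sends administrators to third-party sites to encode MDM policy payloads. Suggest leading with the CDATA option and pointing to a local way of XML-encoding the payload instead of online tools. The W3C reference in the same line is linked over `http://` and could use `https://`.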
@@ -2948,13 +4657,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -2969,10 +4678,18 @@ If you disable this policy setting, ActiveX control installations will be blocke
If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Automatic prompting for ActiveX controls*
- GP name: *IZ_PolicyNotificationBarActiveXURLaction_3*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
@@ -2992,13 +4709,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -3011,10 +4728,18 @@ If you enable this setting, users will receive a file download dialog for automa
If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Automatic prompting for file downloads*
- GP name: *IZ_PolicyNotificationBarDownloadURLaction_3*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
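Review bot: The description directly above the added tip appears to give the same outcome for both states: the hunk header context reads "If you enable this setting, users will receive a file download dialog for automa" and the next line says that with the setting disabled or not configured "users will receive a file download dialog for automatic download attempts". Please check this against the explain text in inetres.admx for `IZ_PolicyNotificationBarDownloadURLaction_3` and correct whichever sentence is wrong before layering the SyncML tip on top of it.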
@@ -3034,13 +4759,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -3055,10 +4780,18 @@ If you disable this policy setting, HTML fonts are prevented from downloading.
If you do not configure this policy setting, HTML fonts can be downloaded automatically.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Allow font downloads*
- GP name: *IZ_PolicyFontDownload_3*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
@@ -3078,13 +4811,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -3099,10 +4832,18 @@ If you disable this policy setting, the possibly harmful navigations are prevent
If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
- GP name: *IZ_PolicyZoneElevationURLaction_3*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
@@ -3122,13 +4863,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -3143,10 +4884,18 @@ If you disable this policy setting, Internet Explorer will not execute unsigned
If you do not configure this policy setting, Internet Explorer will execute unsigned managed components.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_3*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
@@ -3166,13 +4915,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -3187,10 +4936,18 @@ If you disable this policy setting, the user cannot run scriptlets.
If you do not configure this policy setting, the user can enable or disable scriptlets.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Allow scriptlets*
- GP name: *IZ_Policy_AllowScriptlets_3*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
@@ -3210,13 +4967,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -3233,10 +4990,18 @@ If you do not configure this policy setting, the user can choose whether SmartSc
Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Turn on SmartScreen Filter scan*
- GP name: *IZ_Policy_Phishing_3*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
@@ -3256,13 +5021,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -3277,10 +5042,62 @@ If you disable this policy setting, users cannot preserve information in the bro
If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Userdata persistence*
- GP name: *IZ_PolicyUserdataPersistence_3*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP english name: *Don't run antimalware programs against ActiveX controls*
+- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_3*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
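Review bot: The new `IntranetZoneDoNotRunAntimalwareAgainstActiveXControls` entry has a negated name ("Don't run antimalware programs against ActiveX controls") but no text saying what enabled, disabled and not configured each do, so a reader cannot tell from this page which value keeps the antimalware check in place. Add the three-state description between the editions table and the tip, as the "Userdata persistence" entry earlier in this hunk has.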
@@ -3300,13 +5117,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -3323,10 +5140,106 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar
If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_3*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/IntranetZoneInitializeAndScriptActiveXControlsNotMarkedSafe**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP english name: *Initialize and script ActiveX controls not marked as safe*
+- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_3*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/IntranetZoneJavaPermissions**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP english name: *Java permissions*
+- GP name: *IZ_PolicyJavaPermissions_3*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
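Review bot: The new `InternetExplorer/IntranetZoneInitializeAndScriptActiveXControlsNotMarkedSafe` section maps to GP name `IZ_PolicyScriptActiveXNotMarkedSafe_3`, the same GP name that the preceding entry's ADMX Info lists at the top of this hunk. If two policy nodes really do back onto one Group Policy setting, say so in the text; otherwise one of the mappings is a copy-paste error. Both this section and `IntranetZoneJavaPermissions` also go straight from the edition table to the TIP with no enabled/disabled/not-configured description, unlike the neighbouring entries.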
@@ -3346,13 +5259,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -3367,10 +5280,18 @@ If you disable this policy setting, users cannot open windows and frames to acce
If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Navigate windows and frames across different domains*
- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_3*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
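Review bot: The context line directly above the added TIP reads "from othe domains". Since the patch is already editing around that paragraph, correct it to "other" here and in the identical sentence in the Local Machine Zone hunk for `IZ_PolicyNavigateSubframesAcrossDomains_9`.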
@@ -3390,13 +5311,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -3411,10 +5332,18 @@ If you disable this policy setting, users cannot load a page in the zone that us
If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Access data sources across domains*
- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_9*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
@@ -3434,13 +5363,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -3455,10 +5384,18 @@ If you disable this policy setting, ActiveX control installations will be blocke
If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Automatic prompting for ActiveX controls*
- GP name: *IZ_PolicyNotificationBarActiveXURLaction_9*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
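Review bot: The third TIP paragraph points admins at "a variety of online encoders" for XML-encoding the SyncML payload. Policy payloads can carry internal URLs, site lists and other tenant configuration, so the text should recommend encoding locally, or using CDATA as the next sentence already offers, instead of pasting payloads into third-party sites. The CDATA link also uses `http://www.w3.org/...`; switch it to `https`.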
@@ -3478,13 +5415,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -3497,10 +5434,18 @@ If you enable this setting, users will receive a file download dialog for automa
If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Automatic prompting for file downloads*
- GP name: *IZ_PolicyNotificationBarDownloadURLaction_9*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
@@ -3520,13 +5465,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -3541,10 +5486,18 @@ If you disable this policy setting, HTML fonts are prevented from downloading.
If you do not configure this policy setting, HTML fonts can be downloaded automatically.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Allow font downloads*
- GP name: *IZ_PolicyFontDownload_9*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
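Review bot: This three-paragraph TIP is added verbatim here and in every other ADMX-backed entry in the patch, so any later correction has to be repeated in each copy. Move it into a shared include file and reference it from each policy section, which also keeps the wording from drifting between zones.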
@@ -3564,13 +5517,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -3585,10 +5538,18 @@ If you disable this policy setting, the possibly harmful navigations are prevent
If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
- GP name: *IZ_PolicyZoneElevationURLaction_9*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
@@ -3608,13 +5569,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -3629,10 +5590,18 @@ If you disable this policy setting, Internet Explorer will not execute unsigned
If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_9*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
@@ -3652,13 +5621,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -3673,10 +5642,18 @@ If you disable this policy setting, the user cannot run scriptlets.
If you do not configure this policy setting, the user can enable or disable scriptlets.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Allow scriptlets*
- GP name: *IZ_Policy_AllowScriptlets_9*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
@@ -3696,13 +5673,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -3719,10 +5696,18 @@ If you do not configure this policy setting, the user can choose whether SmartSc
Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Turn on SmartScreen Filter scan*
- GP name: *IZ_Policy_Phishing_9*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
@@ -3742,13 +5727,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -3763,23 +5748,62 @@ If you disable this policy setting, users cannot preserve information in the bro
If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Userdata persistence*
- GP name: *IZ_PolicyUserdataPersistence_9*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls**
+**InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Don't run antimalware programs against ActiveX controls*
- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_9*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
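Review bot: `LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls` gets an edition table and the TIP but no description, so the entry runs from the table straight into ADMX Info. The GP name is phrased as a negative ("Don't run antimalware programs against ActiveX controls"), so a reader cannot tell from this section whether enabling the policy turns the antimalware check off or on; add the enabled/disabled/not-configured paragraphs that the neighbouring entries have. The `-`/`+` pair on the heading line shows identical text, so confirm that change is intentional and not stray whitespace.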
@@ -3799,13 +5823,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -3822,23 +5846,62 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar
If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_9*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/LocalMachineZoneJavaPermissions**
+**InternetExplorer/LocalMachineZoneJavaPermissions**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Java permissions*
- GP name: *IZ_PolicyJavaPermissions_9*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
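Review bot: `LocalMachineZoneJavaPermissions` is added with no description between the edition table and the TIP. The TIP only says the policy is enabled or disabled through SyncML; for a setting named "Java permissions" the section should state what the policy accepts and what happens when it is not configured, as the surrounding entries do for their settings.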
@@ -3858,13 +5921,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -3879,10 +5942,18 @@ If you disable this policy setting, users cannot open windows and frames to acce
If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Navigate windows and frames across different domains*
- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_9*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
@@ -3902,13 +5973,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -3923,10 +5994,18 @@ If you disable this policy setting, users cannot load a page in the zone that us
If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Access data sources across domains*
- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_2*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -3946,13 +6025,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -3967,10 +6046,18 @@ If you disable this policy setting, ActiveX control installations will be blocke
If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Automatic prompting for ActiveX controls*
- GP name: *IZ_PolicyNotificationBarActiveXURLaction_2*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -3990,13 +6077,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -4009,10 +6096,18 @@ If you enable this setting, users will receive a file download dialog for automa
If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Automatic prompting for file downloads*
- GP name: *IZ_PolicyNotificationBarDownloadURLaction_2*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -4032,13 +6127,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -4053,10 +6148,18 @@ If you disable this policy setting, HTML fonts are prevented from downloading.
If you do not configure this policy setting, HTML fonts can be downloaded automatically.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Allow font downloads*
- GP name: *IZ_PolicyFontDownload_2*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -4076,13 +6179,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -4097,10 +6200,18 @@ If you disable this policy setting, the possibly harmful navigations are prevent
If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
- GP name: *IZ_PolicyZoneElevationURLaction_2*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -4120,13 +6231,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -4141,10 +6252,18 @@ If you disable this policy setting, Internet Explorer will not execute unsigned
If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_2*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -4164,13 +6283,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -4185,10 +6304,18 @@ If you disable this policy setting, the user cannot run scriptlets.
If you do not configure this policy setting, the user can enable or disable scriptlets.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Allow scriptlets*
- GP name: *IZ_Policy_AllowScriptlets_2*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -4208,13 +6335,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -4231,10 +6358,18 @@ If you do not configure this policy setting, the user can choose whether SmartSc
Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Turn on SmartScreen Filter scan*
- GP name: *IZ_Policy_Phishing_2*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -4254,13 +6389,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -4275,10 +6410,18 @@ If you disable this policy setting, users cannot preserve information in the bro
If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Userdata persistence*
- GP name: *IZ_PolicyUserdataPersistence_2*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
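Review bot: The empty `+` lines between "> This is an ADMX-backed policy ..." and "> You must specify ..." (and again before "> The payload of the SyncML ...") end the blockquote, so only the first paragraph belongs to the `[!TIP]` callout and the other two render as separate plain quotes. Use a `>` on the separator lines if all three paragraphs are meant to be one tip.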
@@ -4298,13 +6441,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -4321,23 +6464,62 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar
If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_2*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/LockedDownInternetZoneJavaPermissions**
+**InternetExplorer/LockedDownInternetZoneJavaPermissions**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Java permissions*
- GP name: *IZ_PolicyJavaPermissions_2*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
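Review bot: Missing documentation for **InternetExplorer/LockedDownInternetZoneJavaPermissions**: the entry goes from the edition table straight to the ADMX tip and "ADMX Info", with no text saying what the policy does when enabled, disabled or not configured. The neighbouring entries in this hunk all have that description; add one here before the tip.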
@@ -4357,13 +6539,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -4378,10 +6560,18 @@ If you disable this policy setting, users cannot open windows and frames to acce
If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Navigate windows and frames across different domains*
- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_2*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
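Review bot: Typo in the context line directly above the added tip: "from othe domains" should read "from other domains". Since this hunk already touches the entry, fix it in the same pass; the same sentence appears with the same typo in the Locked-Down Intranet Zone and Locked-Down Local Machine Zone versions of this policy.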
@@ -4401,13 +6591,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -4422,10 +6612,18 @@ If you disable this policy setting, users cannot load a page in the zone that us
If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Access data sources across domains*
- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_4*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
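Review bot: The added sentence "there are a variety of online encoders that you can use" sends administrators to unnamed third-party sites to encode policy payloads. Suggest rewording to recommend a local XML-escaping step (or CDATA, which the next sentence already covers) so that policy content does not have to be pasted into an external service.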
@@ -4445,13 +6643,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -4466,10 +6664,18 @@ If you disable this policy setting, ActiveX control installations will be blocke
If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Automatic prompting for ActiveX controls*
- GP name: *IZ_PolicyNotificationBarActiveXURLaction_4*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
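Review bot: The CDATA reference in the added line links to `http://www.w3.org/TR/REC-xml/#sec-cdata-sect` over plain HTTP. Use the `https://` form of the W3C URL here and in the other copies of this paragraph.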
@@ -4489,13 +6695,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -4508,10 +6714,18 @@ If you enable this setting, users will receive a file download dialog for automa
If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Automatic prompting for file downloads*
- GP name: *IZ_PolicyNotificationBarDownloadURLaction_4*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
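Review bot: Style point on the "ADMX Info" list that gains the "GP path" bullet: the first bullet reads "GP english name", with "English" in lower case. Capitalise it while the list is being edited so the four labels are consistent.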
@@ -4531,13 +6745,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -4552,10 +6766,18 @@ If you disable this policy setting, HTML fonts are prevented from downloading.
If you do not configure this policy setting, HTML fonts can be downloaded automatically.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Allow font downloads*
- GP name: *IZ_PolicyFontDownload_4*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
@@ -4575,13 +6797,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -4596,10 +6818,18 @@ If you disable this policy setting, the possibly harmful navigations are prevent
If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
- GP name: *IZ_PolicyZoneElevationURLaction_4*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
@@ -4619,13 +6849,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -4640,10 +6870,18 @@ If you disable this policy setting, Internet Explorer will not execute unsigned
If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_4*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
@@ -4663,13 +6901,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -4684,10 +6922,18 @@ If you disable this policy setting, the user cannot run scriptlets.
If you do not configure this policy setting, the user can enable or disable scriptlets.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Allow scriptlets*
- GP name: *IZ_Policy_AllowScriptlets_4*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
@@ -4707,13 +6953,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -4730,10 +6976,18 @@ If you do not configure this policy setting, the user can choose whether SmartSc
Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Turn on SmartScreen Filter scan*
- GP name: *IZ_Policy_Phishing_4*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
@@ -4753,13 +7007,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -4774,10 +7028,18 @@ If you disable this policy setting, users cannot preserve information in the bro
If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Userdata persistence*
- GP name: *IZ_PolicyUserdataPersistence_4*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
@@ -4797,13 +7059,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -4820,10 +7082,18 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar
If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_4*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
@@ -4843,13 +7113,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -4864,10 +7134,18 @@ If you disable this policy setting, users cannot open windows and frames to acce
If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Navigate windows and frames across different domains*
- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_4*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
@@ -4887,13 +7165,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -4908,10 +7186,18 @@ If you disable this policy setting, users cannot load a page in the zone that us
If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Access data sources across domains*
- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_10*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
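Review bot: The three-paragraph ADMX note added here is a verbatim copy of the one added in every other hunk of this file, so any wording or link fix has to be repeated in each copy. Consider moving it into a single shared include, or stating it once at the top of the Internet Explorer section and linking to it from each policy.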
@@ -4931,13 +7217,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -4952,10 +7238,18 @@ If you disable this policy setting, ActiveX control installations will be blocke
If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Automatic prompting for ActiveX controls*
- GP name: *IZ_PolicyNotificationBarActiveXURLaction_10*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
@@ -4975,13 +7269,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -4994,10 +7288,18 @@ If you enable this setting, users will receive a file download dialog for automa
If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Automatic prompting for file downloads*
- GP name: *IZ_PolicyNotificationBarDownloadURLaction_10*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
@@ -5017,13 +7319,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -5038,10 +7340,18 @@ If you disable this policy setting, HTML fonts are prevented from downloading.
If you do not configure this policy setting, HTML fonts can be downloaded automatically.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Allow font downloads*
- GP name: *IZ_PolicyFontDownload_10*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
@@ -5061,13 +7371,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -5082,10 +7392,18 @@ If you disable this policy setting, the possibly harmful navigations are prevent
If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
- GP name: *IZ_PolicyZoneElevationURLaction_10*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
@@ -5105,13 +7423,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -5126,10 +7444,18 @@ If you disable this policy setting, Internet Explorer will not execute unsigned
If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_10*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
@@ -5149,13 +7475,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -5170,10 +7496,18 @@ If you disable this policy setting, the user cannot run scriptlets.
If you do not configure this policy setting, the user can enable or disable scriptlets.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Allow scriptlets*
- GP name: *IZ_Policy_AllowScriptlets_10*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
@@ -5193,13 +7527,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -5216,10 +7550,18 @@ If you do not configure this policy setting, the user can choose whether SmartSc
Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Turn on SmartScreen Filter scan*
- GP name: *IZ_Policy_Phishing_10*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
@@ -5239,13 +7581,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -5260,10 +7602,18 @@ If you disable this policy setting, users cannot preserve information in the bro
If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Userdata persistence*
- GP name: *IZ_PolicyUserdataPersistence_10*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
@@ -5283,13 +7633,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -5306,23 +7656,62 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar
If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_10*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/LockedDownLocalMachineZoneJavaPermissions**
+**InternetExplorer/LockedDownLocalMachineZoneJavaPermissions**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Java permissions*
- GP name: *IZ_PolicyJavaPermissions_10*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
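Review bot: the bare `+` blank lines between the three `>` paragraphs of each added TIP end the blockquote, so only the first paragraph ("This is an ADMX-backed policy...") is inside the `[!TIP]` callout and the `<Format>` and XML-encoding paragraphs render as separate plain quotes. Both TIP blocks visible in this part of the hunk (above the *IZ_PolicyScriptActiveXNotMarkedSafe_10* and *IZ_PolicyJavaPermissions_10* entries) have the problem; put a `>` on the separator lines so each callout stays one block.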
@@ -5342,13 +7731,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -5363,10 +7752,18 @@ If you disable this policy setting, users cannot open windows and frames to acce
If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Navigate windows and frames across different domains*
- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_10*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
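Review bot: the context line at the top of this hunk reads "from othe domains"; since the change already edits this entry, fix the typo to "other domains" in the same commit. The same sentence recurs in the Locked-Down Trusted Sites entry for *Navigate windows and frames across different domains*.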
@@ -5386,13 +7783,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -5407,10 +7804,18 @@ If you disable this policy setting, users cannot load a page in the zone that us
If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Access data sources across domains*
- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_8*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
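Review bot: in the second added TIP paragraph, `<Format>chr</Format>` is written as bare markup, so a Markdown renderer can treat it as an inline HTML element and show only "chr". Wrap the element in backticks so readers see the literal tag they have to put in the SyncML.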
@@ -5430,13 +7835,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -5451,10 +7856,18 @@ If you disable this policy setting, ActiveX control installations will be blocke
If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Automatic prompting for ActiveX controls*
- GP name: *IZ_PolicyNotificationBarActiveXURLaction_8*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
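Review bot: the third added paragraph points readers at "a variety of online encoders" for XML-encoding the payload, which invites admins to paste device-management payloads into third-party sites. Lead with the CDATA option or a local encoding step instead, and drop the online-encoder suggestion or limit it to payloads that carry no tenant-specific values.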
@@ -5474,13 +7887,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -5493,10 +7906,18 @@ If you enable this setting, users will receive a file download dialog for automa
If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Automatic prompting for file downloads*
- GP name: *IZ_PolicyNotificationBarDownloadURLaction_8*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
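Review bot: the CDATA Sections link in the last added paragraph uses `http://www.w3.org/TR/REC-xml/#sec-cdata-sect`; switch it to the `https://` form of the same URL so the reference is not fetched in clear text.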
@@ -5516,13 +7937,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -5537,10 +7958,18 @@ If you disable this policy setting, HTML fonts are prevented from downloading.
If you do not configure this policy setting, users are queried whether to allow HTML fonts to download.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Allow font downloads*
- GP name: *IZ_PolicyFontDownload_8*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
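Review bot: the three-paragraph TIP added here is a verbatim copy of the one added to every other ADMX-backed entry in this file, so any later correction has to be made in each copy. Keep the text in one shared include, or in one section that each entry links to, and reference it from the entries.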
@@ -5560,13 +7989,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -5581,10 +8010,18 @@ If you disable this policy setting, the possibly harmful navigations are prevent
If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
- GP name: *IZ_PolicyZoneElevationURLaction_8*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -5604,13 +8041,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -5625,10 +8062,18 @@ If you disable this policy setting, Internet Explorer will not execute unsigned
If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_8*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -5648,13 +8093,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -5669,10 +8114,18 @@ If you disable this policy setting, the user cannot run scriptlets.
If you do not configure this policy setting, the user can enable or disable scriptlets.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Allow scriptlets*
- GP name: *IZ_Policy_AllowScriptlets_8*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -5692,13 +8145,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -5715,10 +8168,18 @@ If you do not configure this policy setting, the user can choose whether SmartSc
Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Turn on SmartScreen Filter scan*
- GP name: *IZ_Policy_Phishing_8*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
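Review bot: the context line "Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content." now sits directly above the new `> [!TIP]` callout as plain text. Convert it to the matching note callout so the two read consistently and the note is not mistaken for part of the policy description.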
@@ -5738,13 +8199,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -5759,10 +8220,18 @@ If you disable this policy setting, users cannot preserve information in the bro
If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Userdata persistence*
- GP name: *IZ_PolicyUserdataPersistence_8*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -5782,13 +8251,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -5805,23 +8274,62 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar
If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_8*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions**
+**InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Java permissions*
- GP name: *IZ_PolicyJavaPermissions_8*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
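Review bot: the **InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions** entry in this hunk goes from its heading and edition list (Home through Mobile Enterprise) straight to the TIP and ADMX Info, with no text visible that says what enabling, disabling or not configuring the policy does. The neighbouring entries all carry that description; add one here, since *Java permissions* alone does not tell an admin which setting is the restrictive one.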
@@ -5841,13 +8349,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -5862,10 +8370,18 @@ If you disable this policy setting, users cannot open other windows and frames f
If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Navigate windows and frames across different domains*
- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_8*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -5885,13 +8401,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -5906,10 +8422,18 @@ If you disable this policy setting, users cannot load a page in the zone that us
If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Access data sources across domains*
- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_6*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -5929,13 +8453,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -5950,10 +8474,18 @@ If you disable this policy setting, ActiveX control installations will be blocke
If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Automatic prompting for ActiveX controls*
- GP name: *IZ_PolicyNotificationBarActiveXURLaction_6*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -5973,13 +8505,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -5992,10 +8524,18 @@ If you enable this setting, users will receive a file download dialog for automa
If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Automatic prompting for file downloads*
- GP name: *IZ_PolicyNotificationBarDownloadURLaction_6*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -6015,13 +8555,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -6036,10 +8576,18 @@ If you disable this policy setting, HTML fonts are prevented from downloading.
If you do not configure this policy setting, HTML fonts can be downloaded automatically.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Allow font downloads*
- GP name: *IZ_PolicyFontDownload_6*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -6059,13 +8607,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -6080,10 +8628,18 @@ If you disable this policy setting, the possibly harmful navigations are prevent
If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
- GP name: *IZ_PolicyZoneElevationURLaction_6*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -6103,13 +8659,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -6124,10 +8680,18 @@ If you disable this policy setting, Internet Explorer will not execute unsigned
If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_6*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -6147,13 +8711,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -6168,10 +8732,18 @@ If you disable this policy setting, the user cannot run scriptlets.
If you do not configure this policy setting, the user can enable or disable scriptlets.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Allow scriptlets*
- GP name: *IZ_Policy_AllowScriptlets_6*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -6191,13 +8763,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -6214,10 +8786,18 @@ If you do not configure this policy setting, the user can choose whether SmartSc
Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Turn on SmartScreen Filter scan*
- GP name: *IZ_Policy_Phishing_6*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -6237,13 +8817,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -6258,10 +8838,18 @@ If you disable this policy setting, users cannot preserve information in the bro
If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Userdata persistence*
- GP name: *IZ_PolicyUserdataPersistence_6*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -6281,13 +8869,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -6304,23 +8892,62 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar
If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_6*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions**
+**InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Java permissions*
- GP name: *IZ_PolicyJavaPermissions_6*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -6340,13 +8967,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -6361,127 +8988,414 @@ If you disable this policy setting, users cannot open windows and frames to acce
If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Navigate windows and frames across different domains*
- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_6*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses**
+**InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Internet Explorer Processes*
- GP name: *IESF_PolicyExplorerProcesses_3*
+- GP path: *Windows Components/Internet Explorer/Security Features/MK Protocol Security Restriction*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses**
+**InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Internet Explorer Processes*
- GP name: *IESF_PolicyExplorerProcesses_6*
+- GP path: *Windows Components/Internet Explorer/Security Features/Mime Sniffing Safety Feature*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/NotificationBarInternetExplorerProcesses**
+**InternetExplorer/NotificationBarInternetExplorerProcesses**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Internet Explorer Processes*
- GP name: *IESF_PolicyExplorerProcesses_10*
+- GP path: *Windows Components/Internet Explorer/Security Features/Notification bar*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/PreventManagingSmartScreenFilter**
+**InternetExplorer/PreventManagingSmartScreenFilter**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
-- GP english name: *Download signed ActiveX controls*
-- GP name: *IZ_PolicyDownloadSignedActiveX_1*
+- GP english name: *Prevent managing SmartScreen Filter*
+- GP name: *Disable_Managing_Safety_Filter_IE9*
+- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/PreventPerUserInstallationOfActiveXControls**
+**InternetExplorer/PreventPerUserInstallationOfActiveXControls**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Prevent per-user installation of ActiveX controls*
- GP name: *DisablePerUserActiveXInstall*
+- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses**
+**InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *All Processes*
- GP name: *IESF_PolicyAllProcesses_9*
+- GP path: *Windows Components/Internet Explorer/Security Features/Protection From Zone Elevation*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls**
+**InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Remove "Run this time" button for outdated ActiveX controls in Internet Explorer *
- GP name: *VerMgmtDisableRunThisTime*
+- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses**
+**InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *All Processes*
- GP name: *IESF_PolicyAllProcesses_11*
+- GP path: *Windows Components/Internet Explorer/Security Features/Restrict ActiveX Install*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/RestrictFileDownloadInternetExplorerProcesses**
+**InternetExplorer/RestrictFileDownloadInternetExplorerProcesses**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *All Processes*
- GP name: *IESF_PolicyAllProcesses_12*
+- GP path: *Windows Components/Internet Explorer/Security Features/Restrict File Download*
- GP ADMX file name: *inetres.admx*
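Review bot: The GP mapping for three of the `...InternetExplorerProcesses` policies in this hunk does not match their names. `ProtectionFromZoneElevationInternetExplorerProcesses`, `RestrictActiveXInstallInternetExplorerProcesses` and `RestrictFileDownloadInternetExplorerProcesses` are listed with GP english name *All Processes* and GP names `IESF_PolicyAllProcesses_9`, `IESF_PolicyAllProcesses_11` and `IESF_PolicyAllProcesses_12`, while the sibling MK Protocol, Mime Sniffing and Notification bar entries use *Internet Explorer Processes* and `IESF_PolicyExplorerProcesses_N`. Since the hunk already touches these blocks to add the GP path, please confirm the names against inetres.admx and correct them here if they are wrong, because the two GP settings are distinct. Minor: the GP english name for `RemoveRunThisTimeButtonForOutdatedActiveXControls` has a space before the closing `*`, which stops the emphasis from closing.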
@@ -6501,13 +9415,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -6522,23 +9436,62 @@ If you disable this policy setting, users cannot load a page in the zone that us
If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Access data sources across domains*
- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/RestrictedSitesZoneAllowActiveScripting**
+**InternetExplorer/RestrictedSitesZoneAllowActiveScripting**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Allow active scripting*
-- GP name: *IZ_PolicyActiveScripting_1*
+- GP name: *IZ_PolicyActiveScripting_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
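Review bot: The added `RestrictedSitesZoneAllowActiveScripting` entry goes from the edition table straight to the TIP with no description, while *Access data sources across domains* just above it in the same hunk spells out the enabled, disabled and not-configured behaviour. For a Restricted Sites Zone setting the not-configured default is what a reader needs to know before deploying it; please add the description text, or a note that it is pending, ahead of the TIP.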
@@ -6558,13 +9511,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -6579,10 +9532,18 @@ If you disable this policy setting, ActiveX control installations will be blocke
If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Automatic prompting for ActiveX controls*
- GP name: *IZ_PolicyNotificationBarActiveXURLaction_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
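Review bot: The third TIP paragraph added here tells readers to XML-encode the SyncML payload with "a variety of online encoders". Policy payloads can carry organization-specific values, so third-party web tools are not something this page should steer admins toward. Suggest leading with the CDATA option and naming a local way to do the encoding, or dropping the online-encoder clause.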
@@ -6602,13 +9563,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -6621,62 +9582,194 @@ If you enable this setting, users will receive a file download dialog for automa
If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Automatic prompting for file downloads*
- GP name: *IZ_PolicyNotificationBarDownloadURLaction_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors**
+**InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Allow binary and script behaviors*
-- GP name: *IZ_PolicyBinaryBehaviors_1*
+- GP name: *IZ_PolicyBinaryBehaviors_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript**
+**InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Allow cut, copy or paste operations from the clipboard via script*
- GP name: *IZ_PolicyAllowPasteViaScript_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles**
+**InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Allow drag and drop or copy and paste files*
- GP name: *IZ_PolicyDropOrPasteFiles_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/RestrictedSitesZoneAllowFileDownloads**
+**InternetExplorer/RestrictedSitesZoneAllowFileDownloads**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Allow file downloads*
-- GP name: *IZ_PolicyFileDownload_1*
+- GP name: *IZ_PolicyFileDownload_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
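Review bot: The same three-paragraph TIP is pasted verbatim under every entry in this hunk (five times here, and again in each neighbouring hunk), so any later wording or link change has to be repeated in every copy. Consider moving it into a single include referenced from each policy, or stating it once at the top of the InternetExplorer section.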
@@ -6696,13 +9789,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -6717,29 +9810,18 @@ If you disable this policy setting, HTML fonts are prevented from downloading.
If you do not configure this policy setting, users are queried whether to allow HTML fonts to download.
-
-
-**InternetExplorer/RestrictedSitesZoneAllowFontDownloadsWRONG1**
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
-
ADMX Info:
- GP english name: *Allow font downloads*
- GP name: *IZ_PolicyFontDownload_7*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/RestrictedSitesZoneAllowFontDownloadsWRONG2**
-
-
-
-
-ADMX Info:
-- GP english name: *Allow font downloads*
-- GP name: *IZ_PolicyFontDownload_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
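Review bot: Removing the `RestrictedSitesZoneAllowFontDownloadsWRONG1` and `RestrictedSitesZoneAllowFontDownloadsWRONG2` headings also removes their anchors; please check that no index or cross-link elsewhere in the docs still points at them. The surviving block keeps `IZ_PolicyFontDownload_7` and drops the `IZ_PolicyFontDownload_1` entry, which is consistent with the `_7` suffix on the other Restricted Sites Zone entries.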
@@ -6759,13 +9841,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -6780,36 +9862,106 @@ If you disable this policy setting, the possibly harmful navigations are prevent
If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
- GP name: *IZ_PolicyZoneElevationURLaction_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles**
+**InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Allow loading of XAML files*
- GP name: *IZ_Policy_XAML_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH**
+**InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Allow META REFRESH*
-- GP name: *IZ_PolicyAllowMETAREFRESH_1*
+- GP name: *IZ_PolicyAllowMETAREFRESH_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
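Review bot: The `IZ_PolicyAllowMETAREFRESH_1` to `IZ_PolicyAllowMETAREFRESH_7` change near the end of this hunk is a content correction buried among roughly a hundred lines of mechanical TIP and GP path additions. Please call out the GP name corrections in the commit message, or split them into their own commit, so they can be reviewed and reverted independently of the boilerplate.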
@@ -6829,13 +9981,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -6850,62 +10002,194 @@ If you disable this policy setting, Internet Explorer will not execute unsigned
If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls**
+**InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Allow only approved domains to use ActiveX controls without prompt*
- GP name: *IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Restricted*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl**
+**InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Allow only approved domains to use the TDC ActiveX control*
- GP name: *IZ_PolicyAllowTDCControl_Both_Restricted*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows**
+**InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Allow script-initiated windows without size or position constraints*
- GP name: *IZ_PolicyWindowsRestrictionsURLaction_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls**
+**InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Allow scripting of Internet Explorer WebBrowser controls*
- GP name: *IZ_Policy_WebBrowserControl_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
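Review bot: In each TIP block added in this hunk, the bare `+` lines between the three `>` paragraphs end the blockquote, so only the "This is an ADMX-backed policy" sentence stays inside the `[!TIP]` callout and the Format and encoding paragraphs will normally render as separate plain quotes. Put `>` on the separator lines so all three paragraphs belong to one callout. `<Format>chr</Format>` is also written as raw markup; wrapping it in backticks keeps a renderer from treating it as a tag and dropping it.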
@@ -6925,13 +10209,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -6946,10 +10230,18 @@ If you disable this policy setting, the user cannot run scriptlets.
If you do not configure this policy setting, the user can enable or disable scriptlets.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Allow scriptlets*
- GP name: *IZ_Policy_AllowScriptlets_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
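Review bot: The third TIP paragraph added here (the same text is repeated for every policy in this patch) tells admins to XML-encode the SyncML payload with "a variety of online encoders", which means pasting device-policy payloads into third-party sites. I'd reword it to lead with CDATA or a local XML-escaping step and drop the online-encoder suggestion. The CDATA reference can also use `https://` instead of `http://www.w3.org/...`.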
@@ -6969,13 +10261,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -6992,23 +10284,62 @@ If you do not configure this policy setting, the user can choose whether SmartSc
Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Turn on SmartScreen Filter scan*
- GP name: *IZ_Policy_Phishing_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript**
+**InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Allow updates to status bar via script*
- GP name: *IZ_Policy_ScriptStatusBar_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -7028,13 +10359,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -7049,101 +10380,370 @@ If you disable this policy setting, users cannot preserve information in the bro
If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Userdata persistence*
- GP name: *IZ_PolicyUserdataPersistence_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls**
+**InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Don't run antimalware programs against ActiveX controls*
- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls**
+**InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Download signed ActiveX controls*
- GP name: *IZ_PolicyDownloadSignedActiveX_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls**
+**InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Download unsigned ActiveX controls*
- GP name: *IZ_PolicyDownloadUnsignedActiveX_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows**
+**InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP english name: *Turn on Cross-Site Scripting Filter*
+- GP name: *IZ_PolicyTurnOnXSSFilter_Both_Restricted*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Enable dragging of content from different domains across windows*
- GP name: *IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Restricted*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows**
+**InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Enable dragging of content from different domains within a window*
- GP name: *IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Restricted*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/RestrictedSitesZoneEnableMIMESniffing**
+**InternetExplorer/RestrictedSitesZoneEnableMIMESniffing**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Enable MIME Sniffing*
- GP name: *IZ_PolicyMimeSniffingURLaction_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer**
+**InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Include local path when user is uploading files to a server*
- GP name: *IZ_Policy_LocalPathForUpload_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
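Review bot: The sections touched in this hunk from `RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls` through `RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer` go from the edition table straight into the TIP and `ADMX Info:`, with no text on what enabling, disabling or not configuring the setting does, unlike the userdata persistence entry in the leading context of the hunk. For names such as "Don't run antimalware programs against ActiveX controls" or "Download unsigned ActiveX controls" the secure state is not obvious from the title alone, so please add the enable/disable/not-configured description to each section while the GP path is being filled in.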
@@ -7163,13 +10763,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -7186,49 +10786,150 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar
If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/RestrictedSitesZoneJavaPermissions**
+**InternetExplorer/RestrictedSitesZoneJavaPermissions**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Java permissions*
- GP name: *IZ_PolicyJavaPermissions_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME**
+**InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Launching applications and files in an IFRAME*
- GP name: *IZ_PolicyLaunchAppsAndFilesInIFRAME_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/RestrictedSitesZoneLogonOptions**
+**InternetExplorer/RestrictedSitesZoneLogonOptions**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Logon options*
- GP name: *IZ_PolicyLogon_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
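Review bot: For `RestrictedSitesZoneJavaPermissions` and `RestrictedSitesZoneLogonOptions` the boilerplate TIP only describes a SyncML format "to enable or disable" and links to `#enabling-a-policy`, but "Java permissions" and "Logon options" read as settings that take a chosen value rather than an on/off switch. If that is the case, these two sections should name the data element and the allowed values the payload needs, or link to where they are documented, so an admin does not push an enabled policy with an unintended option.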
@@ -7248,13 +10949,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -7269,140 +10970,458 @@ If you disable this policy setting, users cannot open other windows and frames f
If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Navigate windows and frames across different domains*
- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFramesAcrossDomains**
+**InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFramesAcrossDomains**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Navigate windows and frames across different domains*
-- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_1*
+- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins**
+**InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Run ActiveX controls and plugins*
-- GP name: *IZ_PolicyRunActiveXControls_1*
+- GP name: *IZ_PolicyRunActiveXControls_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode**
+**InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Run .NET Framework-reliant components signed with Authenticode*
- GP name: *IZ_PolicySignedFrameworkComponentsURLaction_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting**
+**InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Script ActiveX controls marked safe for scripting*
-- GP name: *IZ_PolicyScriptActiveXMarkedSafe_1*
+- GP name: *IZ_PolicyScriptActiveXMarkedSafe_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/RestrictedSitesZoneWRONG**
+**InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Scripting of Java applets*
-- GP name: *IZ_PolicyScriptingOfJavaApplets_6*
+- GP name: *IZ_PolicyScriptingOfJavaApplets_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/RestrictedSitesZoneWRONG2**
+**InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Show security warning for potentially unsafe files*
- GP name: *IZ_Policy_UnsafeFiles_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/RestrictedSitesZoneWRONG3**
+**InternetExplorer/RestrictedSitesZoneTurnOnCrossSiteScriptingFilter**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Turn on Cross-Site Scripting Filter*
- GP name: *IZ_PolicyTurnOnXSSFilter_Both_Restricted*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/RestrictedSitesZoneWRONG4**
+**InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Turn on Protected Mode*
- GP name: *IZ_Policy_TurnOnProtectedMode_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/RestrictedSitesZoneWRONG5**
+**InternetExplorer/RestrictedSitesZoneUsePopupBlocker**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Use Pop-up Blocker*
- GP name: *IZ_PolicyBlockPopupWindows_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses**
+**InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *All Processes*
- GP name: *IESF_PolicyAllProcesses_8*
+- GP path: *Windows Components/Internet Explorer/Security Features/Scripted Window Security Restrictions*
- GP ADMX file name: *inetres.admx*
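Review bot: In the added tip blocks (for example under RestrictedSitesZoneTurnOnProtectedMode and RestrictedSitesZoneUsePopupBlocker), the `> [!TIP]` callout is separated from the two following `>` paragraphs by bare blank lines, so Markdown closes the blockquote after the first paragraph. The "You must specify the data type in the SyncML" and "The payload of the SyncML must be XML-encoded" paragraphs then render as separate plain quotes outside the tip. Put a lone `>` on each separator line so all three paragraphs stay in one callout. The same fix applies to every copy of this block in the patch.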
@@ -7422,13 +11441,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -7441,36 +11460,106 @@ If you enable this policy setting, the user cannot configure the list of search
If you disable or do not configure this policy setting, the user can configure his or her list of search providers.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Restrict search providers to a specific list*
- GP name: *SpecificSearchProvider*
+- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/SecurityZonesUseOnlyMachineSettings**
+**InternetExplorer/SecurityZonesUseOnlyMachineSettings**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Security Zones: Use only machine settings *
- GP name: *Security_HKLM_only*
+- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/SpecifyUseOfActiveXInstallerService**
+**InternetExplorer/SpecifyUseOfActiveXInstallerService**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Specify use of ActiveX Installer Service for installation of ActiveX controls*
- GP name: *OnlyUseAXISForActiveXInstall*
+- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
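Review bot: The added entries for SecurityZonesUseOnlyMachineSettings and SpecifyUseOfActiveXInstallerService go straight from the edition table to the tip and ADMX Info with no description of what enabling or disabling the policy does, unlike the search-provider entry at the top of this hunk ("If you disable or do not configure this policy setting, the user can configure his or her list of search providers."). Both settings affect security behavior, so add the enabled, disabled and not-configured paragraphs before the tip. Separately, in the context line `- GP english name: *Security Zones: Use only machine settings *` the space before the closing asterisk stops the emphasis from closing; drop it while this block is being edited.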
@@ -7490,13 +11579,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -7511,10 +11600,18 @@ If you disable this policy setting, users cannot load a page in the zone that us
If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Access data sources across domains*
- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_5*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -7534,13 +11631,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -7555,10 +11652,18 @@ If you disable this policy setting, ActiveX control installations will be blocke
If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Automatic prompting for ActiveX controls*
- GP name: *IZ_PolicyNotificationBarActiveXURLaction_5*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -7578,13 +11683,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -7597,10 +11702,18 @@ If you enable this setting, users will receive a file download dialog for automa
If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Automatic prompting for file downloads*
- GP name: *IZ_PolicyNotificationBarDownloadURLaction_5*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -7620,13 +11733,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -7641,10 +11754,18 @@ If you disable this policy setting, HTML fonts are prevented from downloading.
If you do not configure this policy setting, HTML fonts can be downloaded automatically.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Allow font downloads*
- GP name: *IZ_PolicyFontDownload_5*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -7664,13 +11785,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -7685,10 +11806,18 @@ If you disable this policy setting, the possibly harmful navigations are prevent
If you do not configure this policy setting, a warning is issued to the user that potentially risky navigation is about to occur.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
- GP name: *IZ_PolicyZoneElevationURLaction_5*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -7708,13 +11837,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -7729,10 +11858,18 @@ If you disable this policy setting, Internet Explorer will not execute unsigned
If you do not configure this policy setting, Internet Explorer will execute unsigned managed components.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_5*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -7752,13 +11889,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -7773,10 +11910,18 @@ If you disable this policy setting, the user cannot run scriptlets.
If you do not configure this policy setting, the user can enable or disable scriptlets.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Allow scriptlets*
- GP name: *IZ_Policy_AllowScriptlets_5*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -7796,13 +11941,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -7819,10 +11964,18 @@ If you do not configure this policy setting, the user can choose whether SmartSc
Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Turn on SmartScreen Filter scan*
- GP name: *IZ_Policy_Phishing_5*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -7842,13 +11995,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -7863,10 +12016,106 @@ If you disable this policy setting, users cannot preserve information in the bro
If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Userdata persistence*
- GP name: *IZ_PolicyUserdataPersistence_5*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP english name: *Don't run antimalware programs against ActiveX controls*
+- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_5*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/TrustedSitesZoneDontRunAntimalwareProgramsAgainstActiveXControls**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP english name: *Don't run antimalware programs against ActiveX controls*
+- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_5*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
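Review bot: The two new headings in this hunk, TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls and TrustedSitesZoneDontRunAntimalwareProgramsAgainstActiveXControls, carry identical ADMX Info (GP name IZ_PolicyAntiMalwareCheckingOfActiveXControls_5, same GP path), and nothing says how they differ or which one an MDM profile should set. If one is an alias or is being retired, say so under its heading; otherwise keep a single entry. Neither entry has a description, and because the GP English name is phrased as a negative ("Don't run antimalware programs against ActiveX controls"), the text should state explicitly what enabled and disabled mean for scanning in the Trusted Sites zone.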
@@ -7886,13 +12135,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -7909,23 +12158,150 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar
If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_5*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
-**InternetExplorer/TrustedSitesZoneJavaPermissions**
+**InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedAsSafe**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP english name: *Initialize and script ActiveX controls not marked as safe*
+- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_5*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedSafe**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP english name: *Initialize and script ActiveX controls not marked as safe*
+- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_5*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/TrustedSitesZoneJavaPermissions**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Java permissions*
- GP name: *IZ_PolicyJavaPermissions_5*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
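Review bot: Three ADMX Info blocks in this hunk map to GP name IZ_PolicyScriptActiveXNotMarkedSafe_5: the existing one at the top, then the new TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedAsSafe and TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedSafe headings, which differ only by "As". Pick the canonical policy name and either drop the others or label them as aliases, since a near-identical name is easy to get wrong in a profile and the reader cannot tell which one the device honors. The two new headings and the re-added TrustedSitesZoneJavaPermissions heading also have no description between the edition table and the tip.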
@@ -7945,13 +12321,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -7966,36 +12342,18 @@ If you disable this policy setting, users cannot open windows and frames to acce
If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Navigate windows and frames across different domains*
- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_5*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/TrustedSitesZoneWRONG1**
-
-
-
-
-ADMX Info:
-- GP english name: *Don't run antimalware programs against ActiveX controls*
-- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_5*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/TrustedSitesZoneWRONG2**
-
-
-
-
-ADMX Info:
-- GP english name: *Initialize and script ActiveX controls not marked as safe*
-- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_5*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
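Review bot: The context line at the top of this hunk reads "users can open windows and frames from othe domains"; "othe" should be "other", and since this entry is already being edited for the GP path line it is a good place to fix it. Removing the TrustedSitesZoneWRONG1 and TrustedSitesZoneWRONG2 placeholder headings looks right, as their GP names (IZ_PolicyAntiMalwareCheckingOfActiveXControls_5 and IZ_PolicyScriptActiveXNotMarkedSafe_5) now appear under named entries earlier in the file.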
diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md
index a8fbdb51d5..f415128684 100644
--- a/windows/client-management/mdm/policy-csp-kerberos.md
+++ b/windows/client-management/mdm/policy-csp-kerberos.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - Kerberos
@@ -33,13 +34,13 @@ author: nickbrower
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -52,10 +53,18 @@ If you enable this policy setting, the Kerberos client searches the forests in t
If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Use forest search order*
- GP name: *ForestSearch*
+- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
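Review bot: The tip added here tells readers that "there are a variety of online encoders that you can use" to XML-encode the SyncML payload, which steers admins toward pasting device management configuration into third-party websites they do not control. Suggest leading with the CDATA option the same sentence already mentions, or describing a local way to escape the payload, and dropping the online-encoder wording. The CDATA Sections link also uses http://www.w3.org/TR/REC-xml/#sec-cdata-sect; switch it to https. Both points apply to every copy of this tip in the patch.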
@@ -75,13 +84,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -93,10 +102,18 @@ If you enable this policy setting, the client computers will request claims, pro
If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Kerberos client support for claims, compound authentication and Kerberos armoring*
- GP name: *EnableCbacAndArmor*
+- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
@@ -116,13 +133,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -139,10 +156,18 @@ Note: The Kerberos Group Policy "Kerberos client support for claims, compound au
If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Fail authentication requests when Kerberos armoring is not available*
- GP name: *ClientRequireFast*
+- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
@@ -162,13 +187,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -181,10 +206,18 @@ If you enable this policy setting, the Kerberos client requires that the KDC's X
If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can be issued to any server.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Require strict KDC validation*
- GP name: *ValidateKDC*
+- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
@@ -204,13 +237,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -227,10 +260,18 @@ If you disable or do not configure this policy setting, the Kerberos client or s
Note: This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Set maximum Kerberos SSPI context token buffer size*
- GP name: *MaxTokenSize*
+- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
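Review bot: The tip added above the ADMX Info list duplicates, word for word, the one added under *ValidateKDC* earlier in this file, and the same three paragraphs recur for the other ADMX-backed policies in this patch. Keeping a single copy (a shared include, or one note near the top of each page) would mean the wording only has to be corrected once; as pasted, every copy carries the same blank-line break inside the callout and the same unescaped `<Format>chr</Format>`.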
diff --git a/windows/client-management/mdm/policy-csp-licensing.md b/windows/client-management/mdm/policy-csp-licensing.md
index 8c80b8d3a3..e0cc238f3e 100644
--- a/windows/client-management/mdm/policy-csp-licensing.md
+++ b/windows/client-management/mdm/policy-csp-licensing.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - Licensing
diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
new file mode 100644
index 0000000000..e24b65ed09
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
@@ -0,0 +1,1025 @@
+---
+title: Policy CSP - LocalPoliciesSecurityOptions
+description: Policy CSP - LocalPoliciesSecurityOptions
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 08/09/2017
+---
+
+# Policy CSP - LocalPoliciesSecurityOptions
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## LocalPoliciesSecurityOptions policies
+
+
+**LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+This policy setting prevents users from adding new Microsoft accounts on this computer.
+
+If you select the "Users cannot add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise.
+
+If you select the "Users cannot add or log on with Microsoft accounts" option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system.
+
+If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows.
+
+Valid values:
+- 0 - disabled (users will be able to use Microsoft accounts with Windows)
+- 1 - enabled (users cannot add Microsoft accounts)
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+This security setting determines whether the local Administrator account is enabled or disabled.
+
+If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot reenable the account. In this case, an alternative member of the Administrators group must reset the password on the Administrator account. For information about how to reset a password, see To reset a password.
+Disabling the Administrator account can become a maintenance issue under certain circumstances.
+
+Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administrator accounts. If the computer is domain joined the disabled administrator will not be enabled.
+
+Default: Disabled.
+Valid values:
+- 0 - local Administrator account is disabled
+- 1 - local Administrator account is enabled
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+This security setting determines if the Guest account is enabled or disabled.
+
+Default: Disabled.
+Valid values:
+- 0 - local Guest account is disabled
+- 1 - local Guest account is enabled
+
+Note: If the Guest account is disabled and the security option Network Access: Sharing and Security Model for local accounts is set to Guest Only, network logons, such as those performed by the Microsoft Network Server (SMB Service), will fail.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+Accounts: Limit local account use of blank passwords to console logon only
+
+This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard.
+
+Default: Enabled.
+Valid values:
+- 0 - disabled - local accounts that are not password protected can be used to log on from locations other than the physical computer console
+- 1 - enabled - local accounts that are not password protected will only be able to log on at the computer's keyboard
+
+Warning:
+
+Computers that are not in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the computer can log on by using a user account that does not have a password. This is especially important for portable computers.
+If you apply this security policy to the Everyone group, no one will be able to log on through Remote Desktop Services.
+
+This setting does not affect logons that use domain accounts.
+It is possible for applications that use remote interactive logons to bypass this setting.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+Accounts: Rename administrator account
+
+This security setting determines whether a different account name is associated with the security identifier (SID) for the account Administrator. Renaming the well-known Administrator account makes it slightly more difficult for unauthorized persons to guess this privileged user name and password combination.
+
+Default: Administrator.
+
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+Accounts: Rename guest account
+
+This security setting determines whether a different account name is associated with the security identifier (SID) for the account "Guest." Renaming the well-known Guest account makes it slightly more difficult for unauthorized persons to guess this user name and password combination.
+
+Default: Guest.
+
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+Interactive Logon:Display user information when the session is locked
+
+Valid values:
+- 1 - User display name, domain and user names
+- 2 - User display name only
+- 3 - Do not display user information
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+Interactive logon: Don't display last signed-in
+
+This security setting determines whether the Windows sign-in screen will show the username of the last person who signed in on this PC.
+If this policy is enabled, the username will not be shown.
+
+If this policy is disabled, the username will be shown.
+
+Default: Disabled.
+Valid values:
+- 0 - disabled (username will be shown)
+- 1 - enabled (username will not be shown)
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+Interactive logon: Don't display username at sign-in
+
+This security setting determines whether the username of the person signing in to this PC appears at Windows sign-in, after credentials are entered, and before the PC desktop is shown.
+
+If this policy is enabled, the username will not be shown.
+
+If this policy is disabled, the username will be shown.
+
+Default: Disabled.
+Valid values:
+- 0 - disabled (username will be shown)
+- 1 - enabled (username will not be shown)
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/InteractiveLogon_DoNotRequireCTRLALTDEL**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+Interactive logon: Do not require CTRL+ALT+DEL
+
+This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on.
+
+If this policy is enabled on a computer, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the users' passwords. Requiring CTRL+ALT+DEL before users log on ensures that users are communicating by means of a trusted path when entering their passwords.
+
+If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to Windows.
+
+Default on domain-computers: Enabled: At least Windows 8/Disabled: Windows 7 or earlier.
+Default on stand-alone computers: Enabled.
+Valid values:
+- 0 - disabled
+- 1 - enabled (a user is not required to press CTRL+ALT+DEL to log on)
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+Interactive logon: Machine inactivity limit.
+
+Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session.
+
+Default: not enforced.
+Valid values:
+- 0 - disabled
+- 1 - enabled (session will lock after amount of inactive time exceeds the inactivity limit)
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+Interactive logon: Message text for users attempting to log on
+
+This security setting specifies a text message that is displayed to users when they log on.
+
+This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited.
+
+Default: No message.
+
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+Interactive logon: Message title for users attempting to log on
+
+This security setting allows the specification of a title to appear in the title bar of the window that contains the Interactive logon: Message text for users attempting to log on.
+
+Default: No message.
+
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+Network security: Allow PKU2U authentication requests to this computer to use online identities.
+
+This policy will be turned off by default on domain joined machines. This would prevent online identities from authenticating to the domain joined machine.
+
+Valid values:
+- 0 - disabled
+- 1 - enabled (allow PKU2U authentication requests to this computer to use online identities.)
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+Recovery console: Allow automatic administrative logon
+
+This security setting determines if the password for the Administrator account must be given before access to the system is granted. If this option is enabled, the Recovery Console does not require you to provide a password, and it automatically logs on to the system.
+
+Default: This policy is not defined and automatic administrative logon is not allowed.
+Valid values:
+- 0 - disabled
+- 1 - enabled (allow automatic administrative logon)
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+Shutdown: Allow system to be shut down without having to log on
+
+This security setting determines whether a computer can be shut down without having to log on to Windows.
+
+When this policy is enabled, the Shut Down command is available on the Windows logon screen.
+
+When this policy is disabled, the option to shut down the computer does not appear on the Windows logon screen. In this case, users must be able to log on to the computer successfully and have the Shut down the system user right before they can perform a system shutdown.
+
+Default on workstations: Enabled.
+Default on servers: Disabled.
+Valid values:
+- 0 - disabled
+- 1 - enabled (allow system to be shut down without having to log on)
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/TBUserAccountControl_RunAllAdministratorsInAdminApprovalModeD**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+User Account Control: Turn on Admin Approval Mode
+
+This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer.
+
+The options are:
+- 0 - Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced.
+- 1 - Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode.
+
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop.
+
+This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user.
+
+Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop.
+
+Disabled: (Default)
+Valid values:
+- 0 - disabled
+- 1 - enabled (allow UIAccess applications to prompt for elevation without using the secure desktop)
+
+The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
+
+This policy setting controls the behavior of the elevation prompt for administrators.
+
+The options are:
+
+• Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments.
+
+• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege.
+
+• Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
+
+• Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
+
+• Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
+
+• Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+User Account Control: Behavior of the elevation prompt for standard users
+This policy setting controls the behavior of the elevation prompt for standard users.
+
+The options are:
+
+• Prompt for credentials: (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
+
+• Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls.
+
+• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+User Account Control: Only elevate executable files that are signed and validated
+
+This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers.
+
+The options are:
+- 0 - Disabled: (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run.
+- 1 - Enabled: Enforces the PKI certification path validation for a given executable file before it is permitted to run.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+User Account Control: Only elevate UIAccess applications that are installed in secure locations
+
+This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following:
+
+- …\Program Files\, including subfolders
+- …\Windows\system32\
+- …\Program Files (x86)\, including subfolders for 64-bit versions of Windows
+
+Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting.
+
+The options are:
+- 0 - Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system.
+- 1 - Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+User Account Control: Switch to the secure desktop when prompting for elevation
+
+This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop.
+
+The options are:
+- 0 - Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used.
+- 1 - Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+User Account Control: Virtualize file and registry write failures to per-user locations
+
+This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software.
+
+The options are:
+- 0 - Disabled: Applications that write data to protected locations fail.
+- 1 - Enabled: (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
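Review bot: Several policies in this new file declare an integer value type but never say which integers are valid. *UserAccountControl_BehaviorOfTheElevationPromptForAdministrators* and *UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers* list their options as unnumbered bullets, so an admin cannot tell which value selects "Elevate without prompting" and which selects a secure-desktop prompt; add the numeric value to each bullet as the other policies do. *Accounts_BlockMicrosoftAccounts* describes a "Users cannot add or log on with Microsoft accounts" option but documents only 0 and 1, and *InteractiveLogon_MachineInactivityLimit* talks about an inactivity limit while offering only 0 and 1, with no indication of where the limit itself is set. Smaller points: the name *TBUserAccountControl_RunAllAdministratorsInAdminApprovalModeD* does not match the `UserAccountControl_` prefix of its siblings and looks like a typo; "see To reset a password" under *Accounts_EnableAdministratorAccountStatus* is a link that lost its target; the "Value type is integer" line under *Accounts_BlockMicrosoftAccounts* needs a blank line before it so it does not run into the list; and the Enabled text for *UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations* reads "it runs only with UIAccess integrity" where the intent is that the application gets UIAccess integrity only if it resides in a secure location.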
diff --git a/windows/client-management/mdm/policy-csp-location.md b/windows/client-management/mdm/policy-csp-location.md
index f645587446..2b3d3a2b35 100644
--- a/windows/client-management/mdm/policy-csp-location.md
+++ b/windows/client-management/mdm/policy-csp-location.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - Location
diff --git a/windows/client-management/mdm/policy-csp-lockdown.md b/windows/client-management/mdm/policy-csp-lockdown.md
index 25dc0413fe..c207e57f39 100644
--- a/windows/client-management/mdm/policy-csp-lockdown.md
+++ b/windows/client-management/mdm/policy-csp-lockdown.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - LockDown
diff --git a/windows/client-management/mdm/policy-csp-maps.md b/windows/client-management/mdm/policy-csp-maps.md
index 71023a8d83..9e719e5b3b 100644
--- a/windows/client-management/mdm/policy-csp-maps.md
+++ b/windows/client-management/mdm/policy-csp-maps.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - Maps
diff --git a/windows/client-management/mdm/policy-csp-messaging.md b/windows/client-management/mdm/policy-csp-messaging.md
index 0cb1012fa9..1734984fd4 100644
--- a/windows/client-management/mdm/policy-csp-messaging.md
+++ b/windows/client-management/mdm/policy-csp-messaging.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - Messaging
diff --git a/windows/client-management/mdm/policy-csp-networkisolation.md b/windows/client-management/mdm/policy-csp-networkisolation.md
index 8c7f783b3c..fba5342cac 100644
--- a/windows/client-management/mdm/policy-csp-networkisolation.md
+++ b/windows/client-management/mdm/policy-csp-networkisolation.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - NetworkIsolation
diff --git a/windows/client-management/mdm/policy-csp-notifications.md b/windows/client-management/mdm/policy-csp-notifications.md
index 1ba72d35a8..a1c092d0df 100644
--- a/windows/client-management/mdm/policy-csp-notifications.md
+++ b/windows/client-management/mdm/policy-csp-notifications.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - Notifications
diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md
index b0b74a08f2..24bb80fa7e 100644
--- a/windows/client-management/mdm/policy-csp-power.md
+++ b/windows/client-management/mdm/policy-csp-power.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - Power
@@ -34,12 +35,12 @@ author: nickbrower
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
@@ -52,10 +53,18 @@ If you enable or do not configure this policy setting, Windows uses standby stat
If you disable this policy setting, standby states (S1-S3) are not allowed.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Allow standby states (S1-S3) when sleeping (plugged in)*
- GP name: *AllowStandbyStatesAC_2*
+- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
@@ -76,12 +85,12 @@ ADMX Info:
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
@@ -96,10 +105,18 @@ ADMX Info:
If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Turn off the display (on battery)*
- GP name: *VideoPowerDownTimeOutDC_2*
+- GP path: *System/Power Management/Video and Display Settings*
- GP ADMX file name: *power.admx*
@@ -120,12 +137,12 @@ ADMX Info:
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
@@ -140,10 +157,18 @@ ADMX Info:
If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Turn off the display (plugged in)*
- GP name: *VideoPowerDownTimeOutAC_2*
+- GP path: *System/Power Management/Video and Display Settings*
- GP ADMX file name: *power.admx*
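Review bot: In the added line "You must specify the data type in the SyncML as <Format>chr</Format>", the element is written as raw markup, which a Markdown renderer treats as inline HTML, so readers are likely to see only "chr". Wrap it in backticks (`<Format>chr</Format>`) here and in the other copies of this tip.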
@@ -164,12 +189,12 @@ ADMX Info:
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
@@ -185,10 +210,18 @@ ADMX Info:
If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Specify the system hibernate timeout (on battery)*
- GP name: *DCHibernateTimeOut_2*
+- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
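Review bot: The context paragraph directly above the new tip still reads "prevent the sleep transition from occuring". Since this hunk already edits that spot, correct it to "occurring" in the same change. The same spelling appears in the context of the other hibernate and sleep timeout hunks in this file.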
@@ -209,12 +242,12 @@ ADMX Info:
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
@@ -229,10 +262,18 @@ ADMX Info:
If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Specify the system hibernate timeout (plugged in)*
- GP name: *ACHibernateTimeOut_2*
+- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
@@ -253,12 +294,12 @@ ADMX Info:
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
@@ -271,10 +312,18 @@ If you enable or do not configure this policy setting, the user is prompted for
If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Require a password when a computer wakes (on battery)*
- GP name: *DCPromptForPasswordOnResume_2*
+- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
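Review bot: The added tip tells administrators that "there are a variety of online encoders that you can use" to XML-encode the SyncML payload, which steers policy content (here, a password-on-resume setting) into third-party web pages. Suggest recommending a local XML-escaping step or the CDATA route the next sentence already mentions, and dropping the reference to online encoders. The CDATA link in the same line is written as `http://www.w3.org/...`; an https URL would be preferable.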
@@ -295,12 +344,12 @@ ADMX Info:
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
@@ -313,10 +362,18 @@ If you enable or do not configure this policy setting, the user is prompted for
If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Require a password when a computer wakes (plugged in)*
- GP name: *ACPromptForPasswordOnResume_2*
+- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
@@ -337,12 +394,12 @@ ADMX Info:
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
@@ -357,10 +414,18 @@ ADMX Info:
If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Specify the system sleep timeout (on battery)*
- GP name: *DCStandbyTimeOut_2*
+- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
@@ -381,12 +446,12 @@ ADMX Info:
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
@@ -401,10 +466,18 @@ ADMX Info:
If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Specify the system sleep timeout (plugged in)*
- GP name: *ACStandbyTimeOut_2*
+- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
diff --git a/windows/client-management/mdm/policy-csp-printers.md b/windows/client-management/mdm/policy-csp-printers.md
index ac4e6f725f..7d17fff50b 100644
--- a/windows/client-management/mdm/policy-csp-printers.md
+++ b/windows/client-management/mdm/policy-csp-printers.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - Printers
@@ -34,12 +35,12 @@ author: nickbrower
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
@@ -65,6 +66,13 @@ If you disable this policy setting:
-The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs).
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Point and Print Restrictions*
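Review bot: The ADMX Info list under this hunk (GP english name *Point and Print Restrictions*) gets no "- GP path:" line, while the matching list in the `@@ -120,10 +128,18 @@` hunk adds "+- GP path: *Control Panel/Printers*". The line counts here (6 to 13) are accounted for by the tip alone. The `@@ -164,6 +180,13 @@` hunk for *Allow printers to be published* has the same gap. Either add the GP path to both lists or note in the commit message why these two are left out.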
@@ -74,7 +82,7 @@ ADMX Info:
-**Printers/PointAndPrintRestrictions_User**
+**Printers/PointAndPrintRestrictions_User**
@@ -89,12 +97,12 @@ ADMX Info:
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
@@ -120,10 +128,18 @@ If you disable this policy setting:
-The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs).
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Point and Print Restrictions*
- GP name: *PointAndPrint_Restrictions*
+- GP path: *Control Panel/Printers*
- GP ADMX file name: *Printing.admx*
@@ -144,12 +160,12 @@ ADMX Info:
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
@@ -164,6 +180,13 @@ If you disable this setting, this computer's shared printers cannot be published
Note: This settings takes priority over the setting "Automatically publish new printers in the Active Directory".
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Allow printers to be published*
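Review bot: The context line just above the new tip reads "Note: This settings takes priority over the setting ..."; "This settings" should be "This setting", and it is worth fixing while this section is being edited.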
diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md
index 6436a76202..b2969151a6 100644
--- a/windows/client-management/mdm/policy-csp-privacy.md
+++ b/windows/client-management/mdm/policy-csp-privacy.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - Privacy
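Review bot: The added `ms.date: 08/09/2017` is ambiguous to a reader (9 August or 8 September). Confirm which format the docs metadata expects and state the convention in the commit message, since the same value is added to every file in this patch.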
diff --git a/windows/client-management/mdm/policy-csp-remoteassistance.md b/windows/client-management/mdm/policy-csp-remoteassistance.md
index bae354870c..b8964b01a1 100644
--- a/windows/client-management/mdm/policy-csp-remoteassistance.md
+++ b/windows/client-management/mdm/policy-csp-remoteassistance.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - RemoteAssistance
@@ -33,13 +34,13 @@ author: nickbrower
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -58,10 +59,18 @@ If you disable this policy setting, the user sees the default warning message.
If you do not configure this policy setting, the user sees the default warning message.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Customize warning messages*
- GP name: *RA_Options*
+- GP path: *System/Remote Assistance*
- GP ADMX file name: *remoteassistance.admx*
@@ -81,13 +90,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -102,10 +111,18 @@ If you disable this policy setting, log files are not generated.
If you do not configure this setting, application-based settings are used.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Turn on session logging*
- GP name: *RA_Logging*
+- GP path: *System/Remote Assistance*
- GP ADMX file name: *remoteassistance.admx*
@@ -125,13 +142,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -154,10 +171,18 @@ The "Select the method for sending email invitations" setting specifies which em
If you enable this policy setting you should also enable appropriate firewall exceptions to allow Remote Assistance communications.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Configure Solicited Remote Assistance*
- GP name: *RA_Solicit*
+- GP path: *System/Remote Assistance*
- GP ADMX file name: *remoteassistance.admx*
@@ -177,13 +202,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -229,10 +254,18 @@ Port 135:TCP
Allow Remote Desktop Exception
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Configure Offer Remote Assistance*
- GP name: *RA_Unsolicit*
+- GP path: *System/Remote Assistance*
- GP ADMX file name: *remoteassistance.admx*
diff --git a/windows/client-management/mdm/policy-csp-remotedesktopservices.md b/windows/client-management/mdm/policy-csp-remotedesktopservices.md
index c73c7a4093..fc802cbca7 100644
--- a/windows/client-management/mdm/policy-csp-remotedesktopservices.md
+++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - RemoteDesktopServices
@@ -33,13 +34,13 @@ author: nickbrower
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -58,10 +59,18 @@ Note: You can limit which clients are able to connect remotely by using Remote D
You can limit the number of users who can connect simultaneously by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Limit number of connections, or by configuring the policy setting Maximum Connections by using the Remote Desktop Session Host WMI Provider.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Allow users to connect remotely by using Remote Desktop Services*
- GP name: *TS_DISABLE_CONNECTIONS*
+- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Connections*
- GP ADMX file name: *terminalserver.admx*
@@ -81,13 +90,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -110,10 +119,18 @@ Important
FIPS compliance can be configured through the System cryptography. Use FIPS compliant algorithms for encryption, hashing, and signing settings in Group Policy (under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.) The FIPS compliant setting encrypts and decrypts data sent from the client to the server and from the server to the client, with the Federal Information Processing Standard (FIPS) 140 encryption algorithms, by using Microsoft cryptographic modules. Use this encryption level when communications between clients and RD Session Host servers requires the highest level of encryption.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Set client connection encryption level*
- GP name: *TS_ENCRYPTION_POLICY*
+- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security*
- GP ADMX file name: *terminalserver.admx*
@@ -133,13 +150,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -156,10 +173,18 @@ If you disable this policy setting, client drive redirection is always allowed.
If you do not configure this policy setting, client drive redirection and Clipboard file copy redirection are not specified at the Group Policy level.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Do not allow drive redirection*
- GP name: *TS_CLIENT_DRIVE_M*
+- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource Redirection*
- GP ADMX file name: *terminalserver.admx*
@@ -179,13 +204,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -198,10 +223,18 @@ If you enable this setting the password saving checkbox in Remote Desktop Connec
If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Do not allow passwords to be saved*
- GP name: *TS_CLIENT_DISABLE_PASSWORD_SAVING_2*
+- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Connection Client*
- GP ADMX file name: *terminalserver.admx*
@@ -221,13 +254,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -246,10 +279,18 @@ If you disable this policy setting, users can always log on to Remote Desktop Se
If you do not configure this policy setting, automatic logon is not specified at the Group Policy level.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Always prompt for password upon connection*
- GP name: *TS_PASSWORD*
+- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security*
- GP ADMX file name: *terminalserver.admx*
@@ -269,13 +310,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -294,10 +335,18 @@ If the status is set to Not Configured, unsecured communication is allowed.
Note: The RPC interface is used for administering and configuring Remote Desktop Services.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Require secure RPC communication*
- GP name: *TS_RPC_ENCRYPTION*
+- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security*
- GP ADMX file name: *terminalserver.admx*
diff --git a/windows/client-management/mdm/policy-csp-remotemanagement.md b/windows/client-management/mdm/policy-csp-remotemanagement.md
index 4c0d02a0fb..b1cd0e9207 100644
--- a/windows/client-management/mdm/policy-csp-remotemanagement.md
+++ b/windows/client-management/mdm/policy-csp-remotemanagement.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - RemoteManagement
@@ -19,196 +20,661 @@ author: nickbrower
## RemoteManagement policies
-**RemoteManagement/AllowBasicAuthentication_Client**
+**RemoteManagement/AllowBasicAuthentication_Client**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Allow Basic authentication*
- GP name: *AllowBasic_2*
+- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-**RemoteManagement/AllowBasicAuthentication_Service**
+**RemoteManagement/AllowBasicAuthentication_Service**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Allow Basic authentication*
- GP name: *AllowBasic_1*
+- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-**RemoteManagement/AllowCredSSPAuthenticationClient**
+**RemoteManagement/AllowCredSSPAuthenticationClient**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-ADMX Info:
-- GP english name: *Allow CredSSP authentication*
-- GP name: *AllowCredSSP_1*
-- GP ADMX file name: *WindowsRemoteManagement.admx*
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-
-
-**RemoteManagement/AllowCredSSPAuthenticationService**
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
-
ADMX Info:
- GP english name: *Allow CredSSP authentication*
- GP name: *AllowCredSSP_2*
+- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-**RemoteManagement/AllowRemoteServerManagement**
+**RemoteManagement/AllowCredSSPAuthenticationService**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP english name: *Allow CredSSP authentication*
+- GP name: *AllowCredSSP_1*
+- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
+- GP ADMX file name: *WindowsRemoteManagement.admx*
+
+
+
+
+**RemoteManagement/AllowRemoteServerManagement**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Allow remote server management through WinRM*
- GP name: *AllowAutoConfig*
+- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-**RemoteManagement/AllowUnencryptedTraffic_Client**
+**RemoteManagement/AllowUnencryptedTraffic_Client**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Allow unencrypted traffic*
- GP name: *AllowUnencrypted_2*
+- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-**RemoteManagement/AllowUnencryptedTraffic_Service**
+**RemoteManagement/AllowUnencryptedTraffic_Service**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Allow unencrypted traffic*
- GP name: *AllowUnencrypted_1*
+- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-**RemoteManagement/DisallowDigestAuthentication**
+**RemoteManagement/DisallowDigestAuthentication**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Disallow Digest authentication*
- GP name: *DisallowDigest*
+- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-**RemoteManagement/DisallowNegotiateAuthenticationClient**
+**RemoteManagement/DisallowNegotiateAuthenticationClient**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-ADMX Info:
-- GP english name: *Disallow Negotiate authentication*
-- GP name: *DisallowNegotiate_1*
-- GP ADMX file name: *WindowsRemoteManagement.admx*
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-
-
-**RemoteManagement/DisallowNegotiateAuthenticationService**
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
-
ADMX Info:
- GP english name: *Disallow Negotiate authentication*
- GP name: *DisallowNegotiate_2*
+- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-**RemoteManagement/DisallowStoringOfRunAsCredentials**
+**RemoteManagement/DisallowNegotiateAuthenticationService**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP english name: *Disallow Negotiate authentication*
+- GP name: *DisallowNegotiate_1*
+- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
+- GP ADMX file name: *WindowsRemoteManagement.admx*
+
+
+
+
+**RemoteManagement/DisallowStoringOfRunAsCredentials**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Disallow WinRM from storing RunAs credentials*
- GP name: *DisableRunAs*
+- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-**RemoteManagement/SpecifyChannelBindingTokenHardeningLevel**
+**RemoteManagement/SpecifyChannelBindingTokenHardeningLevel**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Specify channel binding token hardening level*
- GP name: *CBTHardeningLevel_1*
+- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-**RemoteManagement/TrustedHosts**
+**RemoteManagement/TrustedHosts**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Trusted Hosts*
- GP name: *TrustedHosts*
+- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-**RemoteManagement/TurnOnCompatibilityHTTPListener**
+**RemoteManagement/TurnOnCompatibilityHTTPListener**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Turn On Compatibility HTTP Listener*
- GP name: *HttpCompatibilityListener*
+- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
-**RemoteManagement/TurnOnCompatibilityHTTPSListener**
+**RemoteManagement/TurnOnCompatibilityHTTPSListener**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Turn On Compatibility HTTPS Listener*
- GP name: *HttpsCompatibilityListener*
+- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
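Review bot: The tip repeated under each RemoteManagement policy tells admins to use "a variety of online encoders" to XML-encode the SyncML payload, which means pasting policy values (for example the Trusted Hosts list) into a third-party website. Suggest dropping the online-encoder wording and pointing to local escaping or to the CDATA option the same paragraph already mentions. The CDATA link also uses `http://www.w3.org/TR/REC-xml/#sec-cdata-sect`; switch it to https.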
diff --git a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
index 56389b3ae7..00dd1a5001 100644
--- a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
+++ b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - RemoteProcedureCall
@@ -33,13 +34,13 @@ author: nickbrower
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -56,10 +57,18 @@ If you do not configure this policy setting, it remains disabled. RPC clients w
Note: This policy will not be applied until the system is rebooted.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Enable RPC Endpoint Mapper Client Authentication*
- GP name: *RpcEnableAuthEpResolution*
+- GP path: *System/Remote Procedure Call*
- GP ADMX file name: *rpc.admx*
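Review bot: In the added tip, the second and third quoted paragraphs are separated from `> [!TIP]` by bare blank lines, so only the first paragraph belongs to the alert and the "You must specify the data type" and "The payload of the SyncML" paragraphs become separate plain blockquotes. Put `>` on the blank lines between them if all three are meant to render as one tip. Also confirm that `<Format>chr</Format>` renders as literal text; wrapping it in backticks avoids it being parsed as markup.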
@@ -79,13 +88,13 @@ ADMX Info:
Mobile Enterprise
-
1
-
1
-
-
1
-
1
-
1
-
1
+
+
+
+
+
+
+
@@ -110,10 +119,18 @@ If you enable this policy setting, it directs the RPC server runtime to restrict
Note: This policy setting will not be applied until the system is rebooted.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Restrict Unauthenticated RPC clients*
- GP name: *RpcRestrictRemoteClients*
+- GP path: *System/Remote Procedure Call*
- GP ADMX file name: *rpc.admx*
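Review bot: This three-paragraph tip is pasted verbatim a second time in this file, after the identical copy added under RpcEnableAuthEpResolution. Suggest moving it into one shared include so that a later wording fix is made once rather than per policy.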
diff --git a/windows/client-management/mdm/policy-csp-remoteshell.md b/windows/client-management/mdm/policy-csp-remoteshell.md
index 08ec87e539..ddc13e6c8e 100644
--- a/windows/client-management/mdm/policy-csp-remoteshell.md
+++ b/windows/client-management/mdm/policy-csp-remoteshell.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - RemoteShell
@@ -19,92 +20,309 @@ author: nickbrower
## RemoteShell policies
-**RemoteShell/AllowRemoteShellAccess**
+**RemoteShell/AllowRemoteShellAccess**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Allow Remote Shell Access*
- GP name: *AllowRemoteShellAccess*
+- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
-**RemoteShell/MaxConcurrentUsers**
+**RemoteShell/MaxConcurrentUsers**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *MaxConcurrentUsers*
- GP name: *MaxConcurrentUsers*
+- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
-**RemoteShell/SpecifyIdleTimeout**
+**RemoteShell/SpecifyIdleTimeout**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Specify idle Timeout*
- GP name: *IdleTimeout*
+- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
-**RemoteShell/SpecifyMaxMemory**
+**RemoteShell/SpecifyMaxMemory**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Specify maximum amount of memory in MB per Shell*
- GP name: *MaxMemoryPerShellMB*
+- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
-**RemoteShell/SpecifyMaxProcesses**
+**RemoteShell/SpecifyMaxProcesses**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Specify maximum number of processes per Shell*
- GP name: *MaxProcessesPerShell*
+- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
-**RemoteShell/SpecifyMaxRemoteShells**
+**RemoteShell/SpecifyMaxRemoteShells**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Specify maximum number of remote shells per user*
- GP name: *MaxShellsPerUser*
+- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
-**RemoteShell/SpecifyShellTimeout**
+**RemoteShell/SpecifyShellTimeout**
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Specify Shell Timeout*
- GP name: *ShellTimeOut*
+- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
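Review bot: None of the seven RemoteShell policies in this hunk has a description: each goes straight from the heading to the edition table, the ADMX tip and the ADMX Info list. For SpecifyIdleTimeout and SpecifyShellTimeout a reader cannot tell the unit or the default, and for AllowRemoteShellAccess what enabling or disabling does. Suggest adding the Group Policy explain text under each heading, as the RemoteProcedureCall page in this change has.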
diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md
index 73badec791..d5f5c4ad2d 100644
--- a/windows/client-management/mdm/policy-csp-search.md
+++ b/windows/client-management/mdm/policy-csp-search.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - Search
diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md
index b9da338ad1..0472962b49 100644
--- a/windows/client-management/mdm/policy-csp-security.md
+++ b/windows/client-management/mdm/policy-csp-security.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - Security
@@ -215,6 +216,45 @@ author: nickbrower
- 0 – Don't allow Anti Theft Mode.
- 1 (default) – Anti Theft Mode will follow the default device configuration (region-dependent).
+
+
+
+**Security/ClearTPMIfNotReady**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
+
+Added in Windows 10, version 1709. Admin access is required. The prompt will appear on first admin logon after a reboot when the TPM is in a non-ready state that can be remediated with a TPM Clear. The prompt will have a description of what clearing the TPM does and that it requires a reboot. The user can dismiss it, but it will appear on next admin logon after restart.
+
+The following list shows the supported values:
+
+- 0 (default) – Will not force recovery from a non-ready TPM state.
+- 1 – Will prompt to clear the TPM if the TPM is in a non-ready state (or reduced functionality) which can be remediated with a TPM Clear.
+
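Review bot: The ClearTPMIfNotReady description opens with "Admin access is required. The prompt will appear ..." without first saying what the policy does, and "reduced functionality" appears only in the value 1 bullet, not in the description. Suggest a leading sentence stating that the policy controls whether an admin is prompted to clear the TPM, with the same state wording in both places. Since the text relies on the prompt to explain what clearing the TPM does, it would also help to say here that a clear discards keys protected by the TPM, so admins know the impact before setting value 1.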
diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md
index aac7fdd2e4..66b1036ad7 100644
--- a/windows/client-management/mdm/policy-csp-settings.md
+++ b/windows/client-management/mdm/policy-csp-settings.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - Settings
diff --git a/windows/client-management/mdm/policy-csp-smartscreen.md b/windows/client-management/mdm/policy-csp-smartscreen.md
index 968712f98d..f9c43718a4 100644
--- a/windows/client-management/mdm/policy-csp-smartscreen.md
+++ b/windows/client-management/mdm/policy-csp-smartscreen.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - SmartScreen
diff --git a/windows/client-management/mdm/policy-csp-speech.md b/windows/client-management/mdm/policy-csp-speech.md
index b67d1464b7..a8f70bedb6 100644
--- a/windows/client-management/mdm/policy-csp-speech.md
+++ b/windows/client-management/mdm/policy-csp-speech.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - Speech
diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md
index 9c3c33dc73..6c0dd2a75b 100644
--- a/windows/client-management/mdm/policy-csp-start.md
+++ b/windows/client-management/mdm/policy-csp-start.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - Start
@@ -1081,7 +1082,7 @@ author: nickbrower
> [!IMPORTANT]
> Please note that the import happens only when StartLayout policy is changed. So it is better to always change ImportEdgeAssets policy at the same time as StartLayout policy whenever there are Edge secondary tiles to be pinned from StartLayout policy.
-
The value set for this policy is an XML string containing Edge assets. An example XML string is provided in the [Microsoft Edge assets example](#microsoft-edge-assets-example) later in this topic.
+
The value set for this policy is an XML string containing Edge assets. For an example XML string, see [Add image for secondary Microsoft Edge tiles](https://docs.microsoft.com/en-us/windows/configuration/start-secondary-tiles).
To validate on Desktop, do the following:
@@ -1176,7 +1177,7 @@ author: nickbrower
Allows you to override the default Start layout and prevents the user from changing it. If both user and device policies are set, the user policy will be used. Apps pinned to the taskbar can also be changed with this policy
-
This policy is described in [Start/StartLayout Examples](#startlayout-examples) later in this topic.
+
For further details on how to customize the Start layout, please see [Customize and export Start layout](https://docs.microsoft.com/en-us/windows/configuration/customize-and-export-start-layout) and [Configure Windows 10 taskbar](https://docs.microsoft.com/en-us/windows/configuration/configure-windows-10-taskbar).
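Review bot: Both links added here hard-code the `en-us` locale in `https://docs.microsoft.com/en-us/windows/configuration/...`, which pins readers of localized pages to English. Suggest dropping the locale segment or using relative links, as the other links in this change do (`./understanding-admx-backed-policies.md`). The unchanged sentence above also ends without a period ("with this policy").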
diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md
index 7d305a13d9..b0dcf3a30b 100644
--- a/windows/client-management/mdm/policy-csp-storage.md
+++ b/windows/client-management/mdm/policy-csp-storage.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - Storage
@@ -34,8 +35,8 @@ author: nickbrower
-
-
+
+
@@ -52,10 +53,18 @@ If you enable this policy setting, Windows will not activate unactivated Enhance
If you disable or do not configure this policy setting, Windows will activate unactivated Enhanced Storage devices.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Do not allow Windows to activate Enhanced Storage devices*
- GP name: *TCGSecurityActivationDisabled*
+- GP path: *System/Enhanced Storage Access*
- GP ADMX file name: *enhancedstorage.admx*
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md
index bfc21c114d..bd2ca894b5 100644
--- a/windows/client-management/mdm/policy-csp-system.md
+++ b/windows/client-management/mdm/policy-csp-system.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - System
@@ -419,11 +420,11 @@ author: nickbrower
-
-
+
+
@@ -432,6 +433,13 @@ author: nickbrower
N/A
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP name: *POL_DriverLoadPolicy_Name*
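Review bot: The ADMX Info list that follows the new tip starts at `GP name: *POL_DriverLoadPolicy_Name*` with no GP english name entry before it, unlike the other ADMX-backed policies in this change, and the description above the tip is just "N/A". Suggest adding the English name and a real description, since the tip sends readers off to build SyncML for a policy the page does not otherwise explain.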
@@ -505,10 +513,10 @@ ADMX Info:
-
2
-
2
-
2
-
2
+
+
+
+
@@ -529,10 +537,18 @@ If you disable or do not configure this policy setting, users can perform System
Also, see the "Turn off System Restore configuration" policy setting. If the "Turn off System Restore" policy setting is disabled or not configured, the "Turn off System Restore configuration" policy setting is used to determine whether the option to configure System Restore is available.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Turn off System Restore*
- GP name: *SR_DisableSR*
+- GP path: *System/System Restore*
- GP ADMX file name: *systemrestore.admx*
diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md
index 3baa9bb071..8f0523789d 100644
--- a/windows/client-management/mdm/policy-csp-textinput.md
+++ b/windows/client-management/mdm/policy-csp-textinput.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - TextInput
@@ -362,29 +363,6 @@ author: nickbrower
**TextInput/AllowKoreanExtendedHanja**
-
-
-
-
Home
-
Pro
-
Business
-
Enterprise
-
Education
-
Mobile
-
Mobile Enterprise
-
-
-
-
2
-
2
-
2
-
2
-
-
-
-
-
-
This policy has been deprecated.
diff --git a/windows/client-management/mdm/policy-csp-timelanguagesettings.md b/windows/client-management/mdm/policy-csp-timelanguagesettings.md
index c3bcd16106..2ccd9541ad 100644
--- a/windows/client-management/mdm/policy-csp-timelanguagesettings.md
+++ b/windows/client-management/mdm/policy-csp-timelanguagesettings.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - TimeLanguageSettings
@@ -67,8 +68,8 @@ Footnote:
## TimeLanguageSettings policies supported by Microsoft Surface Hub
-- [TimeLanguageSettings/Set24HourClock](#None)
-- [TimeLanguageSettings/SetCountry](#None)
-- [TimeLanguageSettings/SetLanguage](#None)
+- [TimeLanguageSettings/Set24HourClock](#timelanguagesettings-set24hourclock)
+- [TimeLanguageSettings/SetCountry](#timelanguagesettings-setcountry)
+- [TimeLanguageSettings/SetLanguage](#timelanguagesettings-setlanguage)
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index eb5110a19b..f057cd47c6 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - Update
@@ -1110,7 +1111,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
-**Update/PauseFeatureUpdatesStartTime**
+**Update/PauseFeatureUpdatesStartTime**
@@ -1182,7 +1183,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
-**Update/PauseQualityUpdatesStartTime**
+**Update/PauseQualityUpdatesStartTime**
This policy has been deprecated.
diff --git a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
index 7f6d64ab86..b7a99ac6a7 100644
--- a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
+++ b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/06/2017
+ms.date: 08/09/2017
---
# Policy CSP - WindowsDefenderSecurityCenter
@@ -31,7 +31,7 @@ ms.date: 07/06/2017
Enterprise
Education
Mobile
-
MobileEnterprise
+
Mobile Enterprise
@@ -64,7 +64,7 @@ ms.date: 07/06/2017
Enterprise
Education
Mobile
-
MobileEnterprise
+
Mobile Enterprise
@@ -100,7 +100,7 @@ ms.date: 07/06/2017
Enterprise
Education
Mobile
-
MobileEnterprise
+
Mobile Enterprise
@@ -139,7 +139,7 @@ ms.date: 07/06/2017
Enterprise
Education
Mobile
-
MobileEnterprise
+
Mobile Enterprise
@@ -175,7 +175,7 @@ ms.date: 07/06/2017
Enterprise
Education
Mobile
-
MobileEnterprise
+
Mobile Enterprise
@@ -211,7 +211,7 @@ ms.date: 07/06/2017
Enterprise
Education
Mobile
-
MobileEnterprise
+
Mobile Enterprise
@@ -247,7 +247,7 @@ ms.date: 07/06/2017
Enterprise
Education
Mobile
-
MobileEnterprise
+
Mobile Enterprise
@@ -283,7 +283,7 @@ ms.date: 07/06/2017
Enterprise
Education
Mobile
-
MobileEnterprise
+
Mobile Enterprise
@@ -319,7 +319,7 @@ ms.date: 07/06/2017
Enterprise
Education
Mobile
-
MobileEnterprise
+
Mobile Enterprise
@@ -355,7 +355,7 @@ ms.date: 07/06/2017
Enterprise
Education
Mobile
-
MobileEnterprise
+
Mobile Enterprise
@@ -372,7 +372,7 @@ ms.date: 07/06/2017
Added in Windows 10, version 1709. The email address that is displayed to users. The default mail application is used to initiate email actions. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display contact options.
-
Value type is string. Supported operations are Add, Get, Replace and Delete.
+
Value type is string. Supported operations are Add, Get, Replace and Delete.
@@ -388,7 +388,7 @@ ms.date: 07/06/2017
Enterprise
Education
Mobile
-
MobileEnterprise
+
Mobile Enterprise
@@ -409,7 +409,6 @@ ms.date: 07/06/2017
- 0 - (Disable) Notifications contain a default notification text.
- 1 - (Enable) Notifications contain the company name and contact options.
-
@@ -425,7 +424,7 @@ ms.date: 07/06/2017
Enterprise
Education
Mobile
-
MobileEnterprise
+
Mobile Enterprise
@@ -461,7 +460,7 @@ ms.date: 07/06/2017
Enterprise
Education
Mobile
-
MobileEnterprise
+
Mobile Enterprise
@@ -494,7 +493,7 @@ ms.date: 07/06/2017
Enterprise
Education
Mobile
-
MobileEnterprise
+
Mobile Enterprise
@@ -511,7 +510,17 @@ ms.date: 07/06/2017
Added in Windows 10, version 1709. The help portal URL this is displayed to users. The default browser is used to initiate this action. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then the device will not display contact options.
-
Value type is Value type is string. Supported operations are Add, Get, Replace, and Delete.
+
Value type is Value type is string. Supported operations are Add, Get, Replace, and Delete.
-
\ No newline at end of file
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
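Review bot: The re-added `+` line still reads "Value type is Value type is string." with the phrase duplicated; since the line is being touched anyway, change it to "Value type is string." as in the email address description earlier in this file. The context sentence just above it, "The help portal URL this is displayed to users", should read "that is displayed".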
diff --git a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
index edce18a72e..d196f035a8 100644
--- a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
+++ b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - WindowsInkWorkspace
diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md
index 29b2de31e3..cab3989529 100644
--- a/windows/client-management/mdm/policy-csp-windowslogon.md
+++ b/windows/client-management/mdm/policy-csp-windowslogon.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - WindowsLogon
@@ -34,10 +35,10 @@ author: nickbrower
-
1
-
-
1
-
1
+
+
+
+
@@ -52,10 +53,18 @@ If you enable this policy setting, no app notifications are displayed on the loc
If you disable or do not configure this policy setting, users can choose which apps display notifications on the lock screen.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Turn off app notifications on the lock screen*
- GP name: *DisableLockScreenAppNotifications*
+- GP path: *System/Logon*
- GP ADMX file name: *logon.admx*
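Review bot: The third added paragraph tells administrators to XML-encode the SyncML payload with "a variety of online encoders". MDM policy payloads can carry organization-specific configuration, so the text should point to a local way of encoding (or to CDATA, which the paragraph already mentions) rather than to third-party web tools. The CDATA link in the same paragraph uses `http://www.w3.org/...`; use the `https` form.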
@@ -76,10 +85,10 @@ ADMX Info:
-
1
-
-
1
-
1
+
+
+
+
@@ -94,10 +103,18 @@ If you enable this policy setting, the PC's network connectivity state cannot be
If you disable or don't configure this policy setting, any user can disconnect the PC from the network or can connect the PC to other available networks without signing into Windows.
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
- GP english name: *Do not display network selection UI*
- GP name: *DontDisplayNetworkSelectionUI*
+- GP path: *System/Logon*
- GP ADMX file name: *logon.admx*
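Review bot: The three-paragraph tip added here is word for word the same as the one added in the preceding hunk of this file. Pull it into a shared include or a single linked section so a later correction to the SyncML guidance does not have to be repeated under every ADMX-backed policy.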
diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md
index ab4b3cb9d6..3086c439d8 100644
--- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md
+++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md
@@ -6,6 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
+ms.date: 08/09/2017
---
# Policy CSP - WirelessDisplay
@@ -125,7 +126,7 @@ author: nickbrower
-**WirelessDisplay/AllowProjectionToPCOverInfrastructure**
+**WirelessDisplay/AllowProjectionToPCOverInfrastructure**
Added in Windows 10, version 1703.
diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md
index e7cb76d8bc..3654fa873f 100644
--- a/windows/client-management/mdm/surfacehub-csp.md
+++ b/windows/client-management/mdm/surfacehub-csp.md
@@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 06/19/2017
+ms.date: 07/28/2017
---
# SurfaceHub CSP
@@ -127,7 +127,7 @@ The following diagram shows the SurfaceHub CSP management objects in tree format
The data type is char.
-**DeviceAccount/PasswordRotationPeriod**
+**DeviceAccount/PasswordRotationEnabled**
Specifies whether automatic password rotation is enabled. If you enforce a password expiration policy on the device account, use this setting to allow the device to manage its own password by changing it frequently, without requiring you to manually update the account information when the password expires. You can reset the password at any time using Active Directory (or Azure AD).
Valid values:
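Review bot: Check that the tree diagram named in this hunk's context ("The following diagram shows the SurfaceHub CSP management objects in tree format") and any other mentions on the page were updated together with the heading, because only the heading changes here. The new name `DeviceAccount/PasswordRotationEnabled` matches the description ("Specifies whether automatic password rotation is enabled"), and a leftover `PasswordRotationPeriod` elsewhere would lead admins to target a node name the page no longer documents for the device account password.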
diff --git a/windows/client-management/mdm/surfacehub-ddf-file.md b/windows/client-management/mdm/surfacehub-ddf-file.md
index 503965ca62..6447431681 100644
--- a/windows/client-management/mdm/surfacehub-ddf-file.md
+++ b/windows/client-management/mdm/surfacehub-ddf-file.md
@@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 06/19/2017
+ms.date: 07/28/2017
---
# SurfaceHub DDF file
@@ -281,7 +281,7 @@ The XML below is the current version for this CSP.
- PasswordRotationPeriod
+ PasswordRotationEnabled
diff --git a/windows/client-management/mdm/understanding-admx-backed-policies.md b/windows/client-management/mdm/understanding-admx-backed-policies.md
index d905d434f9..b677cdbec2 100644
--- a/windows/client-management/mdm/understanding-admx-backed-policies.md
+++ b/windows/client-management/mdm/understanding-admx-backed-policies.md
@@ -45,7 +45,7 @@ In a domain controller/Group Policy ecosystem, Group Policies are automatically
An ADMX file can either be shipped with Windows (located at `%SystemRoot%\policydefinitions`) or it can be ingested to a device through the Policy CSP URI (`./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`). Inbox ADMX files are processed into MDM policies at OS-build time. ADMX files that are ingested are processed into MDM policies post-OS shipment through the Policy CSP. Because the Policy CSP does not rely upon any aspect of the Group Policy client stack, including the PC’s Group Policy Service (GPSvc), the policy handlers that are ingested to the device are able to react to policies that are set by the MDM.
-Windows maps the name and category path of a Group Policy to a MDM policy area and policy name by parsing the associated ADMX file, finding the specified Group Policy, and storing the definition (metadata) in the MDM Policy CSP client store. When the MDM policy is referenced by a SyncML command and the Policy CSP URI, `.\[device|user]\vendor\msft\policy\[config|result]\\`, this metadata is referenced and determines which registry keys are set or removed. For a list of ADMX-backed policies supported by MDM, see [Policy CSP - ADMX-backed policies](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/policy-admx-backed).
+Windows maps the name and category path of a Group Policy to a MDM policy area and policy name by parsing the associated ADMX file, finding the specified Group Policy, and storing the definition (metadata) in the MDM Policy CSP client store. When the MDM policy is referenced by a SyncML command and the Policy CSP URI, `.\[device|user]\vendor\msft\policy\[config|result]\\`, this metadata is referenced and determines which registry keys are set or removed. For a list of ADMX-backed policies supported by MDM, see [Policy CSP - ADMX-backed policies](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider#admx-backed-policies).
## ADMX files and the Group Policy Editor
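Review bot: The rewritten line keeps the Policy CSP URI as `.\[device|user]\vendor\msft\policy\[config|result]\\`, with backslashes and two empty trailing segments, while the paragraph just above writes the URI with forward slashes (`./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`). The trailing `\\` looks like the area and policy-name placeholders were lost in rendering; restore them in an escaped form and use forward slashes. The new link is an absolute `docs.microsoft.com/en-us/...` URL to what appears to be a page in the same `mdm` folder, so a relative link, as used elsewhere in this change, would avoid pinning the locale. "a MDM policy" should be "an MDM policy".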
@@ -119,7 +119,7 @@ The following SyncML examples describe how to set a MDM policy that is defined b
**Request SyncML**
```XML
-
+2
@@ -169,7 +169,7 @@ The following SyncML examples describe how to set a MDM policy that is defined b
**Request SyncML**
```XML
-
+2
@@ -209,7 +209,7 @@ The following SyncML examples describe how to set a MDM policy that is defined b
**Request SyncML**
```
-
+1
@@ -292,7 +292,7 @@ The `text` element simply corresponds to a string and correspondingly to an edit
```XML
-
+$CmdId$
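Review bot: The new value in this example is the template token `$CmdId$`, while every other SyncML example changed in this file gets a literal value (`2` or `1`). If the token is intentional, state in the surrounding text that it must be replaced before sending; otherwise use a literal so the sample can be pasted as is.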
@@ -333,7 +333,7 @@ The `multiText` element simply corresponds to a REG_MULTISZ registry string and
```XML
-
+2
@@ -377,7 +377,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar
#### Corresponding SyncML:
```XML
-
+2
@@ -409,7 +409,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar
#### Corresponding SyncML:
```XML
-
+2
@@ -466,7 +466,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar
#### Corresponding SyncML:
```XML
-
+2
@@ -503,7 +503,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar
#### Corresponding SyncML:
```XML
-
+2
@@ -552,7 +552,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar
```XML
-
+2
diff --git a/windows/client-management/new-policies-for-windows-10.md b/windows/client-management/new-policies-for-windows-10.md
index 06c0919533..0b67cbdc42 100644
--- a/windows/client-management/new-policies-for-windows-10.md
+++ b/windows/client-management/new-policies-for-windows-10.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# New policies for Windows 10
diff --git a/windows/client-management/reset-a-windows-10-mobile-device.md b/windows/client-management/reset-a-windows-10-mobile-device.md
index ea6eb5cda2..7a13a7bc93 100644
--- a/windows/client-management/reset-a-windows-10-mobile-device.md
+++ b/windows/client-management/reset-a-windows-10-mobile-device.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: mobile
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# Reset a Windows 10 Mobile device
diff --git a/windows/client-management/windows-10-mobile-and-mdm.md b/windows/client-management/windows-10-mobile-and-mdm.md
index 0d6a833f58..390d23a40e 100644
--- a/windows/client-management/windows-10-mobile-and-mdm.md
+++ b/windows/client-management/windows-10-mobile-and-mdm.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: mobile, devices, security
-localizationpriority: high
+ms.localizationpriority: high
author: AMeeus
---
diff --git a/windows/configuration/basic-level-windows-diagnostic-events-and-fields.md b/windows/configuration/basic-level-windows-diagnostic-events-and-fields.md
index 41e39dc306..cb11a4d0d9 100644
--- a/windows/configuration/basic-level-windows-diagnostic-events-and-fields.md
+++ b/windows/configuration/basic-level-windows-diagnostic-events-and-fields.md
@@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
author: eross-msft
ms.author: lizross
---
diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md
index d479183398..9d2b98bf69 100644
--- a/windows/configuration/change-history-for-configure-windows-10.md
+++ b/windows/configuration/change-history-for-configure-windows-10.md
@@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
author: jdeckerms
---
@@ -17,7 +17,11 @@ This topic lists new and updated topics in the [Configure Windows 10](index.md)
## July 2017
| New or changed topic | Description |
| --- | --- |
-|[Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md)|Updated several Appraiser events and added Census.Speech.
+| [Add image for secondary tiles](start-secondary-tiles.md) | Added XML example for Edge secondary tiles and **ImportEdgeAssets** |
+| [Customize and export Start layout](customize-and-export-start-layout.md) | Added explanation for tile behavior when the app is not installed |
+| [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md) | Added that Microsoft Edge is not supported for assigned access |
+|[Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md)|Updated several Appraiser events and added Census.Speech. |
+| [Manage connections from Windows operating system components to Microsoft-services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Updated Date & Time and Windows spotlight sections. |
## June 2017
diff --git a/windows/configuration/changes-to-start-policies-in-windows-10.md b/windows/configuration/changes-to-start-policies-in-windows-10.md
index 0cdcbc76fc..36cb3a412a 100644
--- a/windows/configuration/changes-to-start-policies-in-windows-10.md
+++ b/windows/configuration/changes-to-start-policies-in-windows-10.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# Changes to Group Policy settings for Windows 10 Start
@@ -55,7 +55,7 @@ These policy settings are available in **Administrative Templates\\Start Menu an
Prevent users from customizing their Start Screen
-
Use this policy in conjunction with [CopyProfile](https://go.microsoft.com/fwlink/p/?LinkId=623229) or other methods for configuring the layout of Start to prevent users from changing it
+
Use this policy in conjunction with a [customized Start layout](windows-10-start-layout-options-and-policies.md) to prevent users from changing it
Prevent users from uninstalling applications from Start
diff --git a/windows/configuration/configure-devices-without-mdm.md b/windows/configuration/configure-devices-without-mdm.md
index 93a12aba20..935f14bc0d 100644
--- a/windows/configuration/configure-devices-without-mdm.md
+++ b/windows/configuration/configure-devices-without-mdm.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: mobile, devices
author: jdeckerms
-localizationpriority: medium
+ms.localizationpriority: medium
---
# Configure devices without MDM
diff --git a/windows/configuration/configure-windows-10-taskbar.md b/windows/configuration/configure-windows-10-taskbar.md
index 7b332830bc..3e9fff0d5c 100644
--- a/windows/configuration/configure-windows-10-taskbar.md
+++ b/windows/configuration/configure-windows-10-taskbar.md
@@ -6,7 +6,7 @@ ms.prod: W10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# Configure Windows 10 taskbar
diff --git a/windows/configuration/configure-windows-telemetry-in-your-organization.md b/windows/configuration/configure-windows-telemetry-in-your-organization.md
index 10b155e2d8..1aec75a995 100644
--- a/windows/configuration/configure-windows-telemetry-in-your-organization.md
+++ b/windows/configuration/configure-windows-telemetry-in-your-organization.md
@@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
author: brianlic-msft
---
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-crm.md b/windows/configuration/cortana-at-work/cortana-at-work-crm.md
index a1011e2397..7630406f0d 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-crm.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-crm.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
---
# Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in your organization
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md
index fc46c6b7ee..61bf864982 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
---
# Send feedback about Cortana at work back to Microsoft
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-o365.md b/windows/configuration/cortana-at-work/cortana-at-work-o365.md
index b9b9f1f63c..bffa8f1644 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-o365.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-o365.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
---
# Set up and test Cortana with Office 365 in your organization
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-overview.md b/windows/configuration/cortana-at-work/cortana-at-work-overview.md
index c6a9a191ca..2a3d087da8 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-overview.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-overview.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
---
# Cortana integration in your business or enterprise
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
index 06a4b3cf08..5dd38b8ec8 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
---
# Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md
index 26579a4c9c..1eef8c58d2 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
---
# Set up and test Cortana for Power BI in your organization
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
index 54b801cabc..3d96f92396 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
---
# Test scenario 1 - Sign-in to Azure AD and use Cortana to manage the notebook
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
index af1b1610ae..d51d5c4c88 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
---
# Test scenario 2 - Perform a quick search with Cortana at work
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
index 540ea0bb4b..b04d11d615 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
---
# Test scenario 3 - Set a reminder for a specific location using Cortana at work
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
index cf313aa77c..df57f9ca9d 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
---
# Test scenario 4 - Use Cortana at work to find your upcoming meetings
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
index 5df8bb1b2e..8306c2143a 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
---
# Test scenario 5 - Use Cortana to send email to a co-worker
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
index f369b838fb..1274f67445 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
---
# Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
index 7fff5ef044..051d96937f 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
---
# Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
index fa88b44c54..070192c8e0 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
---
# Testing scenarios using Cortana in your business or organization
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
index def19d5939..0738115be9 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
---
# Set up and test custom voice commands in Cortana for your organization
diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md
index 8a06655003..bad5148d3a 100644
--- a/windows/configuration/customize-and-export-start-layout.md
+++ b/windows/configuration/customize-and-export-start-layout.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# Customize and export Start layout
@@ -40,7 +40,9 @@ You can deploy the resulting .xml file to devices using one of the following met
- [Mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
-## Customize the Start screen on your test computer
+
+
+## Customize the Start screen on your test computer
To prepare a Start layout for export, you simply customize the Start layout on a test computer.
@@ -69,6 +71,11 @@ To prepare a Start layout for export, you simply customize the Start layout on a
- **Resize tiles**. To resize tiles, right-click the tile and then click **Resize.**
- **Create your own app groups**. Drag the apps to an empty area. To name a group, click above the group of tiles and then type the name in the **Name group** field that appears above the group.
+
+>[!IMPORTANT]
+>In Windows 10, version 1703, if the Start layout includes tiles for apps that are not installed on the device that the layout is later applied to, the tiles for those apps will be blank. The blank tiles will persist until the next time the user signs in, at which time the blank tiles are removed. Some system events may cause the blank tiles to be removed before the next sign-in.
+>
+>In earlier versions of Windows 10, no tile would be pinned.
## Export the Start layout
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
index 816c2dfba0..1313186ea4 100644
--- a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# Customize Windows 10 Start and taskbar with Group Policy
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
index 3a731ffc48..544462e2ea 100644
--- a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
-localizationpriority: medium
+ms.localizationpriority: medium
---
# Customize Windows 10 Start and taskbar with mobile device management (MDM)
@@ -16,16 +16,16 @@ localizationpriority: medium
**Applies to**
- Windows 10
-- Windows 10 Mobile
+
>**Looking for consumer information?** [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630)
-In Windows 10 Mobile, Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start and taskbar layout to users. No reimaging is required, and the layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead.
+In Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start and taskbar layout to users. No reimaging is required, and the layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead.
>[!NOTE]
>Support for applying a customized taskbar using MDM is added in Windows 10, version 1703.
-**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions or [create a Start layout XML](mobile-devices/mobile-lockdown-designer.md) for mobile.
+**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions.
>[!WARNING]
>When a full Start layout is applied with this method, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start. When a partial Start layout is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups.
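Review bot: The "Before you begin" line still ends with "for desktop editions" after the mobile alternative was removed, so the qualifier no longer contrasts with anything; drop it or state once, near the top, that the article covers desktop editions only. Under **Applies to**, the `- Windows 10 Mobile` bullet is replaced by an empty added line rather than deleted, which leaves a stray blank line after `- Windows 10`.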
@@ -118,10 +118,9 @@ This example uses Microsoft Intune to configure an MDM policy that applies a cus
| **Setting description** | Provide a description that gives an overview of the setting and other relevant information to help you locate it. |
| **Data type** | **String** |
| **OMA-URI (case sensitive)** | **./User/Vendor/MSFT/Policy/Config/Start/StartLayout** |
- | **Value** | Paste the contents of the Start layout .xml file that you created. |
+ | **Value** | Paste the contents of the Start layout .xml file that you created. |
-
7. Click **OK** to save the setting and return to the **Create Policy** page.
8. Click **Save Policy**.
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
index 2046f28cd5..c4a13cef3a 100644
--- a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
-localizationpriority: medium
+ms.localizationpriority: medium
---
# Customize Windows 10 Start and taskbar with provisioning packages
@@ -16,16 +16,16 @@ localizationpriority: medium
**Applies to**
- Windows 10
-- Windows 10 Mobile
+
>**Looking for consumer information?** [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630)
-In Windows 10 Mobile, Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, version 1703, you can use a provisioning package that you create with Windows Configuration Designer to deploy a customized Start and taskbar layout to users. No reimaging is required, and the Start and taskbar layout can be updated simply by overwriting the .xml file that contains the layout. The provisioning package can be applied to a running device. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead.
+In Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, version 1703, you can use a provisioning package that you create with Windows Configuration Designer to deploy a customized Start and taskbar layout to users. No reimaging is required, and the Start and taskbar layout can be updated simply by overwriting the .xml file that contains the layout. The provisioning package can be applied to a running device. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead.
>[!IMPORTANT]
>If you use a provisioning package to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration and allow users to make changes that will persist, apply your configuration by using Group Policy.
-**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions or [create a Start layout XML](mobile-devices/mobile-lockdown-designer.md) for mobile.
+**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions.
## How Start layout control works
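Review bot: In the rewritten opening sentence, "Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, version 1703" does not make clear whether the version applies to all three editions or only to Education. Since the sentence is being edited anyway, reword it so the version scope is unambiguous, for example "In Windows 10, version 1703 (Pro, Enterprise, and Education editions)". The "Before you begin" line also keeps "for desktop editions" with no mobile alternative left beside it.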
diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md
index ec6199f1a5..963f69e6ae 100644
--- a/windows/configuration/guidelines-for-assigned-access-app.md
+++ b/windows/configuration/guidelines-for-assigned-access-app.md
@@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
ms.author: jdecker
ms.date: 06/29/2017
---
@@ -46,12 +46,11 @@ Avoid selecting Windows apps that are designed to launch other apps as part of t
## Guidelines for web browsers
-Microsoft Edge and any third-party web browsers that can be set as a default browser have special permissions beyond that of most Windows apps.
+Microsoft Edge and any third-party web browsers that can be set as a default browser have special permissions beyond that of most Windows apps. Microsoft Edge is not supported for assigned access.
If you use a web browser as your assigned access app, consider the following tips:
- You can download browsers that are optimized to be used as a kiosk from the Microsoft Store.
-- You can use Group Policy to block access to the file system (network shares, local drives, and local folders) from Internet Explorer’s web address bar.
- You can create your own web browser Windows app by using the WebView class. Learn more about developing your own web browser app:
- [Creating your own browser with HTML and JavaScript](https://blogs.windows.com/msedgedev/2015/08/27/creating-your-own-browser-with-html-and-javascript/)
- [WebView class](https://msdn.microsoft.com/library/windows/apps/windows.ui.xaml.controls.webview.aspx)
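Review bot: The added sentence "Microsoft Edge is not supported for assigned access" sits directly above "If you use a web browser as your assigned access app", so the reader is not told which browsers remain valid choices; say so explicitly, pointing at the kiosk-optimized Store browsers and the WebView option listed below. The removed bullet was the only item in this list about blocking file system access (network shares, local drives, local folders) from a browser's address bar. If it is dropped because it was specific to Internet Explorer, add a replacement line on how a kiosk browser is kept away from local and network paths, so the guidance does not lose that control without comment.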
diff --git a/windows/configuration/index.md b/windows/configuration/index.md
index 1432e34058..df0e8e3a76 100644
--- a/windows/configuration/index.md
+++ b/windows/configuration/index.md
@@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
author: jdeckerms
---
diff --git a/windows/configuration/kiosk-shared-pc.md b/windows/configuration/kiosk-shared-pc.md
index 97daba286f..21d8d0d394 100644
--- a/windows/configuration/kiosk-shared-pc.md
+++ b/windows/configuration/kiosk-shared-pc.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
author: jdeckerms
---
diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md
index fd04412683..445d25bf22 100644
--- a/windows/configuration/lock-down-windows-10-to-specific-apps.md
+++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: edu, security
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# Lock down Windows 10 to specific apps
diff --git a/windows/configuration/lock-down-windows-10.md b/windows/configuration/lock-down-windows-10.md
index 3d2b718c3d..0bcecb6b1a 100644
--- a/windows/configuration/lock-down-windows-10.md
+++ b/windows/configuration/lock-down-windows-10.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security, mobile
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# Lock down Windows 10
diff --git a/windows/configuration/lockdown-features-windows-10.md b/windows/configuration/lockdown-features-windows-10.md
index c7ee249a2d..1477240276 100644
--- a/windows/configuration/lockdown-features-windows-10.md
+++ b/windows/configuration/lockdown-features-windows-10.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# Lockdown features from Windows Embedded 8.1 Industry
diff --git a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 51841c4ad0..2f2bd2b989 100644
--- a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -6,10 +6,10 @@ keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-localizationpriority: high
+ms.localizationpriority: high
author: brianlic-msft
ms.author: brianlic-msft
-ms.date: 06/13/2017
+ms.date: 07/28/2017
---
# Manage connections from Windows operating system components to Microsoft services
@@ -81,7 +81,7 @@ See the following table for a summary of the management settings for Windows 10
| [8. Internet Explorer](#bkmk-ie) |  |  | |  | |
| [9. Live Tiles](#live-tiles) | |  | |  | |
| [10. Mail synchronization](#bkmk-mailsync) |  | |  |  | |
-| [11. Microsoft Account](#bkmk-microsoft-account) | | |  |  | |
+| [11. Microsoft Account](#bkmk-microsoft-account) | |  |  |  | |
| [12. Microsoft Edge](#bkmk-edge) |  |  |  |  |  |
| [13. Network Connection Status Indicator](#bkmk-ncsi) | |  | |  | |
| [14. Offline maps](#bkmk-offlinemaps) |  |  | |  | |
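Review bot: The Microsoft Account row gains an entry in one more column here, and the same change is made in the second summary table (the hunk at -132), but none of the hunks shown for this file touch the section behind `#bkmk-microsoft-account`. Confirm that section already documents the newly marked method; otherwise the summary tables advertise a control the article does not describe.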
@@ -132,7 +132,7 @@ See the following table for a summary of the management settings for Windows Ser
| [7. Insider Preview builds](#bkmk-previewbuilds) |  |  |  | |
| [8. Internet Explorer](#bkmk-ie) |  |  |  | |
| [9. Live Tiles](#live-tiles) | |  |  | |
-| [11. Microsoft Account](#bkmk-microsoft-account) | | |  | |
+| [11. Microsoft Account](#bkmk-microsoft-account) | |  |  | |
| [13. Network Connection Status Indicator](#bkmk-ncsi) | |  |  | |
| [15. OneDrive](#bkmk-onedrive) | |  | | |
| [17. Settings > Privacy](#bkmk-settingssection) | | | | |
@@ -296,7 +296,7 @@ After that, configure the following:
- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Enable Windows NTP Server** > **Windows Time Service** > **Configure Windows NTP Client**
> [!NOTE]
- > This is only available on Windows 10, version 1703 and later.
+ > This is only available on Windows 10, version 1703 and later. If you're using Windows 10, version 1607, the Group Policy setting is **Computer Configuration** > **Administrative Templates** > **System** > **Windows Time Service** > **Time Providers** > **Enable Windows NTP Client**
-or -
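Review bot: The version 1607 path added in the note (**System** > **Windows Time Service** > **Time Providers** > **Enable Windows NTP Client**) does not line up with the path in the bullet above it, which reads **System** > **Enable Windows NTP Server** > **Windows Time Service** > **Configure Windows NTP Client** and has a setting name in the middle of the folder path. Check the bullet's path against the Group Policy editor while this note is being added, make clear which setting name belongs to which version, and end the new sentence with a period.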
@@ -1690,12 +1690,11 @@ If you're running Windows 10, version 1607 or later, you only need to enable the
- **User Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off all Windows spotlight features**
+ > [!NOTE]
+ > This must be done within 15 minutes after Windows 10 is installed. Alternatively, you can create an image with this setting.
+
-or-
-- Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableWindowsSpotlightFeatures**, with a value of 1 (one).
-
- -and-
-
- Create a new REG\_DWORD registry setting in **HKEY\_CURRENT\_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableWindowsSpotlightFeatures**, with a value of 1 (one).
If you're not running Windows 10, version 1607 or later, you can use the other options in this section.
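Review bot: The new note "This must be done within 15 minutes after Windows 10 is installed" does not say what happens if that window is missed, and its position under the Group Policy bullet leaves open whether the same limit applies to the HKEY_CURRENT_USER registry alternative after "-or-". State the consequence and the scope. The hunk also deletes the HKEY_LOCAL_MACHINE value and the "-and-" joiner without explanation; if the machine-wide value has no effect, say so in the text so administrators do not keep relying on it.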
diff --git a/windows/configuration/manage-tips-and-suggestions.md b/windows/configuration/manage-tips-and-suggestions.md
index de1c017907..4485b5e7e7 100644
--- a/windows/configuration/manage-tips-and-suggestions.md
+++ b/windows/configuration/manage-tips-and-suggestions.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: devices
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# Manage Windows 10 and Microsoft Store tips, tricks, and suggestions
diff --git a/windows/configuration/manage-wifi-sense-in-enterprise.md b/windows/configuration/manage-wifi-sense-in-enterprise.md
index 6f0d6a2526..d66b267355 100644
--- a/windows/configuration/manage-wifi-sense-in-enterprise.md
+++ b/windows/configuration/manage-wifi-sense-in-enterprise.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: mobile
author: eross-msft
-localizationpriority: medium
+ms.localizationpriority: medium
---
# Manage Wi-Fi Sense in your company
diff --git a/windows/configuration/mobile-devices/configure-mobile.md b/windows/configuration/mobile-devices/configure-mobile.md
index ecb327e4a5..6fe4753762 100644
--- a/windows/configuration/mobile-devices/configure-mobile.md
+++ b/windows/configuration/mobile-devices/configure-mobile.md
@@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
author: jdeckerms
---
diff --git a/windows/configuration/mobile-devices/lockdown-xml.md b/windows/configuration/mobile-devices/lockdown-xml.md
index 054f2423b3..13c5609760 100644
--- a/windows/configuration/mobile-devices/lockdown-xml.md
+++ b/windows/configuration/mobile-devices/lockdown-xml.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security, mobile
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# Configure Windows 10 Mobile using Lockdown XML
diff --git a/windows/configuration/mobile-devices/mobile-lockdown-designer.md b/windows/configuration/mobile-devices/mobile-lockdown-designer.md
index 4c7a24ae08..98d2c703e6 100644
--- a/windows/configuration/mobile-devices/mobile-lockdown-designer.md
+++ b/windows/configuration/mobile-devices/mobile-lockdown-designer.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
author: jdeckerms
---
diff --git a/windows/configuration/mobile-devices/product-ids-in-windows-10-mobile.md b/windows/configuration/mobile-devices/product-ids-in-windows-10-mobile.md
index a3076896bb..839f23d947 100644
--- a/windows/configuration/mobile-devices/product-ids-in-windows-10-mobile.md
+++ b/windows/configuration/mobile-devices/product-ids-in-windows-10-mobile.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: mobile
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# Product IDs in Windows 10 Mobile
diff --git a/windows/configuration/mobile-devices/provisioning-configure-mobile.md b/windows/configuration/mobile-devices/provisioning-configure-mobile.md
index 07adaea24d..7da86c0ac6 100644
--- a/windows/configuration/mobile-devices/provisioning-configure-mobile.md
+++ b/windows/configuration/mobile-devices/provisioning-configure-mobile.md
@@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
author: jdeckerms
---
diff --git a/windows/configuration/mobile-devices/provisioning-nfc.md b/windows/configuration/mobile-devices/provisioning-nfc.md
index e9da325a36..1885282b41 100644
--- a/windows/configuration/mobile-devices/provisioning-nfc.md
+++ b/windows/configuration/mobile-devices/provisioning-nfc.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# NFC-based device provisioning
diff --git a/windows/configuration/mobile-devices/provisioning-package-splitter.md b/windows/configuration/mobile-devices/provisioning-package-splitter.md
index 3204fd85b1..1e44466908 100644
--- a/windows/configuration/mobile-devices/provisioning-package-splitter.md
+++ b/windows/configuration/mobile-devices/provisioning-package-splitter.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# Barcode provisioning and the package splitter tool
diff --git a/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md b/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md
index 32ff70af9b..d5aadcad3e 100644
--- a/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md
+++ b/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: mobile
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise
diff --git a/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md b/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md
index 5f5c0e2193..1a2a59eb33 100644
--- a/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md
+++ b/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: mobile
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# Settings and quick actions that can be locked down in Windows 10 Mobile
diff --git a/windows/configuration/mobile-devices/start-layout-xml-mobile.md b/windows/configuration/mobile-devices/start-layout-xml-mobile.md
index fb967c625a..f7d4204adb 100644
--- a/windows/configuration/mobile-devices/start-layout-xml-mobile.md
+++ b/windows/configuration/mobile-devices/start-layout-xml-mobile.md
@@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# Start layout XML for mobile editions of Windows 10 (reference)
diff --git a/windows/configuration/provisioning-apn.md b/windows/configuration/provisioning-apn.md
index f1aeed6ade..72b2e23caf 100644
--- a/windows/configuration/provisioning-apn.md
+++ b/windows/configuration/provisioning-apn.md
@@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
-localizationpriority: high
+ms.localizationpriority: high
---
# Configure cellular settings for tablets and PCs
diff --git a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
index 655266907f..b62bdf4c0b 100644
--- a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
+++ b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
@@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
-localizationpriority: medium
+ms.localizationpriority: medium
---
# Introduction to configuration service providers (CSPs) for IT pros
diff --git a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md
index 8c55fb568e..859a33f7bd 100644
--- a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md
+++ b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md
@@ -7,7 +7,7 @@ ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# Provision PCs with common settings for initial deployment (desktop wizard)
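Review bot: While this front matter is being normalized, `ms.prod: W10` in the hunk header context is capitalized differently from the `ms.prod: w10` used by most files in this change. Align it here and in provision-pcs-with-apps-and-certificates.md, provision-pcs-with-apps.md and set-up-shared-or-guest-pc.md, which carry the same value, so metadata filters that match on the product string treat all of these pages alike.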
diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md
index de91fcd4cb..932bc297e9 100644
--- a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md
+++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md
@@ -6,7 +6,7 @@ ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# Provision PCs with apps and certificates for initial deployment (advanced provisioning)
diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
index 835fa8a371..e818979df8 100644
--- a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
+++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
@@ -6,7 +6,7 @@ ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# Provision PCs with apps
diff --git a/windows/configuration/provisioning-packages/provisioning-apply-package.md b/windows/configuration/provisioning-packages/provisioning-apply-package.md
index 5ff8a5efe4..c12120567c 100644
--- a/windows/configuration/provisioning-packages/provisioning-apply-package.md
+++ b/windows/configuration/provisioning-packages/provisioning-apply-package.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# Apply a provisioning package
diff --git a/windows/configuration/provisioning-packages/provisioning-command-line.md b/windows/configuration/provisioning-packages/provisioning-command-line.md
index 1204c7c83d..5eda051a35 100644
--- a/windows/configuration/provisioning-packages/provisioning-command-line.md
+++ b/windows/configuration/provisioning-packages/provisioning-command-line.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# Windows Configuration Designer command-line interface (reference)
diff --git a/windows/configuration/provisioning-packages/provisioning-create-package.md b/windows/configuration/provisioning-packages/provisioning-create-package.md
index 6607c821d3..dc25ab7ceb 100644
--- a/windows/configuration/provisioning-packages/provisioning-create-package.md
+++ b/windows/configuration/provisioning-packages/provisioning-create-package.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# Create a provisioning package for Windows 10
diff --git a/windows/configuration/provisioning-packages/provisioning-how-it-works.md b/windows/configuration/provisioning-packages/provisioning-how-it-works.md
index e5acff9568..0596ad5024 100644
--- a/windows/configuration/provisioning-packages/provisioning-how-it-works.md
+++ b/windows/configuration/provisioning-packages/provisioning-how-it-works.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# How provisioning works in Windows 10
diff --git a/windows/configuration/provisioning-packages/provisioning-install-icd.md b/windows/configuration/provisioning-packages/provisioning-install-icd.md
index ba730bf0b5..e4bec41c89 100644
--- a/windows/configuration/provisioning-packages/provisioning-install-icd.md
+++ b/windows/configuration/provisioning-packages/provisioning-install-icd.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# Install Windows Configuration Designer
diff --git a/windows/configuration/provisioning-packages/provisioning-multivariant.md b/windows/configuration/provisioning-packages/provisioning-multivariant.md
index 9a54b72f77..6da2cc4314 100644
--- a/windows/configuration/provisioning-packages/provisioning-multivariant.md
+++ b/windows/configuration/provisioning-packages/provisioning-multivariant.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# Create a provisioning package with multivariant settings
diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md
index 3b50ac1ed9..f9d607c19c 100644
--- a/windows/configuration/provisioning-packages/provisioning-packages.md
+++ b/windows/configuration/provisioning-packages/provisioning-packages.md
@@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# Provisioning packages for Windows 10
diff --git a/windows/configuration/provisioning-packages/provisioning-powershell.md b/windows/configuration/provisioning-packages/provisioning-powershell.md
index 28621fa4b0..27015f653b 100644
--- a/windows/configuration/provisioning-packages/provisioning-powershell.md
+++ b/windows/configuration/provisioning-packages/provisioning-powershell.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# PowerShell cmdlets for provisioning Windows 10 (reference)
diff --git a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md
index e53ee20836..e3de647451 100644
--- a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md
+++ b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# Use a script to install a desktop app in provisioning packages
diff --git a/windows/configuration/provisioning-packages/provisioning-uninstall-package.md b/windows/configuration/provisioning-packages/provisioning-uninstall-package.md
index fcfca68990..5cbafce644 100644
--- a/windows/configuration/provisioning-packages/provisioning-uninstall-package.md
+++ b/windows/configuration/provisioning-packages/provisioning-uninstall-package.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# Settings changed when you uninstall a provisioning package
diff --git a/windows/configuration/set-up-a-device-for-anyone-to-use.md b/windows/configuration/set-up-a-device-for-anyone-to-use.md
index cce5f6428b..af7765d2f8 100644
--- a/windows/configuration/set-up-a-device-for-anyone-to-use.md
+++ b/windows/configuration/set-up-a-device-for-anyone-to-use.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# Set up a device for anyone to use (kiosk mode)
diff --git a/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md b/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
index 41b090e5e9..7a5fa6db77 100644
--- a/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
+++ b/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# Set up a kiosk on Windows 10 Pro, Enterprise, or Education
diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md
index 7a88e367cf..192728ded1 100644
--- a/windows/configuration/set-up-shared-or-guest-pc.md
+++ b/windows/configuration/set-up-shared-or-guest-pc.md
@@ -6,7 +6,7 @@ ms.prod: W10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# Set up a shared or guest PC with Windows 10
diff --git a/windows/configuration/start-layout-xml-desktop.md b/windows/configuration/start-layout-xml-desktop.md
index 5c1898026e..e203016bfa 100644
--- a/windows/configuration/start-layout-xml-desktop.md
+++ b/windows/configuration/start-layout-xml-desktop.md
@@ -8,7 +8,7 @@ ms.sitesec: library
author: jdeckerms
ms.author: jdecker
ms.date: 06/13/2017
-localizationpriority: high
+ms.localizationpriority: high
---
# Start layout XML for desktop editions of Windows 10 (reference)
@@ -191,7 +191,7 @@ You can use the **start:DesktopApplicationTile** tag to pin a Windows desktop ap
To pin a Windows desktop application through this method, you must set the **DesktopApplicationID** attribute to the application user model ID that's associated with the corresponding app.
- The following example shows how to pin the Internet Explorer Windows desktop application:
+ The following example shows how to pin the File Explorer Windows desktop application:
```XML
+```
+
+
## Export Start layout and assets
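Review bot: Confirm that the **DesktopApplicationID** in the XML example under the changed sentence is the File Explorer application user model ID. The hunk changes only the lead-in from "Internet Explorer" to "File Explorer" (7 lines on each side), so the sample itself is not updated here and must already match the new wording.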
@@ -53,6 +72,7 @@ In Windows 10, version 1703, by using the PowerShell cmdlet `export-StartLayoutE
3. If you’d like to change the image for a secondary tile to your own custom image, open the layout.xml file, and look for the images that the tile references.
- For example, your layout.xml contains `Square150x150LogoUri="ms-appdata:///local/PinnedTiles/21581260870/hires.png" Wide310x150LogoUri="ms-appx:///"`
- Open `C:\Users\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState` and replace those images with your customized images
+
>[!TIP]
>A quick method for getting appropriately sized images for each tile size is to upload your image at [BuildMyPinnedSite](http://www.buildmypinnedsite.com/) and then download the resized tile images.
@@ -80,6 +100,94 @@ In addition to the `./User/Vendor/MSFT/Policy/Config/Start/StartLayout` setting,
| **OMA-URI (case sensitive)** | **./User/Vendor/MSFT/Policy/Config/Start/ImportEdgeAssets**
| **Value** | Paste the contents of the assets.xml file that you created. |
+**Example XML string value for the Start/ImportEdgeAssets policy**
+
+```
+
+
+
+
+
+
+ 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
+
+
+
+
+
+
+
+ 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
+
+
+
+
+
+
+
+ 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
+
+
+
+
+
+
+
+ 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
+
+
+
+
+
+
+
+ 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
+
+
+
+
+
+
+
+ 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
+
+
+
+
+
+
+
+ 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
+
+
+
+
+
+
+
+ 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
+
+
+
+
+
+
+
+ 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
+
+
+
+
+
+
+
+ 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
+
+
+
+
+```
+
### Using a provisioning package
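Review bot: The code fence opened under "Example XML string value for the Start/ImportEdgeAssets policy" has no language tag, while the sample in start-layout-xml-desktop.md is fenced as XML; tag this one the same way so it is highlighted and treated consistently. The hunk grows this part of the article from 6 to 94 lines, so say in the caption whether the value is a complete assets.xml or a trimmed illustration, since readers are told to paste the value verbatim into the policy. The OMA-URI table row just above the addition is also missing its closing pipe.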
diff --git a/windows/configuration/start-taskbar-lockscreen.md b/windows/configuration/start-taskbar-lockscreen.md
index cad0f022bc..87b59d4a68 100644
--- a/windows/configuration/start-taskbar-lockscreen.md
+++ b/windows/configuration/start-taskbar-lockscreen.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
author: jdeckerms
---
diff --git a/windows/configuration/stop-employees-from-using-the-windows-store.md b/windows/configuration/stop-employees-from-using-the-windows-store.md
index 43f1bbb647..f8b7650447 100644
--- a/windows/configuration/stop-employees-from-using-the-windows-store.md
+++ b/windows/configuration/stop-employees-from-using-the-windows-store.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store, mobile
author: TrudyHa
-localizationpriority: high
+ms.localizationpriority: high
---
# Configure access to Microsoft Store
@@ -59,10 +59,10 @@ For more information on AppLocker, see [What is AppLocker?](/windows/device-secu
## Block Microsoft Store using Group Policy
-Applies to: Windows 10 Enterprise, version 1511, Windows 10 Education
+Applies to: Windows 10 Enterprise, Windows 10 Education
> [!Note]
-> Not supported on Windows 10 Pro.
+> Not supported on Windows 10 Pro, starting with version 1511. For more info, see [Knowledge Base article #3135657](https://support.microsoft.com/kb/3135657).
You can also use Group Policy to manage access to Microsoft Store.
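Review bot: The reworded note, "Not supported on Windows 10 Pro, starting with version 1511", leaves it unclear whether the Group Policy setting still applies to Windows 10 Pro releases earlier than 1511, and the "Applies to" line no longer carries any version. Since this section is what an administrator relies on to block Microsoft Store, suggest saying explicitly which Pro versions honor the policy and which ignore it, rather than leaving that to the linked Knowledge Base article.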
diff --git a/windows/configuration/windows-10-start-layout-options-and-policies.md b/windows/configuration/windows-10-start-layout-options-and-policies.md
index 5fc6d0a993..10de96a306 100644
--- a/windows/configuration/windows-10-start-layout-options-and-policies.md
+++ b/windows/configuration/windows-10-start-layout-options-and-policies.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# Manage Windows 10 Start and taskbar layout
diff --git a/windows/configuration/windows-diagnostic-data.md b/windows/configuration/windows-diagnostic-data.md
index 88a4339635..611432abea 100644
--- a/windows/configuration/windows-diagnostic-data.md
+++ b/windows/configuration/windows-diagnostic-data.md
@@ -5,7 +5,7 @@ keywords: privacy,Windows 10
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-localizationpriority: high
+ms.localizationpriority: high
author: brianlic-msft
---
diff --git a/windows/configuration/windows-spotlight.md b/windows/configuration/windows-spotlight.md
index c68dd7afa0..f786f2f6ad 100644
--- a/windows/configuration/windows-spotlight.md
+++ b/windows/configuration/windows-spotlight.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# Configure Windows Spotlight on the lock screen
@@ -67,8 +67,6 @@ Windows Spotlight is enabled by default. Windows 10 provides Group Policy and mo
In addition to the specific policy settings for Windows Spotlight, administrators can replace Windows Spotlight with a selected image using the Group Policy setting **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**.
->[!WARNING]
-> In Windows 10, version 1607, the **Force a specific default lock screen image** policy setting will prevent users from changing the lock screen image. This behavior will be corrected in a future release.

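Review bot: Removing the WARNING about **Force a specific default lock screen image** drops the known-issue text for Windows 10, version 1607 without stating whether or where the behavior was corrected. Devices still running 1607 would keep the behavior the warning described, with nothing left on the page to explain it. Suggest keeping a note scoped to version 1607, or naming the release that changed the behavior if there is one.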
diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md
index 27a5ebe9be..4c6db249d6 100644
--- a/windows/deployment/TOC.md
+++ b/windows/deployment/TOC.md
@@ -2,26 +2,18 @@
## [What's new in Windows 10 deployment](deploy-whats-new.md)
## [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
-## [Windows 10 Enterprise E3 in CSP overview](windows-10-enterprise-e3-overview.md)
+
+## [Windows 10 Subscription Activation](windows-10-enterprise-subscription-activation.md)
+### [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md)
+### [Configure VDA for Subscription Activation](vda-subscription-activation.md)
+### [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md)
## [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md)
## [Deploy Windows 10](deploy.md)
+### [Overview of Windows AutoPilot](windows-10-auto-pilot.md)
### [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md)
### [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md)
-### [Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md)
-#### [Upgrade Readiness architecture](upgrade/upgrade-readiness-architecture.md)
-#### [Upgrade Readiness requirements](upgrade/upgrade-readiness-requirements.md)
-#### [Get started with Upgrade Readiness](upgrade/upgrade-readiness-get-started.md)
-##### [Upgrade Readiness deployment script](upgrade/upgrade-readiness-deployment-script.md)
-#### [Use Upgrade Readiness to manage Windows upgrades](upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md)
-##### [Upgrade overview](upgrade/upgrade-readiness-upgrade-overview.md)
-##### [Step 1: Identify apps](upgrade/upgrade-readiness-identify-apps.md)
-##### [Step 2: Resolve issues](upgrade/upgrade-readiness-resolve-issues.md)
-##### [Step 3: Deploy Windows](upgrade/upgrade-readiness-deploy-windows.md)
-##### [Additional insights](upgrade/upgrade-readiness-additional-insights.md)
-#### [Troubleshoot Upgrade Readiness](upgrade/troubleshoot-upgrade-readiness.md)
-
### [Windows 10 deployment test lab](windows-10-poc.md)
#### [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md)
#### [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md)
@@ -74,6 +66,7 @@
##### [Key features in MDT](deploy-windows-mdt/key-features-in-mdt.md)
##### [MDT Lite Touch components](deploy-windows-mdt/mdt-lite-touch-components.md)
##### [Prepare for deployment with MDT](deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md)
+
#### [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md)
#### [Deploy a Windows 10 image using MDT](deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md)
#### [Build a distributed environment for Windows 10 deployment](deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md)
@@ -211,10 +204,7 @@
### [Overview of Windows as a service](update/waas-overview.md)
### [Prepare servicing strategy for Windows 10 updates](update/waas-servicing-strategy-windows-10-updates.md)
### [Build deployment rings for Windows 10 updates](update/waas-deployment-rings-windows-10-updates.md)
-### [Assign devices to servicing branches for Windows 10 updates](update/waas-servicing-branches-windows-10-updates.md)
-### [Monitor Windows Updates with Update Compliance](update/update-compliance-monitor.md)
-#### [Get started with Update Compliance](update/update-compliance-get-started.md)
-#### [Use Update Compliance](update/update-compliance-using.md)
+### [Assign devices to servicing channels for Windows 10 updates](update/waas-servicing-channels-windows-10-updates.md)
### [Optimize Windows 10 update delivery](update/waas-optimize-windows-10-updates.md)
#### [Configure Delivery Optimization for Windows 10 updates](update/waas-delivery-optimization.md)
#### [Configure BranchCache for Windows 10 updates](update/waas-branchcache.md)
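Review bot: The replacement entry links to update/waas-servicing-channels-windows-10-updates.md, but this hunk only shows the TOC side of the rename. Please confirm the topic file is renamed in the same change and that the old waas-servicing-branches-windows-10-updates.md path redirects, otherwise existing inbound links will break. The Update Compliance entries removed here reappear under the new Windows Analytics node at the end of the file, which is worth stating in the change description so the move is not read as a deletion.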
@@ -233,4 +223,24 @@
#### [Windows Insider Program for Business Frequently Asked Questions](update/waas-windows-insider-for-business-faq.md)
### [Change history for Update Windows 10](update/change-history-for-update-windows-10.md)
-## [Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade/upgrade-windows-phone-8-1-to-10.md)
+## Windows Analytics
+### [Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md)
+#### [Upgrade Readiness architecture](upgrade/upgrade-readiness-architecture.md)
+#### [Upgrade Readiness requirements](upgrade/upgrade-readiness-requirements.md)
+#### [Get started with Upgrade Readiness](upgrade/upgrade-readiness-get-started.md)
+##### [Upgrade Readiness deployment script](upgrade/upgrade-readiness-deployment-script.md)
+#### [Use Upgrade Readiness to manage Windows upgrades](upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md)
+##### [Upgrade overview](upgrade/upgrade-readiness-upgrade-overview.md)
+##### [Step 1: Identify apps](upgrade/upgrade-readiness-identify-apps.md)
+##### [Step 2: Resolve issues](upgrade/upgrade-readiness-resolve-issues.md)
+##### [Step 3: Deploy Windows](upgrade/upgrade-readiness-deploy-windows.md)
+##### [Additional insights](upgrade/upgrade-readiness-additional-insights.md)
+#### [Troubleshoot Upgrade Readiness](upgrade/troubleshoot-upgrade-readiness.md)
+### [Monitor Windows Updates with Update Compliance](update/update-compliance-monitor.md)
+#### [Get started with Update Compliance](update/update-compliance-get-started.md)
+#### [Use Update Compliance](update/update-compliance-using.md)
+### [Device Health](update/device-health-monitor.md)
+#### [Get started with Device Health](update/device-health-get-started.md)
+#### [Using Device Health](update/device-health-using.md)
+
+## [Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade/upgrade-windows-phone-8-1-to-10.md)
\ No newline at end of file
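Review bot: The added "## Windows Analytics" heading has no link target, while the other level-2 entries visible in this TOC are links to a topic; confirm that an unlinked parent node is intended and renders correctly, or point it at a landing topic. The file also now ends without a trailing newline ("\ No newline at end of file"); add one to keep later diffs clean.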
diff --git a/windows/deployment/add-store-apps-to-image.md b/windows/deployment/add-store-apps-to-image.md
index ca1d3c293d..291aa15115 100644
--- a/windows/deployment/add-store-apps-to-image.md
+++ b/windows/deployment/add-store-apps-to-image.md
@@ -4,7 +4,7 @@ description: This topic describes how to add Microsoft Store for Business applic
keywords: upgrade, update, windows, windows 10, deploy, store, image, wim
ms.prod: w10
ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
ms.sitesec: library
ms.pagetype: deploy
author: DaniHalfin
diff --git a/windows/deployment/change-history-for-deploy-windows-10.md b/windows/deployment/change-history-for-deploy-windows-10.md
index c9b44a991f..3442d7e48a 100644
--- a/windows/deployment/change-history-for-deploy-windows-10.md
+++ b/windows/deployment/change-history-for-deploy-windows-10.md
@@ -64,18 +64,18 @@ The topics in this library have been updated for Windows 10, version 1703 (also
| [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) | New |
| [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) | New |
| [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md) | New |
-| [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package.md) | New (previously published in other topics) |
-| [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package.md) | New (previously published in Hardware Dev Center on MSDN) |
-| [Create a provisioning package with multivariant settings](/windows/configuration/provisioning-packages/provisioning-multivariant.md) | New (previously published in Hardware Dev Center on MSDN) |
-| [How provisioning works in Windows 10](/windows/configuration/provisioning-packages/provisioning-how-it-works.md) | New (previously published in Hardware Dev Center on MSDN) |
-| [Install Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd.md) | New (previously published in Hardware Dev Center on MSDN) |
-| [NFC-based device provisioning](/windows/configuration/mobile-devices/provisioning-nfc.md) | New (previously published in Hardware Dev Center on MSDN) |
-| [Settings changed when you uninstall a provisioning package](/windows/configuration/provisioning-packages/provisioning-uninstall-package.md) | New (previously published in Hardware Dev Center on MSDN) |
-| [Use a script to install a desktop app in provisioning packages](/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md) | New (previously published in Hardware Dev Center on MSDN) |
-| [Windows ICD command-line interface (reference)](/windows/configuration/provisioning-packages/provisioning-command-line.md) | New (previously published in Hardware Dev Center on MSDN) |
+| [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) | New (previously published in other topics) |
+| [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package) | New (previously published in Hardware Dev Center on MSDN) |
+| [Create a provisioning package with multivariant settings](/windows/configuration/provisioning-packages/provisioning-multivariant) | New (previously published in Hardware Dev Center on MSDN) |
+| [How provisioning works in Windows 10](/windows/configuration/provisioning-packages/provisioning-how-it-works) | New (previously published in Hardware Dev Center on MSDN) |
+| [Install Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) | New (previously published in Hardware Dev Center on MSDN) |
+| [NFC-based device provisioning](/windows/configuration/mobile-devices/provisioning-nfc) | New (previously published in Hardware Dev Center on MSDN) |
+| [Settings changed when you uninstall a provisioning package](/windows/configuration/provisioning-packages/provisioning-uninstall-package) | New (previously published in Hardware Dev Center on MSDN) |
+| [Use a script to install a desktop app in provisioning packages](/windows/configuration/provisioning-packages/provisioning-script-to-install-app) | New (previously published in Hardware Dev Center on MSDN) |
+| [Windows ICD command-line interface (reference)](/windows/configuration/provisioning-packages/provisioning-command-line) | New (previously published in Hardware Dev Center on MSDN) |
| [Get started with Upgrade Analytics](upgrade/upgrade-readiness-get-started.md) | Updated exit code table with suggested fixes, and added link to the Upgrade Analytics blog |
-| [Provision PCs with common settings for initial deployment (simple provisioning)](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md) | Instructions for applying the provisioning package moved to [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package.md) |
-| [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md) | Instructions for applying the provisioning package moved to [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package.md) |
+| [Provision PCs with common settings for initial deployment (simple provisioning)](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment) | Instructions for applying the provisioning package moved to [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) |
+| [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates) | Instructions for applying the provisioning package moved to [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) |
## October 2016
@@ -135,5 +135,5 @@ The topics in this library have been updated for Windows 10, version 1607 (also
## Related topics
- [Change history for Plan for Windows 10 deployment](/windows/deployment/planning/change-history-for-plan-for-windows-10-deployment)
- [Change history for Access Protection](/windows/access-protection/change-history-for-access-protection)
-- [Change history for Access Protection](/windows/device-security/change-history-for-device-security)
-- [Change history for Access Protection](/windows/threat-protection/change-history-for-threat-protection)
+- [Change history for Device Security](/windows/device-security/change-history-for-device-security)
+- [Change history for Threat Protection](/windows/threat-protection/change-history-for-threat-protection)
diff --git a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md
index f0830b38a4..fee340161a 100644
--- a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md
+++ b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md
@@ -4,7 +4,7 @@ description: This topic describes how to configure a PXE server to load Windows
keywords: upgrade, update, windows, windows 10, pxe, WinPE, image, wim
ms.prod: w10
ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md
new file mode 100644
index 0000000000..6881363aa1
--- /dev/null
+++ b/windows/deployment/deploy-enterprise-licenses.md
@@ -0,0 +1,195 @@
+---
+title: Deploy Windows 10 Enterprise licenses
+description: Steps to deploy Windows 10 Enterprise licenses for Windows 10 Enterprise E3 or E5 Subscription Activation, or for Windows 10 Enterprise E3 in CSP
+keywords: upgrade, update, task sequence, deploy
+ms.prod: w10
+ms.mktglfcycl: deploy
+localizationpriority: high
+ms.sitesec: library
+ms.pagetype: mdt
+author: greg-lindsay
+---
+
+# Deploy Windows 10 Enterprise licenses
+
+This topic describes how to deploy Windows 10 Enterprise E3 or E5 licenses with [Windows 10 Enterprise Subscription Activation](windows-10-enterprise-subscription-activation.md) or [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) and Azure Active Directory (Azure AD).
+
+>Note: Windows 10 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later.
+>Windows 10 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later.
+
+Also in this article:
+- [Explore the upgrade experience](#explore-the-upgrade-experience): How to upgrade devices using the deployed licenses.
+- [Troubleshoot the user experience](#troubleshoot-the-user-experience): Examples of some license activation issues that can be encountered, and how to resolve them.
+
+## Active Directory synchronization with Azure AD
+
+You probably have on-premises Active Directory Domain Services (AD DS) domains. Users will use their domain-based credentials to sign in to the AD DS domain. Before you start deploying Windows 10 Enterprise E3 or E5 licenses to users, you need to synchronize the identities in the on-premises ADDS domain with Azure AD.
+
+You might ask why you need to synchronize these identities. The answer is so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10 Enterprise E3 or E5). This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them.
+
+**Figure 1** illustrates the integration between the on-premises AD DS domain with Azure AD. [Microsoft Azure Active Directory Connect](http://www.microsoft.com/en-us/download/details.aspx?id=47594) (Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure.
+
+
+
+**Figure 1. On-premises AD DS integrated with Azure AD**
+
+For more information about integrating on-premises AD DS domains with Azure AD, see the following resources:
+
+- [Integrating your on-premises identities with Azure Active Directory](http://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/)
+- [Azure AD + Domain Join + Windows 10](https://blogs.technet.microsoft.com/enterprisemobility/2016/02/17/azure-ad-domain-join-windows-10/)
+
+## Preparing for deployment: reviewing requirements
+
+Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this topic.
+
+## Assigning licenses to users
+
+Upon acquisition of Windows 10 subscription has been completed (Windows 10 Business, E3 or E5), customers will receive an email that will provide guidance on how to use Windows as an online service:
+
+
+
+The following methods are available to assign licenses:
+
+1. When you have the required Azure AD subscription, [group-based licensing](https://docs.microsoft.com/azure/active-directory/active-directory-licensing-whatis-azure-portal) is the preferred method to assign Enterprise E3 or E5 licenses to users.
+2. You can sign in to portal.office.com and manually assign licenses:
+
+ 
+
+3. You can assign licenses by uploading a spreadsheet.
+4. A per-user [PowerShell scripted method](http://social.technet.microsoft.com/wiki/contents/articles/15905.how-to-use-powershell-to-automatically-assign-licenses-to-your-office-365-users.aspx) of assigning licenses is available.
+5. Organizations can use synchronized [AD groups](https://ronnydejong.com/2015/03/04/assign-ems-licenses-based-on-local-active-directory-group-membership/) to automatically assign licenses.
+
+## Explore the upgrade experience
+
+Now that your subscription has been established and Windows 10 Enterprise E3 or E5 licenses have been assigned to users, the users are ready to upgrade their devices running Windows 10 Pro, version 1703 edition to Windows 10 Enterprise edition. So what will the users experience? How will they upgrade their devices?
+
+### Step 1: Join users’ devices to Azure AD
+
+Users can join a device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1703.
+
+**To join a device to Azure AD the first time the device is started**
+
+1. During the initial setup, on the **Who owns this PC?** page, select **My organization**, and then click **Next**, as illustrated in **Figure 2**.
+
+
+
+ **Figure 2. The “Who owns this PC?” page in initial Windows 10 setup**
+
+2. On the **Choose how you’ll connect** page, select **Join Azure AD**, and then click **Next**, as illustrated in **Figure 3**.
+
+
+
+ **Figure 3. The “Choose how you’ll connect” page in initial Windows 10 setup**
+
+3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 4**.
+
+
+
+ **Figure 4. The “Let’s get you signed in” page in initial Windows 10 setup**
+
+Now the device is Azure AD joined to the company’s subscription.
+
+**To join a device to Azure AD when the device already has Windows 10 Pro, version 1703 installed and set up**
+
+1. Go to **Settings > Accounts > Access work or school**, as illustrated in **Figure 5**.
+
+
+
+ **Figure 5. Connect to work or school configuration in Settings**
+
+2. In **Set up a work or school account**, click **Join this device to Azure Active Directory**, as illustrated in **Figure 6**.
+
+
+
+ **Figure 6. Set up a work or school account**
+
+3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 7**.
+
+
+
+ **Figure 7. The “Let’s get you signed in” dialog box**
+
+Now the device is Azure AD joined to the company’s subscription.
+
+### Step 2: Sign in using Azure AD account
+
+Once the device is joined to your Azure AD subscription, the user will sign in by using his or her Azure AD account, as illustrated in **Figure 8**. The Windows 10 Enterprise E3 or E5 license associated with the user will enable Windows 10 Enterprise edition capabilities on the device.
+
+
+
+**Figure 8. Sign in by using Azure AD account**
+
+### Step 3: Verify that Enterprise edition is enabled
+
+You can verify the Windows 10 Enterprise E3 or E5 subscription in **Settings > Update & Security > Activation**, as illustrated in **Figure 9**.
+
+
+
+
+ **Figure 9 - Windows 10 Enterprise subscription in Settings**
+
+
+If there are any problems with the Windows 10 Enterprise E3 or E5 license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process.
+
+## Virtual Desktop Access (VDA)
+
+Subscriptions to Windows 10 Enterprise are also available for virtualized clients. Windows 10 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [qualified multitenant hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx).
+
+Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Azure Active Directory-joined clients are supported. See [Enable VDA for Enterprise Subscription Activation](vda-subscription-activation.md).
+
+## Troubleshoot the user experience
+
+In some instances, users may experience problems with the Windows 10 Enterprise E3 or E5 subscription. The most common problems that users may experience are as follows:
+
+- The existing Windows 10 Pro, version 1703 operating system is not activated.
+
+- The Windows 10 Enterprise E3 or E5 subscription has lapsed or has been removed.
+
+Use the following figures to help you troubleshoot when users experience these common problems:
+
+- [Figure 9](#win-10-activated-subscription-active) (above) illustrates a device in a healthy state, where Windows 10 Pro is activated and the Windows 10 Enterprise subscription is active.
+
+- [Figure 10](#win-10-not-activated) (below) illustrates a device on which Windows 10 Pro is not activated, but the Windows 10 Enterprise subscription is active.
+
+- [Figure 11](#subscription-not-active) (below) illustrates a device on which Windows 10 Pro is activated, but the Windows 10 Enterprise subscription is lapsed or removed.
+
+- [Figure 12](#win-10-not-activated-subscription-not-active) (below) illustrates a device on which Windows 10 Pro license is not activated and the Windows 10 Enterprise subscription is lapsed or removed.
+
+
+
+
+
+ **Figure 10 - Windows 10 Pro, version 1703 edition not activated in Settings**
+
+
+
+
+
+ **Figure 11 - Windows 10 Enterprise subscription lapsed or removed in Settings**
+
+
+
+
+
+ **Figure 12 - Windows 10 Pro, version 1703 edition not activated and Windows 10 Enterprise subscription lapsed or removed in Settings**
+
+
+### Review requirements on devices
+
+Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. You can use the following procedures to review whether a particular device meets requirements.
+
+**To determine if a device is Azure Active Directory joined:**
+
+1. Open a command prompt and type **dsregcmd /status**.
+
+2. Review the output under Device State. If the **AzureAdJoined** status is YES, the device is Azure Active Directory joined.
+
+**To determine the version of Windows 10:**
+
+- At a command prompt, type:
+ **winver**
+
+ A popup window will display the Windows 10 version number and detailed OS build information.
+
+ If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be upgraded to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal.
+
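Review bot: The version requirements in this new topic contradict each other. The note at the top says Windows 10 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later, but "Preparing for deployment: reviewing requirements" and "Review requirements on devices" both state that devices must be running Windows 10 Pro, version 1703, with no CSP exception. Suggest scoping the 1703 requirement to Subscription Activation (EA or MPSA) and stating the 1607 minimum for CSP in both sections. The front matter adds "localizationpriority: high" while the rest of this change renames that key to "ms.localizationpriority"; use the new key here as well. The Azure AD Connect download link and the "Integrating your on-premises identities" link use http:// and should be https://. In "Assigning licenses to users", "Upon acquisition of Windows 10 subscription has been completed" is ungrammatical; something like "After the Windows 10 subscription has been acquired" reads correctly.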
diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md
index e872024dd2..fddacf3a05 100644
--- a/windows/deployment/deploy-whats-new.md
+++ b/windows/deployment/deploy-whats-new.md
@@ -3,7 +3,7 @@ title: What's new in Windows 10 deployment
description: Changes and new features related to Windows 10 deployment
keywords: deployment, automate, tools, configure, news
ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
ms.prod: w10
ms.sitesec: library
ms.pagetype: deploy
@@ -26,13 +26,21 @@ This topic provides an overview of new solutions and online content related to d
## Windows 10 Enterprise upgrade
+Windows 10 version 1703 includes a Windows 10 Enterprise E3 and E5 benefit to Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA). These customers can now subscribe users to Windows 10 Enterprise E3 or E5 and activate their subscriptions on up to five devices. Virtual machines can also be activated. For more information, see [Windows 10 Enterprise Subscription Activation](windows-10-enterprise-subscription-activation.md).
+
Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise to their users. With Windows 10 Enterprise E3 in CSP, small and medium-sized organizations can more easily take advantage of Windows 10 Enterprise features.
-For more information, see [Windows 10 Enterprise E3 in CSP Overview](windows-10-enterprise-e3-overview.md)
+For more information, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md)
## Deployment solutions and tools
+### Windows AutoPilot
+
+Windows AutoPilot streamlines and automates the process of setting up and configuring new devices, with minimal interaction required from the end user. You can also use Windows AutoPilot to reset, repurpose and recover devices.
+
+Windows AutoPilot joins devices to Azure Active Directory (Azure AD), optionally enrolls into MDM services, configures security policies, and sets a custom out-of-box-experience (OOBE) for the end user. For more information, see [Overview of Windows AutoPilot](windows-10-auto-pilot.md).
+
### Upgrade Readiness
The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017.
@@ -55,6 +63,9 @@ Update Compliance is a solution built using OMS Logs and Analytics that provides
For more information about Update Compliance, see [Monitor Windows Updates with Update Compliance](update/update-compliance-monitor.md).
+### Device Health
+
+Device Health is the newest Windows Analytics solution that complements the existing Upgrade Readiness and Update Compliance solutions by helping to identify devices crashes and the cause. Device drivers that are causing crashes are identified along with alternative drivers that might reduce the number of crashes. Windows Information Protection misconfigurations are also identified. For more information, see [Monitor the health of devices with Device Health](update/device-health-monitor.md)
### MBR2GPT
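Review bot: In the added Device Health paragraph, "helping to identify devices crashes and the cause" should read "device crashes and their cause", and the final sentence ending in the device-health-monitor.md link is missing its closing period. The new paragraph also appears to run straight into "### MBR2GPT" with no blank line between them; add one so the heading renders reliably.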
diff --git a/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md b/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md
index 7fbd9c8386..b5a1920b19 100644
--- a/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md
@@ -5,7 +5,7 @@ ms.assetid: d82902e4-de9c-4bc4-afe0-41d649b83ce7
keywords: settings, database, deploy
ms.prod: w10
ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus
diff --git a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md
index c253293a7e..af480bfc6a 100644
--- a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md
+++ b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md
@@ -5,7 +5,7 @@ ms.assetid: a6cd5657-6a16-4fff-bfb4-44760902d00c
keywords: replication, replicate, deploy, configure, remote
ms.prod: w10
ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus
diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md b/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md
index bfcbdd5e6b..ba27f0da53 100644
--- a/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md
+++ b/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md
@@ -5,7 +5,7 @@ ms.assetid: b5ce2360-33cc-4b14-b291-16f75797391b
keywords: rules, configuration, automate, deploy
ms.prod: w10
ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus
diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md b/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md
index c168bda59d..726a04ca82 100644
--- a/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md
+++ b/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md
@@ -5,7 +5,7 @@ ms.assetid: 29a421d1-12d2-414e-86dc-25b62f5238a7
keywords: rules, script
ms.prod: w10
ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus
diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md
index b01d3341c6..1646c5ed79 100644
--- a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md
+++ b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md
@@ -5,7 +5,7 @@ ms.assetid: d3e1280c-3d1b-4fad-8ac4-b65dc711f122
keywords: customize, customization, deploy, features, tools
ms.prod: w10
ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus
diff --git a/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md b/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md
index 123fe228b3..34503a310e 100644
--- a/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md
@@ -5,7 +5,7 @@ ms.assetid: 0b069bec-5be8-47c6-bf64-7a630f41ac98
keywords: deploy, upgrade, task sequence, install
ms.prod: w10
ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
ms.pagetype: mdt
ms.sitesec: library
author: mtniehaus
diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
index 128b74d5b1..e5e8d59bf7 100644
--- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
+++ b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
@@ -5,7 +5,7 @@ ms.assetid: 9da2fb57-f2ff-4fce-a858-4ae4c237b5aa
keywords: deploy, deployment, configure, customize, install, installation
ms.prod: w10
ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus
@@ -329,7 +329,7 @@ The steps below walk you through the process of editing the Windows 10 referenc
5. State Restore / Custom Tasks (Pre-Windows Update). Add a new Install Roles and Features action with the following settings:
1. Name: Install - Microsoft NET Framework 3.5.1
- 2. Select the operating system for which roles are to be installed: Windows 8.1
+ 2. Select the operating system for which roles are to be installed: Windows 10
3. Select the roles and features that should be installed: .NET Framework 3.5 (includes .NET 2.0 and 3.0)
**Important**
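Review bot: In step 5, the action name in the context line, "Install - Microsoft NET Framework 3.5.1", does not match the feature selected two lines below it, ".NET Framework 3.5 (includes .NET 2.0 and 3.0)", and is missing the leading dot in ".NET". Since this hunk already updates the step for Windows 10, please confirm whether the name should change as well, and keep it consistent with any later step or screenshot in the topic that refers to this action by name.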
@@ -471,7 +471,7 @@ In MDT, the x86 boot image can deploy both x86 and x64 operating systems (except
### Update the deployment share
-After the deployment share has been configured, it needs to be updated. This is the process when the Windows Windows PE boot images are created.
+After the deployment share has been configured, it needs to be updated. This is the process when the Windows PE boot images are created.
1. Using the Deployment Workbench, right-click the **MDT Build Lab deployment share** and select **Update Deployment Share**.
2. Use the default options for the Update Deployment Share Wizard.
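Review bot: The corrected sentence "This is the process when the Windows PE boot images are created." still reads awkwardly after the doubled "Windows" is removed. Suggest "Updating the deployment share is what creates the Windows PE boot images." so the reader understands why step 1 is required.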
@@ -566,7 +566,7 @@ SkipFinalSummary=YES
The easiest way to find the current time zone name on a Windows 10 machine is to run tzutil /g in a command prompt. You can also run tzutil /l to get a listing of all available time zone names.
- **JoinWorkgroup.** Configures Windows to join a workgroup.
-- **HideShell.** Hides the Windows Shell during deployment. This is especially useful for Windows 8.1 deployments in which the deployment wizard will otherwise appear behind the tiles.
+- **HideShell.** Hides the Windows Shell during deployment. This is especially useful for Windows 10 deployments in which the deployment wizard will otherwise appear behind the tiles.
- **FinishAction.** Instructs MDT what to do when the task sequence is complete.
- **DoNotCreateExtraPartition.** Configures the task sequence not to create the extra partition for BitLocker. There is no need to do this for your reference image.
- **WSUSServer.** Specifies which Windows Server Update Services (WSUS) server (and port, if needed) to use during the deployment. Without this option MDT will use Microsoft Update directly, which will increase deployment time and limit your options of controlling which updates are applied.
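Review bot: In the HideShell bullet, replacing "Windows 8.1" with "Windows 10" leaves the rationale "the deployment wizard will otherwise appear behind the tiles" unchanged, and that reason was written about the Windows 8.1 Start screen. Please confirm the behavior on Windows 10 and, if it differs, reword the reason rather than only swapping the version number.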
diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
index 7249255dfd..f98e4c4744 100644
--- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
@@ -5,7 +5,7 @@ ms.assetid: 1d70a3d8-1b1d-4051-b656-c0393a93f83c
keywords: deployment, automate, tools, configure
ms.prod: w10
ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus
diff --git a/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md
index def335f1b1..ea7feeecfa 100644
--- a/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md
+++ b/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md
@@ -5,7 +5,7 @@ ms.assetid: 837f009c-617e-4b3f-9028-2246067ee0fb
keywords: deploy, tools, configure, script
ms.prod: w10
ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
ms.sitesec: library
author: mtniehaus
ms.pagetype: mdt
diff --git a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md
index b27fa998b0..a954a1ef62 100644
--- a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md
+++ b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md
@@ -5,7 +5,7 @@ ms.assetid: a256442c-be47-4bb9-a105-c831f58ce3ee
keywords: deploy, image, feature, install, tools
ms.prod: w10
ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus
diff --git a/windows/deployment/deploy-windows-mdt/integrate-configuration-manager-with-mdt.md b/windows/deployment/deploy-windows-mdt/integrate-configuration-manager-with-mdt.md
index 859c8043e2..84f0f4a09e 100644
--- a/windows/deployment/deploy-windows-mdt/integrate-configuration-manager-with-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/integrate-configuration-manager-with-mdt.md
@@ -5,7 +5,7 @@ ms.assetid: 3bd1cf92-81e5-48dc-b874-0f5d9472e5a5
ms.pagetype: mdt
keywords: deploy, image, customize, task sequence
ms.prod: w10
-localizationpriority: high
+ms.localizationpriority: high
ms.mktglfcycl: deploy
ms.sitesec: library
author: mtniehaus
diff --git a/windows/deployment/deploy-windows-mdt/key-features-in-mdt.md b/windows/deployment/deploy-windows-mdt/key-features-in-mdt.md
index b7b5b506bc..7cef6c1c1c 100644
--- a/windows/deployment/deploy-windows-mdt/key-features-in-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/key-features-in-mdt.md
@@ -5,7 +5,7 @@ ms.assetid: 858e384f-e9db-4a93-9a8b-101a503e4868
keywords: deploy, feature, tools, upgrade, migrate, provisioning
ms.prod: w10
ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus
diff --git a/windows/deployment/deploy-windows-mdt/mdt-lite-touch-components.md b/windows/deployment/deploy-windows-mdt/mdt-lite-touch-components.md
index f4e26d87e0..c681e75dfc 100644
--- a/windows/deployment/deploy-windows-mdt/mdt-lite-touch-components.md
+++ b/windows/deployment/deploy-windows-mdt/mdt-lite-touch-components.md
@@ -5,7 +5,7 @@ ms.assetid: 7d6fc159-e338-439e-a2e6-1778d0da9089
keywords: deploy, install, deployment, boot, log, monitor
ms.prod: w10
ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus
diff --git a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
index 31098f8dce..7aa852d395 100644
--- a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
@@ -5,7 +5,7 @@ ms.assetid: 5103c418-0c61-414b-b93c-a8e8207d1226
keywords: deploy, system requirements
ms.prod: w10
ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus
diff --git a/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md b/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md
index b2f30e6e6d..f142ee7e3f 100644
--- a/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md
+++ b/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md
@@ -5,7 +5,7 @@ ms.assetid: 2866fb3c-4909-4c25-b083-6fc1f7869f6f
keywords: reinstallation, customize, template, script, restore
ms.prod: w10
ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus
diff --git a/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md b/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
index aeae4e9b05..88573ebf1d 100644
--- a/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
+++ b/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
@@ -5,7 +5,7 @@ ms.assetid: acf091c9-f8f4-4131-9845-625691c09a2a
keywords: deploy, deployment, replace
ms.prod: w10
ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus
diff --git a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
index 48879c632c..9f0765935d 100644
--- a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
+++ b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
@@ -5,7 +5,7 @@ description:
keywords: disk, encryption, TPM, configure, secure, script
ms.prod: w10
ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus
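Review bot: The hunk header for this file shows a bare `description:` line in the front matter. Since the metadata block is being edited anyway, fill in a description for the BitLocker topic in the same pass so the page does not publish with empty summary metadata.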
diff --git a/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md b/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md
index 815df1eb56..aa93bb9261 100644
--- a/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md
+++ b/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md
@@ -5,7 +5,7 @@ ms.assetid: 2de86c55-ced9-4078-b280-35e0329aea9c
keywords: deploy, script
ms.prod: w10
ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus
diff --git a/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md b/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md
index 7b7aedc7f7..8b4ca7e777 100644
--- a/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md
@@ -5,7 +5,7 @@ ms.assetid: 68302780-1f6f-4a9c-9407-b14371fdce3f
keywords: web services, database
ms.prod: w10
ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus
diff --git a/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md b/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md
index 8c3f5e61f8..7a24e08ad7 100644
--- a/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md
+++ b/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md
@@ -6,7 +6,7 @@ ms.pagetype: mdt
keywords: database, permissions, settings, configure, deploy
ms.prod: w10
ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
ms.sitesec: library
author: mtniehaus
---
diff --git a/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md b/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md
index 73848f2618..3dea162597 100644
--- a/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md
@@ -5,7 +5,7 @@ ms.assetid: 8f47535e-0551-4ccb-8f02-bb97539c6522
keywords: deploy, web apps
ms.prod: w10
ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
ms.pagetype: mdt
ms.sitesec: library
author: mtniehaus
diff --git a/windows/deployment/deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md
index e98fea9e6f..35bf254314 100644
--- a/windows/deployment/deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md
@@ -5,7 +5,7 @@ ms.assetid: 77f769cc-1a47-4f36-8082-201cd77b8d3b
keywords: image, deploy, distribute
ms.prod: w10
ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
ms.sitesec: library
author: mtniehaus
---
diff --git a/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
index 275852e418..c7900eb237 100644
--- a/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
@@ -4,7 +4,7 @@ description: In this topic, you will learn how to configure the Windows Preinsta
ms.assetid: 97b3ea46-28d9-407e-8c42-ded2e45e8d5c
keywords: deploy, task sequence
ms.prod: w10
-localizationpriority: high
+ms.localizationpriority: high
ms.mktglfcycl: deploy
ms.sitesec: library
author: mtniehaus
diff --git a/windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
index 8bc4b7fb7e..162a079354 100644
--- a/windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
@@ -5,7 +5,7 @@ ms.assetid: b9e96974-324d-4fa4-b0ce-33cfc49c4809
keywords: tool, customize, deploy, boot image
ms.prod: w10
ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
ms.sitesec: library
author: mtniehaus
---
diff --git a/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
index 2ecea45145..ad81044f04 100644
--- a/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
@@ -4,7 +4,7 @@ description: Microsoft System Center 2012 R2 Configuration Manager supports depl
ms.assetid: 2dfb2f39-1597-4999-b4ec-b063e8a8c90c
keywords: deployment, task sequence, custom, customize
ms.prod: w10
-localizationpriority: high
+ms.localizationpriority: high
ms.mktglfcycl: deploy
ms.sitesec: library
author: mtniehaus
diff --git a/windows/deployment/deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md b/windows/deployment/deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md
index bfbb8af872..16a4af055b 100644
--- a/windows/deployment/deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md
@@ -5,7 +5,7 @@ ms.assetid: fb93f514-5b30-4f4b-99dc-58e6860009fa
keywords: deployment, image, UEFI, task sequence
ms.prod: w10
ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
ms.sitesec: library
author: mtniehaus
---
diff --git a/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md b/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md
index 95c5db41d0..dd501cd667 100644
--- a/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md
@@ -4,7 +4,7 @@ description: If you have Microsoft System Center 2012 R2 Configuration Manager
ms.assetid: eacd7b7b-dde0-423d-97cd-29bde9e8b363
keywords: deployment, custom, boot
ms.prod: w10
-localizationpriority: high
+ms.localizationpriority: high
ms.mktglfcycl: deploy
ms.sitesec: library
author: mtniehaus
diff --git a/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
index d7f678277e..52181700d5 100644
--- a/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
@@ -4,7 +4,7 @@ description: This topic walks you through the steps to finalize the configuratio
ms.assetid: 38b55fa8-e717-4689-bd43-8348751d493e
keywords: configure, deploy, upgrade
ms.prod: w10
-localizationpriority: high
+ms.localizationpriority: high
ms.mktglfcycl: deploy
ms.sitesec: library
author: mtniehaus
diff --git a/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md
index 770ff5a251..efc87d2fab 100644
--- a/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md
@@ -5,7 +5,7 @@ ms.assetid: 4863c6aa-6369-4171-8e1a-b052ca195fce
keywords: deploy, upgrade
ms.prod: w10
ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
ms.sitesec: library
author: mtniehaus
---
diff --git a/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
index 2b6360a89e..f005cca535 100644
--- a/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
@@ -4,7 +4,7 @@ description: This topic will walk you through the process of integrating Microso
ms.assetid: 06e3a221-31ef-47a5-b4da-3b927cb50d08
keywords: install, configure, deploy, deployment
ms.prod: w10
-localizationpriority: high
+ms.localizationpriority: high
ms.mktglfcycl: deploy
ms.sitesec: library
author: mtniehaus
diff --git a/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
index e872322669..1bd55885aa 100644
--- a/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
@@ -5,7 +5,7 @@ ms.assetid: 57c81667-1019-4711-b3de-15ae9c5387c7
keywords: upgrade, install, installation, computer refresh
ms.prod: w10
ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
ms.sitesec: library
author: mtniehaus
---
diff --git a/windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
index 4ff7b936bf..d77f096553 100644
--- a/windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
@@ -5,7 +5,7 @@ ms.assetid: 3c8a2d53-8f08-475f-923a-bca79ca8ac36
keywords: upgrade, install, installation, replace computer, setup
ms.prod: w10
ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
ms.sitesec: library
author: mtniehaus
---
diff --git a/windows/deployment/deploy.md b/windows/deployment/deploy.md
index 429f29de1a..aa4243f2cf 100644
--- a/windows/deployment/deploy.md
+++ b/windows/deployment/deploy.md
@@ -5,7 +5,7 @@ ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
-localizationpriority: high
+ms.localizationpriority: high
author: greg-lindsay
---
diff --git a/windows/deployment/images/al01.png b/windows/deployment/images/al01.png
new file mode 100644
index 0000000000..b779b59ac9
Binary files /dev/null and b/windows/deployment/images/al01.png differ
diff --git a/windows/deployment/images/al02.png b/windows/deployment/images/al02.png
new file mode 100644
index 0000000000..6d2216a377
Binary files /dev/null and b/windows/deployment/images/al02.png differ
diff --git a/windows/deployment/index.md b/windows/deployment/index.md
index 1705124e4a..7d139ec69e 100644
--- a/windows/deployment/index.md
+++ b/windows/deployment/index.md
@@ -5,7 +5,7 @@ ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
-localizationpriority: high
+ms.localizationpriority: high
author: greg-lindsay
---
@@ -17,8 +17,8 @@ Learn about deployment in Windows 10 for IT professionals. This includes deploy
|------|------------|
|[What's new in Windows 10 deployment](deploy-whats-new.md) |See this topic for a summary of new features and some recent changes related to deploying Windows 10 in your organization. |
|[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) |To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task. |
-|[Windows 10 Enterprise E3 in CSP overview](deploy-whats-new.md) |Windows 10 Enterprise E3 in CSP is a new offering that delivers, by subscription, exclusive features reserved for Windows 10 Enterprise edition. |
-|[Resolve Windows 10 upgrade errors](windows-10-enterprise-e3-overview.md) |This topic provides a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. |
+|[Windows 10 Subscription Activation](windows-10-enterprise-subscription-activation.md) |Windows 10 Enterprise has traditionally been sold as on premises software, however, with Windows 10 version 1703 (also known as the Creator’s Update), both Windows 10 Enterprise E3 and Windows 10 Enterprise E5 are available as true online services via subscription. You can move from Windows 10 Pro to Windows 10 Enterprise with no keys and no reboots. If you are using a Cloud Service Providers (CSP) see the related topic: [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md). |
+|[Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) |This topic provides a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. |
## Deploy Windows 10
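Review bot: The description in the new Windows 10 Subscription Activation row needs a copy edit: "Creator’s Update" should be "Creators Update", "sold as on premises software, however, with" should be split and hyphenated ("sold as on-premises software. However, with ..."), and "If you are using a Cloud Service Providers (CSP) see the related topic" should read "If you are using a Cloud Service Provider (CSP), see the related topic". The cell is also far longer than the neighboring rows; one or two sentences would keep the table readable. The corrected target on the Resolve Windows 10 upgrade errors row, `upgrade/resolve-windows-10-upgrade-errors.md`, fixes what was a mislinked row.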
@@ -27,6 +27,7 @@ Windows 10 upgrade options are discussed and information is provided about plann
|Topic |Description |
|------|------------|
+|[Overview of Windows AutoPilot](windows-10-auto-pilot.md) |Windows AutoPilot deployment is a new cloud service from Microsoft that provides a zero touch experience for deploying Windows 10 devices. |
|[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) |This topic provides information about support for upgrading directly to Windows 10 from a previous operating system. |
|[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) |This topic provides information about support for upgrading from one edition of Windows 10 to another. |
|[Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows telemetry enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. |
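Review bot: In the added Windows AutoPilot row, "zero touch experience" should be hyphenated as "zero-touch experience", matching the "zero-touch-installation" topic name that appears elsewhere in this change set. "a new cloud service" will also date quickly; consider dropping "new".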
diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md
index 1cc9702d45..c87802238e 100644
--- a/windows/deployment/mbr-to-gpt.md
+++ b/windows/deployment/mbr-to-gpt.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
-localizationpriority: high
+ms.localizationpriority: high
---
# MBR2GPT.EXE
diff --git a/windows/deployment/planning/change-history-for-plan-for-windows-10-deployment.md b/windows/deployment/planning/change-history-for-plan-for-windows-10-deployment.md
index ec9afa1603..a86caa380f 100644
--- a/windows/deployment/planning/change-history-for-plan-for-windows-10-deployment.md
+++ b/windows/deployment/planning/change-history-for-plan-for-windows-10-deployment.md
@@ -75,7 +75,7 @@ The topics in this library have been updated for Windows 10, version 1607 (also
## Related topics
-[Change history for What's new in Windows 10](/windows/whats-new/change-history-for-what-s-new-in-windows-10.md)
+[Change history for What's new in Windows 10](/windows/whats-new/change-history-for-what-s-new-in-windows-10)
[Change history for Deploy Windows 10](../change-history-for-deploy-windows-10.md)
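Review bot: The first Related topics link now drops the `.md` extension while the link directly below it, `../change-history-for-deploy-windows-10.md`, keeps it. If the extension is removed because `/windows/whats-new/...` is an absolute path into a different doc set, state that in the commit message so the inconsistency is not "fixed" back later; otherwise keep both links in the same form. Please verify that the new target resolves in a staging build.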
diff --git a/windows/deployment/planning/index.md b/windows/deployment/planning/index.md
index 2448b16d8b..dc4c8029ca 100644
--- a/windows/deployment/planning/index.md
+++ b/windows/deployment/planning/index.md
@@ -6,7 +6,7 @@ keywords: deploy, upgrade, update, configure
ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library
-localizationpriority: high
+ms.localizationpriority: high
author: TrudyHa
---
diff --git a/windows/deployment/planning/windows-10-compatibility.md b/windows/deployment/planning/windows-10-compatibility.md
index 2ce0b1abdd..9768a7c1f6 100644
--- a/windows/deployment/planning/windows-10-compatibility.md
+++ b/windows/deployment/planning/windows-10-compatibility.md
@@ -6,7 +6,7 @@ keywords: deploy, upgrade, update, appcompat
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
-localizationpriority: high
+ms.localizationpriority: high
ms.sitesec: library
author: mtniehaus
---
diff --git a/windows/deployment/planning/windows-10-deployment-considerations.md b/windows/deployment/planning/windows-10-deployment-considerations.md
index 9ddd7ab954..a9cee6bc13 100644
--- a/windows/deployment/planning/windows-10-deployment-considerations.md
+++ b/windows/deployment/planning/windows-10-deployment-considerations.md
@@ -4,7 +4,7 @@ description: There are new deployment options in Windows 10 that help you simpl
ms.assetid: A8DD6B37-1E11-4CD6-B588-92C2404219FE
keywords: deploy, upgrade, update, in-place
ms.prod: w10
-localizationpriority: high
+ms.localizationpriority: high
ms.mktglfcycl: plan
ms.sitesec: library
author: mtniehaus
diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md
index 60a48fef2f..69ba2f2170 100644
--- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md
+++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md
@@ -4,7 +4,7 @@ description: Get answers to common questions around compatibility, installation,
keywords: Windows 10 Enterprise, download, system requirements, drivers, appcompat, manage udpates, Windows as a service, servicing branches, deployment tools
ms.prod: w10
ms.mktglfcycl: plan
-localizationpriority: high
+ms.localizationpriority: high
ms.sitesec: library
author:
---
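Review bot: Two front-matter problems are visible in this hunk's context lines and should be fixed in the same pass as the `ms.localizationpriority` rename: the keywords value contains the typo "manage udpates" (should be "manage updates"), and the `author:` key is empty.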
diff --git a/windows/deployment/planning/windows-10-infrastructure-requirements.md b/windows/deployment/planning/windows-10-infrastructure-requirements.md
index f886d6391f..a99af27a4e 100644
--- a/windows/deployment/planning/windows-10-infrastructure-requirements.md
+++ b/windows/deployment/planning/windows-10-infrastructure-requirements.md
@@ -5,7 +5,7 @@ ms.assetid: B0FA27D9-A206-4E35-9AE6-74E70748BE64
keywords: deploy, upgrade, update, hardware
ms.prod: w10
ms.mktglfcycl: plan
-localizationpriority: high
+ms.localizationpriority: high
ms.sitesec: library
author: mtniehaus
---
diff --git a/windows/deployment/update/change-history-for-update-windows-10.md b/windows/deployment/update/change-history-for-update-windows-10.md
index 3af0220b18..8051af1421 100644
--- a/windows/deployment/update/change-history-for-update-windows-10.md
+++ b/windows/deployment/update/change-history-for-update-windows-10.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
ms.author: daniha
-ms.date: 05/16/2017
+ms.date: 07/27/2017
---
# Change history for Update Windows 10
@@ -15,6 +15,10 @@ This topic lists new and updated topics in the [Update Windows 10](index.md) doc
>If you're looking for **update history** for Windows 10, see [Windows 10 and Windows Server 2016 update history](https://support.microsoft.com/help/12387/windows-10-update-history).
+## July 2017
+
+All topics were updated to reflect the new [naming changes](waas-overview.md#naming-changes).
+
## May 2017
| New or changed topic | Description |
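Review bot: The new "July 2017" entry records only the naming changes, but this same commit adds three topics under windows/deployment/update/ (device-health-get-started.md, device-health-monitor.md, device-health-using.md) that the change history does not list. Add them below the naming-changes sentence in a "New or changed topic | Description" table, as the May 2017 section does.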
diff --git a/windows/deployment/update/device-health-get-started.md b/windows/deployment/update/device-health-get-started.md
new file mode 100644
index 0000000000..eaf38c75d5
--- /dev/null
+++ b/windows/deployment/update/device-health-get-started.md
@@ -0,0 +1,180 @@
+---
+title: Get started with Device Health
+description: Configure Device Health in OMS to see statistics on frequency and causes of crashes of devices in your network.
+keywords: Device Health, oms, operations management suite, prerequisites, requirements, monitoring, crash, drivers
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+author: jaimeo
+---
+
+# Get started with Device Health
+
+This topic explains the steps necessary to configure your environment for Windows Analytics: Device Health.
+
+Steps are provided in sections that follow the recommended setup process:
+1. Ensure that [prerequisites](#device-health-prerequisites) are met.
+2. [Add Device Health](#add-device-health-to-microsoft-operations-management-suite) to Microsoft Operations Management Suite.
+3. [Deploy your Commercial ID](#deploy-your-commercial-id-to-your-windows-10-devices and set the telemetry level) to your organization’s devices.
+
+## Device Health prerequisites
+
+Device Health has the following requirements:
+1. Device Health is currently only compatible with Windows 10 devices. The solution is intended to be used with desktop devices (Windows 10 workstations and laptops).
+2. The solution requires that at least the [enhanced level of telemetry](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#basic-level) is enabled on all devices that are intended to be displayed in the solution. To learn more about Windows telemetry, see [Configure Windows telemetry in your organization](/windows/configuration/configure-windows-telemetry-in-your-organization).
+3. The telemetry of your organization’s Windows devices must be successfully transmitted to Microsoft. Microsoft has specified [endpoints for each of the telemetry services](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#endpoints), which must be whitelisted by your organization so the data can be transmitted. The following table is taken from the article on telemetry endpoints and summarizes the use of each endpoint:
+
+Service | Endpoint
+--- | ---
+Connected User Experience and Telemetry component | v10.vortex-win.data.microsoft.com settings-win.data.microsoft.com
+Windows Error Reporting | watson.telemetry.microsoft.com
+Online Crash Analysis | oca.telemetry.microsoft.com
+
+>[!NOTE]
+> If your deployment includes devices running Windows 10 versions prior to Windows 10, version 1703, you must **exclude** *authentication* for the endpoints listed in Step 3. Windows Error Reporting did not support authenticating proxies until Windows 10, version 1703. See [Configure Windows telemetry in your organization](/windows/configuration/configure-windows-telemetry-in-your-organization) for steps to exclude authentication for these endpoints.
+
+
+## Add Device Health to Microsoft Operations Management Suite
+
+Device Health is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premise and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/).
+
+**If you are already using OMS**, you’ll find Device Health in the Solutions Gallery. Select the **Device Health** tile in the gallery and then click **Add** on the solution's details page. Device Health is now visible in your workspace.
+
+**If you are not yet using OMS**, use the following steps to subscribe to OMS Device Health:
+
+1. Go to [Operations Management Suite](https://www.microsoft.com/en-us/cloud-platform/operations-management-suite) on Microsoft.com and click **Sign in**.
+ [](images/uc-02.png)
+
+
+2. Sign in to Operations Management Suite (OMS). You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS.
+ [](images/uc-03.png)
+
+
+3. Create a new OMS workspace.
+
+ [](images/uc-04.png)
+
+4. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Click **Create**.
+
+ [](images/uc-05.png)
+
+5. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organization’s Azure administrator. If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. If you do not yet have an Azure subscription, follow [this guide](https://blogs.technet.microsoft.com/upgradeanalytics/2016/11/08/linking-operations-management-suite-workspaces-to-microsoft-azure/) to create and link an Azure subscription to an OMS workspace.
+
+ [](images/uc-06.png)
+
+6. To add Device Health to your workspace, go to the Solution Gallery, Select the **Device Health** tile and then select **Add** on the solution's detail page.
+
+ [](images/uc-08.png)
+
+7. Click the **Device Health** tile to configure the solution. The **Settings Dashboard** opens.
+
+ [](images/uc-09.png)
+
+
+
+After you have added Device Health and devices have a Commercial ID, you will begin receiving data. It will typically take 24-48 hours for the first data to begin appearing. The following section explains how to deploy your Commercial ID to your Windows 10 devices.
+
+>[!NOTE]
+>You can unsubscribe from the Device Health solution if you no longer want to monitor your organization’s devices. User device data will continue to be shared with Microsoft while the opt-in keys are set on user devices and the proxy allows traffic.
+
+## Deploy your Commercial ID to your Windows 10 devices and set the telemetry level
+
+In order for your devices to show up in Windows Analytics: Device Health, they must be configured with your organization’s Commercial ID. This is so that Microsoft knows that a given device is a member of your organization and to feed that device’s data back to you. There are two primary methods for widespread deployment of your Commercial ID: Group Policy and Mobile Device Management (MDM).
+
+- Using Group Policy
+ Deploying your Commercial ID using Group Policy can be accomplished by configuring domain Group Policy Objects with the Group Policy Management Editor, or by configuring local Group Policy using the Local Group Policy Editor.
+ 1. In the console tree, navigate to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**
+ 2. Double-click **Configure the Commercial ID**
+ 3. In the **Options** box, under **Commercial Id**, type the Commercial ID GUID, and then click **OK**.
+
+- Using Microsoft Mobile Device Management (MDM)
+Microsoft’s Mobile Device Management can be used to deploy your Commercial ID to your organization’s devices. The Commercial ID is listed under **Provider/ProviderID/CommercialID**. More information on deployment using MDM can be found [here](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dmclient-csp).
+
+## Perform checks to ensure and verify successful deployment
+
+While you're waiting for the initial data to populate, there are some configuration details it's worth confirming to ensure that the necessary data connections are set up properly.
+
+### Check for disabled Windows Error Reporting (WER)
+
+If WER is disabled or redirected on your Windows devices, then reliability information cannot be shown in Device Health.
+
+Check these Registry settings in **HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Error Reporting**:
+
+- Verify that the value "Disabled" (REG_DWORD), if set, is 0.
+- Verify that the value "DontSendAdditionalData" (REG_DWORD), if set, is 0.
+- Verify that the value "CorporateWERServer" (REG_SZ) is not configured.
+
+If you need further information on Windows Error Reporting (WER) settings, see [WER Settings](https://msdn.microsoft.com/library/windows/desktop/bb513638(v=vs.85).aspx).
+
+
+### Endpoint connectivity
+
+Devices must be able to reach the endpoints specified in the "Device Health prerequisites" section of this topic.
+
+>[!NOTE]
+> If your deployment includes devices running Windows 10 versions prior to Windows 10, version 1703, you must **exclude** *authentication* for the endpoints listed in Step 3 of the "Device Health prerequisites" section of this topic. Windows Error Reporting did not support authenticating proxies until Windows 10, version 1703. (If you need more information about telemetry endpoints and how to manage them, see [Configure Windows telemetry in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-telemetry-in-your-organization).
+
+If you are using proxy server authentication, it is worth taking extra care to check the configuration. Prior to Windows 10, version 1703, WER uploads error reports in the machine context. Both user (typically authenticated) and machine (typically anonymous) contexts require access through proxy servers to the diagnostic endpoints. In Windows 10, version 1703, and later WER will attempt to use the context of the user that is logged on for proxy authentication such that only the user account requires proxy access.
+
+Therefore, it's important to ensure that both machine and user accounts have access to the endpoints using authentication (or to whitelist the endpoints so that outbound proxy authentication is not required).
+
+To test access as a given user, you can run this Windows PowerShell cmdlet *while logged on as that user*:
+
+```powershell
+
+$endPoints = @(
+ 'v10.vortex-win.data.microsoft.com'
+ 'settings-win.data.microsoft.com'
+ 'watson.telemetry.microsoft.com'
+ 'oca.telemetry.microsoft.com'
+ 'vortex.data.microsoft.com'
+ )
+
+$endPoints | %{ Test-NetConnection -ComputerName $_ -Port 443 -ErrorAction Continue } | Select-Object -Property ComputerName,TcpTestSucceeded
+
+```
+
+If this is successful, `TcpTestSucceeded` should return `True` for each of the endpoints.
+
+To test access in the machine context (requires administrative rights), run the above as SYSTEM using PSexec or Task Scheduler, as in this example:
+
+```powershell
+
+[scriptblock]$accessTest = {
+ $endPoints = @(
+ 'v10.vortex-win.data.microsoft.com'
+ 'settings-win.data.microsoft.com'
+ 'watson.telemetry.microsoft.com'
+ 'oca.telemetry.microsoft.com'
+ 'vortex.data.microsoft.com'
+ )
+
+ $endPoints | %{ Test-NetConnection -ComputerName $_ -Port 443 -ErrorAction Continue } | Select-Object -Property ComputerName,TcpTestSucceeded
+}
+
+$scriptFullPath = Join-Path $env:ProgramData "TestAccessToMicrosoftEndpoints.ps1"
+$outputFileFullPath = Join-Path $env:ProgramData "TestAccessToMicrosoftEndpoints_Output.txt"
+$accessTest.ToString() > $scriptFullPath
+$null > $outputFileFullPath
+$taskAction = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-ExecutionPolicy Bypass -Command `"&{$scriptFullPath > $outputFileFullPath}`""
+$taskTrigger = New-ScheduledTaskTrigger -Once -At (Get-Date).Addseconds(10)
+$task = Register-ScheduledTask -User 'NT AUTHORITY\SYSTEM' -TaskName 'MicrosoftTelemetryAccessTest' -Trigger $taskTrigger -Action $taskAction -Force
+Start-Sleep -Seconds 120
+Unregister-ScheduledTask -TaskName $task.TaskName -Confirm:$false
+Get-Content $outputFileFullPath
+
+```
+
+As in the other example, if this is successful, `TcpTestSucceeded` should return `True` for each of the endpoints.
+
+
+
+
+
+
+
+## Related topics
+
+[Use Device Health to monitor frequency and causes of device crashes](device-health-using.md)
+For the latest information on Windows Analytics, including new features and usage tips, see the [Windows Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics)
\ No newline at end of file
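Review bot: The connectivity test in both PowerShell blocks does not check what the surrounding text says it checks. `Test-NetConnection -ComputerName $_ -Port 443` opens a direct TCP connection, so on networks where clients reach these endpoints only through an authenticating proxy it says nothing about whether the user or machine context can authenticate to that proxy. Either state that the test covers direct reachability only, or replace it with an HTTPS request that goes through the configured proxy. The SYSTEM variant also writes the script to `$env:ProgramData` and runs it with `-ExecutionPolicy Bypass` as `NT AUTHORITY\SYSTEM`; by default standard users can create files under ProgramData, so a directory that only administrators can write to is a safer home for a file SYSTEM will execute, and the script and output file should be deleted afterwards (the example removes only the scheduled task). The script lists `vortex.data.microsoft.com`, which is missing from the endpoint table in the prerequisites. Smaller points: the anchor in setup step 3 (`#deploy-your-commercial-id-to-your-windows-10-devices and set the telemetry level`) contains spaces and will not resolve; the section of that name gives no steps for setting the telemetry level; the "enhanced level of telemetry" link targets `#basic-level`; the two Connected User Experience endpoints share one table cell with no separator; the parenthesis opened before "If you need more information about telemetry endpoints" is never closed; the file ends without a newline.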
diff --git a/windows/deployment/update/device-health-monitor.md b/windows/deployment/update/device-health-monitor.md
new file mode 100644
index 0000000000..f620c80953
--- /dev/null
+++ b/windows/deployment/update/device-health-monitor.md
@@ -0,0 +1,65 @@
+---
+title: Monitor the health of devices with Device Health
+description: You can use Device Health in OMS to monitor the frequency and causes of crashes and misbehaving apps on devices in your network.
+keywords: oms, operations management suite, wdav, health, log analytics
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+author: jaimeo
+---
+
+# Monitor the health of devices with Device Health
+
+## Introduction
+
+Device Health is the newest Windows Analytics solution that complements the existing Upgrade Readiness and Update Compliance solutions by providing IT with reports on some common problems the end users might experience so they can be proactively remediated, thus saving support calls and improving end-user productivity.
+
+Like Upgrade Readiness and Update Compliance, Device Health is a solution built within Operations Management Suite (OMS), a cloud-based monitoring and automation service that has a flexible servicing subscription based on data usage and retention. This preview release is free for customers to try and will not incur charges on your OMS workspace for its use. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/).
+
+Device Health uses Windows diagnostic data that is part of all Windows 10 devices. If you have already employed Upgrade Readiness or Update Compliance solutions, all you need to do is select Device Health (preview) from the OMS solution gallery and add it to your OMS workspace. Device Health requires enhanced telemetry, so you might need to implement this policy if you've not already done so.
+
+
+Device Health provides the following:
+
+- Identification of devices that crash frequently, and therefore might need to be rebuilt or replaced
+- Identification of device drivers that are causing device crashes, with suggestions of alternative versions of those drivers that might reduce the number of crashes
+- Notification of Windows Information Protection misconfigurations that send prompts to end users
+- No need for new complex customized infrastructure, thanks to cloud-connected access using Windows 10 telemetry
+
+See the following topics in this guide for detailed information about configuring and using the Device Health solution:
+
+- [Get started with Device Health](device-health-get-started.md): How to add Device Health to your environment.
+- [Using Device Health](device-health-using.md): How to begin using Device Health.
+
+An overview of the processes used by the Device Health solution is provided below.
+
+## Device Health architecture
+
+The Device Health architecture and data flow is summarized by the following five-step process:
+
+
+
+**(1)** User computers send telemetry data to a secure Microsoft data center using the Microsoft Data Management Service.
+**(2)** Telemetry data is analyzed by the Microsoft Telemetry Service.
+**(3)** Telemetry data is pushed from the Microsoft Telemetry Service to your OMS workspace.
+**(4)** Telemetry data is available in the Device Health solution.
+**(5)** You are now able to proactively monitor Device Health issues in your environment.
+
+These steps are illustrated in following diagram:
+
+ [](images/analytics-architecture.png)
+
+>[!NOTE]
+>This process assumes that Windows telemetry is enabled and you [have assigned your Commercial ID to devices](update-compliance-get-started.md#deploy-your-commercial-id-to-your-windows-10-devices).
+
+
+
+
+## Related topics
+
+[Get started with Device Health](device-health-get-started.md)
+
+[Use Device Health to monitor frequency and causes of device crashes](device-health-using.md)
+
+For the latest information on Windows Analytics, including new features and usage tips, see the [Windows Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics)
\ No newline at end of file
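Review bot: The note under the architecture diagram links to `update-compliance-get-started.md#deploy-your-commercial-id-to-your-windows-10-devices`, although this commit adds the equivalent Commercial ID section to device-health-get-started.md; point the link at the Device Health topic so readers stay within this guide. The OMS overview link uses `http://azure.microsoft.com/...` where device-health-get-started.md uses `https://` for the same page. The keywords include `wdav`, which nothing in the topic relates to, so check whether it was carried over from another topic's front matter. The same target is linked as "Using Device Health" in the guide list and as "Use Device Health to monitor frequency and causes of device crashes" under Related topics; pick one. "These steps are illustrated in following diagram" is missing "the", and the file ends without a newline.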
diff --git a/windows/deployment/update/device-health-using.md b/windows/deployment/update/device-health-using.md
new file mode 100644
index 0000000000..9fa09d1431
--- /dev/null
+++ b/windows/deployment/update/device-health-using.md
@@ -0,0 +1,170 @@
+---
+title: Using Device Health
+description: Explains how to begin usihg Device Health.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+author: jaimeo
+---
+
+# Using Device Health
+
+This section describes how to use Device Health to monitor devices deployed on your network and troubleshoot the causes if they crash.
+
+
+Device Health provides IT Pros with reports on some common problems that users might experience so that they can be proactively remediated. This decreases support calls and improves productivity.
+
+Device Health provides the following benefits:
+
+- Identification of devices that crash frequently and therefore might need to be rebuilt or replaced
+- Identification of device drivers that are causing device crashes, with suggestions of alternative versions of those drivers that might reduce the number of crashes
+- Notification of Windows Information Protection misconfigurations that send prompts to end users
+
+
+>[!NOTE]
+>Information is refreshed daily so that health status can be monitored. Changes will be displayed about 24-48 hours after their occurrence, so you always have a recent snapshot of your devices.
+
+In OMS, the aspects of a solution's dashboard are usually divided into blades. Blades are a slice of information, typically with a summarization tile and an enumeration of the items that makes up that data. All data is presented through queries. Perspectives are also possible, wherein a given query has a unique view designed to display custom data. The terminology of blades, tiles, and perspectives will be used in the sections that follow.
+
+
+## Device Reliability
+
+- [Frequently Crashing Devices](#frequently-crashing-devices)
+- [Driver-Induced OS Crashes](#driver--induced-OS-crashes)
+
+
+
+### Frequently Crashing Devices
+
+This middle blade in Device Reliability displays the devices that have crashed the most often in the last week. This can help you identify unhealthy devices that might need to be rebuilt or replaced.
+
+See the following example:
+
+
+
+
+Clicking the header of the Frequently Crashing Devices blade opens a reliability perspective view, where you can filter data (by using filters in the left pane), see trends, and compare to commercial averages:
+
+
+
+"Commercial averages" here refers to data collected from deployments with a mix of operating system versions and device models that is similar to yours. If your crash rate is higher, there are opportunities for improvement, for example by moving to newer driver versions.
+
+Notice the filters in the left pane; they allow you to filter the crash rate shown to a particular operating system version, device model, or other parameter.
+
+>[!NOTE]
+>Use caution when interpreting results filtered by model or operating system version. This is very useful for troubleshooting, but might not be accurate for *comparisons* because the crashes displayed could be of different types. The overall goal for working with crash data is to ensure that most devices have the same driver versions and that that version has a low crash rate.
+
+>[!TIP]
+>Once you've applied a filter (for example setting OSVERSION=1607) you will see the query in the text box change to append the filter (for example, with “(OSVERSION=1607)”). To undo the filter, remove that part of the query in the text box and click the search button to the right of the text box to run the adjusted query.”
+
+
+If you click through a particular device from the view blade or from the Device Reliability perspective, it will take you to the Crash History perspective for that device.
+
+
+
+This displays device records sorted by date and crash details by failure ID, also sorted by date. In this view are a number of useful items:
+
+- Crash history records by date, aggregated by Failure ID. The Failure ID is an internal number that is used to group crashes that are related to each other. Eventually over time, you can use the Failure ID to provide additional info. If a crash was caused by driver, some driver fields will also be populated.
+
+- StopCode: this is hex value that would be displayed on a bluescreen if you were looking directly at the affected device.
+
+- Count: the number times that particular Failure ID has occurred on that specific device *on that date*.
+
+
+
+
+### Driver-Induced OS Crashes
+
+This blade (on the right) displays drivers that have caused the most devices to crash in the last two weeks. If your crash rate is high, you can reduce the overall operating system crashes in your deployment by upgrading those drivers with a high crash rate.
+
+
+
+
+Clicking a listed driver on the Driver-Induced OS Crashes blade opens a driver perspective view, which shows the details for the responsible driver, trends and commercial averages for that driver, and alternative versions of the driver.
+
+
+
+
+The driver version table can help you determine whether deploying a newer version of the driver might help you reduce the crash rate. In the example shown above, the most commonly installed driver version (19.15.1.5) has a crash rate of about one-half of one percent--this is low, so this driver is probably fine. However, driver version 19.40.0.3 has a crash rate of almost 20%. If that driver had been widely deployed, updating it would substantially reduce the overal number of crashes in your organization.
+
+
+
+
+
+## Windows Information Protection
+
+
+Windows Information Protection (WIP) helps protect work data from accidental sharing. Users might be disrupted if WIP rules are not aligned with real work behavior. WIP App Learning shows which apps on which computers are attempting to cross policy boundaries.
+
+For details about deploying WIP policies, see [Protect your enterprise data using Windows Information Protection (WIP)](https://docs.microsoft.com/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip).
+
+Once you have WIP policies in place, by using the WIP section of Device Health, you can:
+
+- Reduce disruptive prompts by adding rules to allow data sharing from approved apps.
+- Tune WIP rules, for example by confirming that certain apps are allowed or disallowed by current policy.
+
+
+
+
+
+Clicking through the **APP LEARNING** tile shows details of app statistics that you can use to explore each incident and update app policies by using AppLocker or WIP AppIDs.
+
+
+
+In this chart view, you can click a particular app listing, which will open additional details on the app in question, including details you need to adjust your Windows Information Protection Policy:
+
+
+
+Here you can copy the WipAppid and use that for adjusting the WIP policy.
+
+## Data model and OMS built-in extensibility
+
+All of the views and blades display slices of the most useful data by using pre-formed queries. You have access to the full set of data collected by Device Health, which means you can construct your own queries to expose any data that is of interest to you. For documentation on working with log searches, see [Find data using log searches](https://docs.microsoft.com/azure/log-analytics/log-analytics-log-searches). This topic section provides information about the data types being populated specifically by Device Health.
+
+### Example queries
+
+You can run these queries from the OMS **Log Search** interface (available at several points in the Device Health interface) by just typing them in. There are few details to be aware of:
+
+- After running a query, make sure to set the date range (which appears upper left after running initial query) to "7 days" to ensure you get data back.
+- If you see the search tutorial dialog appearing frequently, it's likely because you are have read-only access to the OMS workspace. Ask a workspace administrator to grant you "contributor" permissions (which is required for the "completed tutorial" state to persist).
+- If you use the search filters in the left pane, you might notice there is no control to undo a filter selection. To undo a selection, delete the (FilterName="FilterValue") element that is appended to the search query and then click the search button again. For example, after you run a base query of *Type = DHOSReliability KernelModeCrashCount > 0*, a number of filter options appear on the left. If you then filter on **Manufacturer** (for example, by setting *Manufacturer="Microsoft Corporation"* and then clicking **Apply**), the query will change to *Type = DHOSReliability KernelModeCrashCount > 0 (Manufacturer="Microsoft Corporation")*. Delete *(Manufacturer="Microsoft Corporation")* and then click the **search** button again to re-run the query without that filter.
+
+### Device reliability query examples
+
+|Data|Query|
+|-------------------|------------------------|
+|Total devices| Type = DHOSReliability \| measure countdistinct(ComputerID) by Type|
+|Number of devices that have crashed in the last three weeks| Type = DHOSReliability KernelModeCrashCount > 0 \| measure countdistinct(ComputerID) by Type|
+|Compare the percentage of your devices that have not crashed with the percentage of similar devices outside your organization ("similar" here means other commercial devices with the same mix of device models, operating system versions and update levels).| Type=DHOSReliability \| measure avg(map(KernelModeCrashCount, 1, 10000, 0, 1)) as MyOrgPercentCrashFreeDevices, avg(KernelModeCrashFreePercentForIndustry) as CommercialAvgPercentCrashFreeDevices by Type \| Display Table|
+|As above, but sorted by device manufacturer| Type=DHOSReliability \| measure avg(map(KernelModeCrashCount, 1, 10000, 0, 1)) as MyOrgPercentCrashFreeDevices, avg(KernelModeCrashFreePercentForIndustry) as CommercialAvgPercentCrashFreeDevices, countdistinct(ComputerID) as NumberDevices by Manufacturer \| sort NumberDevices desc \| Display Table|
+|As above, but sorted by model| Type=DHOSReliability \| measure avg(map(KernelModeCrashCount, 1, 10000, 0, 1)) as MyOrgPercentCrashFreeDevices, avg(KernelModeCrashFreePercentForIndustry) as CommercialAvgPercentCrashFreeDevices, countdistinct(ComputerID) as NumberDevices by ModelFamily\| sort NumberDevices desc \| Display Table|
+|As above, but sorted by operating system version| Type=DHOSReliability \| measure avg(map(KernelModeCrashCount, 1, 10000, 0, 1)) as MyOrgPercentCrashFreeDevices, avg(KernelModeCrashFreePercentForIndustry) as CommercialAvgPercentCrashFreeDevices, countdistinct(ComputerID) as NumberDevices by OSVersion \| sort NumberDevices desc \| Display Table|
+|Crash rate trending in my organization compared to the commercial average. Each interval shows percentage of devices that crashed at least once in the trailing two weeks| Type=DHOSReliability \| measure avg(map(KernelModeCrashCount, 1, 10000, 0, 1)) as MyOrgPercentCrashFreeDevices, avg(KernelModeCrashFreePercentForIndustry) as CommercialAvgPercentCrashFreeDevices by TimeGenerated \| Display LineChart|
+|Table of devices that have crashed the most in the last two weeks| Type = DHOSReliability KernelModeCrashCount > 0 \| Dedup ComputerID \| select Computer, KernelModeCrashCount \| sort TimeGenerated desc, KernelModeCrashCount desc \| Display Table|
+|Detailed crash records, most recent first| Type = DHOSCrashData \| sort TimeGenerated desc, Computer asc \| display Table|
+|Number of devices that crashed due to drivers| Type = DHDriverReliability DriverKernelModeCrashCount > 0 \| measure countdistinct(ComputerID) by Type|
+|Table of drivers that have caused the most devices to crash| Type = DHDriverReliability DriverKernelModeCrashCount > 0 \| measure countdistinct(ComputerID) by DriverName \| Display Table|
+|Trend of devices crashed by driver by day| * Type=DHOSCrashData DriverName!="ntkrnlmp.exe" DriverName IN {Type=DHOSCrashData \| measure count() by DriverName | top 5} \| measure countdistinct(ComputerID) as NumberDevices by DriverName interval 1day|
+|Crashes for different versions of a given driver (replace netwtw04.sys with the driver you want from the previous list). This lets you get an idea of which *versions* of a given driver work best with your devices| Type = DHDriverReliability DriverName="netwtw04.sys" \| Dedup ComputerID \| sort TimeGenerated desc \| measure countdistinct(ComputerID) as InstallCount, sum(map(DriverKernelModeCrashCount,1,10000, 1)) as DevicesCrashed by DriverVersion \| Display Table|
+|Top crashes by FailureID| Type =DHOSCrashData \| measure count() by KernelModeCrashFailureId \| Display Table|
+
+### Windows Information Protection (WIP) App Learning query examples
+
+|Data|Query|
+|-------------------|------------------------|
+|Apps encountering policy boundaries on the most computers (click on an app in the results to see details including computer names)| Type=DHWipAppLearning \| measure countdistinct(ComputerID) as ComputerCount by AppName|
+|Trend of App Learning activity for a given app. Useful for tracking activity before and after a rule change| Type=DHWipAppLearning AppName="MICROSOFT.SKYPEAPP" | measure countdistinct(ComputerID) as ComputerCount interval 1day|
+
+### Exporting data and configuring alerts
+
+OMS enables you to export data to other tools. To do this, in any view that shows **Log Search** just click the **Export** button. Similarly, clicking the **Alert** button will enable you to run a query automaticlaly on a schedule and receive email alerts for particular query results that you set. If you have a PowerBI account, then you will also see a **PowerBI** button that enables you to run a query on a schedule and have the results automatically saved as a PowerBI data set.
+
+
+
+
+## Related topics
+
+[Get started with Device Health](device-health-get-started.md)
+
+For the latest information on Windows Analytics, including new features and usage tips, see the [Windows Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics)
\ No newline at end of file
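Review bot: Two rows in the query tables contain an unescaped pipe and will break table rendering: `measure count() by DriverName | top 5}` in the "Trend of devices crashed by driver by day" row, and `AppName="MICROSOFT.SKYPEAPP" | measure ...` in the WIP App Learning table. Escape both as `\|` like the other rows. The driver-versions row calls `map(DriverKernelModeCrashCount,1,10000, 1)` with four arguments where every other row passes five, so confirm that query runs as written. The time windows disagree: the Frequently Crashing Devices blade text says "in the last week", the matching table row says "in the last two weeks", and the "Number of devices that have crashed" row says "last three weeks" for the same `Type = DHOSReliability KernelModeCrashCount > 0` filter. The `#driver--induced-OS-crashes` anchor has a doubled hyphen and capitals and is unlikely to resolve to the "Driver-Induced OS Crashes" heading. Typos: "usihg" in the description, "overal", "you are have", "automaticlaly", and a stray closing quote at the end of the TIP. The file ends without a newline.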
diff --git a/windows/deployment/update/images/WIP-detail.png b/windows/deployment/update/images/WIP-detail.png
new file mode 100644
index 0000000000..96b0a90280
Binary files /dev/null and b/windows/deployment/update/images/WIP-detail.png differ
diff --git a/windows/deployment/update/images/WIP.png b/windows/deployment/update/images/WIP.png
new file mode 100644
index 0000000000..ee7f30c014
Binary files /dev/null and b/windows/deployment/update/images/WIP.png differ
diff --git a/windows/deployment/update/images/WIP2-sterile.png b/windows/deployment/update/images/WIP2-sterile.png
new file mode 100644
index 0000000000..7cc35cde75
Binary files /dev/null and b/windows/deployment/update/images/WIP2-sterile.png differ
diff --git a/windows/deployment/update/images/WIP2.PNG b/windows/deployment/update/images/WIP2.PNG
new file mode 100644
index 0000000000..87255177e0
Binary files /dev/null and b/windows/deployment/update/images/WIP2.PNG differ
diff --git a/windows/deployment/update/images/WIPNEW1-chart-selected-sterile.png b/windows/deployment/update/images/WIPNEW1-chart-selected-sterile.png
new file mode 100644
index 0000000000..eb2cabdcfd
Binary files /dev/null and b/windows/deployment/update/images/WIPNEW1-chart-selected-sterile.png differ
diff --git a/windows/deployment/update/images/WIPNEW1.PNG b/windows/deployment/update/images/WIPNEW1.PNG
new file mode 100644
index 0000000000..29e14d5411
Binary files /dev/null and b/windows/deployment/update/images/WIPNEW1.PNG differ
diff --git a/windows/deployment/update/images/WIPNEW2-sterile.png b/windows/deployment/update/images/WIPNEW2-sterile.png
new file mode 100644
index 0000000000..1ee1148c8f
Binary files /dev/null and b/windows/deployment/update/images/WIPNEW2-sterile.png differ
diff --git a/windows/deployment/update/images/WIPNEW2.PNG b/windows/deployment/update/images/WIPNEW2.PNG
new file mode 100644
index 0000000000..af7a8c84b7
Binary files /dev/null and b/windows/deployment/update/images/WIPNEW2.PNG differ
diff --git a/windows/deployment/update/images/WIPNEWMAIN-sterile.png b/windows/deployment/update/images/WIPNEWMAIN-sterile.png
new file mode 100644
index 0000000000..5efc5250c1
Binary files /dev/null and b/windows/deployment/update/images/WIPNEWMAIN-sterile.png differ
diff --git a/windows/deployment/update/images/WIPNEWMAIN.PNG b/windows/deployment/update/images/WIPNEWMAIN.PNG
new file mode 100644
index 0000000000..b56da2b409
Binary files /dev/null and b/windows/deployment/update/images/WIPNEWMAIN.PNG differ
diff --git a/windows/deployment/update/images/WIPappID-sterile.png b/windows/deployment/update/images/WIPappID-sterile.png
new file mode 100644
index 0000000000..43bad68ed0
Binary files /dev/null and b/windows/deployment/update/images/WIPappID-sterile.png differ
diff --git a/windows/deployment/update/images/WIPappID.PNG b/windows/deployment/update/images/WIPappID.PNG
new file mode 100644
index 0000000000..49ea2bc99c
Binary files /dev/null and b/windows/deployment/update/images/WIPappID.PNG differ
diff --git a/windows/deployment/update/images/WIPmain.PNG b/windows/deployment/update/images/WIPmain.PNG
new file mode 100644
index 0000000000..adb905255d
Binary files /dev/null and b/windows/deployment/update/images/WIPmain.PNG differ
diff --git a/windows/deployment/update/images/analytics-architecture.png b/windows/deployment/update/images/analytics-architecture.png
new file mode 100644
index 0000000000..1b537c1c9b
Binary files /dev/null and b/windows/deployment/update/images/analytics-architecture.png differ
diff --git a/windows/deployment/update/images/app-detail.png b/windows/deployment/update/images/app-detail.png
new file mode 100644
index 0000000000..c06ced4864
Binary files /dev/null and b/windows/deployment/update/images/app-detail.png differ
diff --git a/windows/deployment/update/images/app-health-dashboard.png b/windows/deployment/update/images/app-health-dashboard.png
new file mode 100644
index 0000000000..d8daee44ed
Binary files /dev/null and b/windows/deployment/update/images/app-health-dashboard.png differ
diff --git a/windows/deployment/update/images/crash-hang-detail.png b/windows/deployment/update/images/crash-hang-detail.png
new file mode 100644
index 0000000000..3a6447329c
Binary files /dev/null and b/windows/deployment/update/images/crash-hang-detail.png differ
diff --git a/windows/deployment/update/images/dev-health-main-tile-sterile.png b/windows/deployment/update/images/dev-health-main-tile-sterile.png
new file mode 100644
index 0000000000..1619d8bf70
Binary files /dev/null and b/windows/deployment/update/images/dev-health-main-tile-sterile.png differ
diff --git a/windows/deployment/update/images/dev-health-main-tile.png b/windows/deployment/update/images/dev-health-main-tile.png
new file mode 100644
index 0000000000..850b558512
Binary files /dev/null and b/windows/deployment/update/images/dev-health-main-tile.png differ
diff --git a/windows/deployment/update/images/device-crash-history.png b/windows/deployment/update/images/device-crash-history.png
new file mode 100644
index 0000000000..69f98f1d67
Binary files /dev/null and b/windows/deployment/update/images/device-crash-history.png differ
diff --git a/windows/deployment/update/images/device-crash-history2-sterile.png b/windows/deployment/update/images/device-crash-history2-sterile.png
new file mode 100644
index 0000000000..18056ed801
Binary files /dev/null and b/windows/deployment/update/images/device-crash-history2-sterile.png differ
diff --git a/windows/deployment/update/images/device-crash-history2.PNG b/windows/deployment/update/images/device-crash-history2.PNG
new file mode 100644
index 0000000000..646afb4091
Binary files /dev/null and b/windows/deployment/update/images/device-crash-history2.PNG differ
diff --git a/windows/deployment/update/images/device-reliability.png b/windows/deployment/update/images/device-reliability.png
new file mode 100644
index 0000000000..af8bb1d247
Binary files /dev/null and b/windows/deployment/update/images/device-reliability.png differ
diff --git a/windows/deployment/update/images/device-reliability2-sterile.png b/windows/deployment/update/images/device-reliability2-sterile.png
new file mode 100644
index 0000000000..28fbf3725b
Binary files /dev/null and b/windows/deployment/update/images/device-reliability2-sterile.png differ
diff --git a/windows/deployment/update/images/device-reliability2.PNG b/windows/deployment/update/images/device-reliability2.PNG
new file mode 100644
index 0000000000..9af6d971b0
Binary files /dev/null and b/windows/deployment/update/images/device-reliability2.PNG differ
diff --git a/windows/deployment/update/images/driver-deeper-detail.png b/windows/deployment/update/images/driver-deeper-detail.png
new file mode 100644
index 0000000000..0437e555a1
Binary files /dev/null and b/windows/deployment/update/images/driver-deeper-detail.png differ
diff --git a/windows/deployment/update/images/driver-detail-1-sterile.png b/windows/deployment/update/images/driver-detail-1-sterile.png
new file mode 100644
index 0000000000..7dcd86366f
Binary files /dev/null and b/windows/deployment/update/images/driver-detail-1-sterile.png differ
diff --git a/windows/deployment/update/images/driver-detail-1.PNG b/windows/deployment/update/images/driver-detail-1.PNG
new file mode 100644
index 0000000000..deeb998493
Binary files /dev/null and b/windows/deployment/update/images/driver-detail-1.PNG differ
diff --git a/windows/deployment/update/images/driver-detail-2-sterile.png b/windows/deployment/update/images/driver-detail-2-sterile.png
new file mode 100644
index 0000000000..e5fa480c3e
Binary files /dev/null and b/windows/deployment/update/images/driver-detail-2-sterile.png differ
diff --git a/windows/deployment/update/images/driver-detail-2.PNG b/windows/deployment/update/images/driver-detail-2.PNG
new file mode 100644
index 0000000000..71f16697f5
Binary files /dev/null and b/windows/deployment/update/images/driver-detail-2.PNG differ
diff --git a/windows/deployment/update/images/driver-detail.png b/windows/deployment/update/images/driver-detail.png
new file mode 100644
index 0000000000..ab391f5adb
Binary files /dev/null and b/windows/deployment/update/images/driver-detail.png differ
diff --git a/windows/deployment/update/images/health-summary.png b/windows/deployment/update/images/health-summary.png
new file mode 100644
index 0000000000..906b0a2189
Binary files /dev/null and b/windows/deployment/update/images/health-summary.png differ
diff --git a/windows/deployment/update/images/login-health-detail-faillure.png b/windows/deployment/update/images/login-health-detail-faillure.png
new file mode 100644
index 0000000000..10b59a01d0
Binary files /dev/null and b/windows/deployment/update/images/login-health-detail-faillure.png differ
diff --git a/windows/deployment/update/images/login-health-detail.png b/windows/deployment/update/images/login-health-detail.png
new file mode 100644
index 0000000000..2d3871fc42
Binary files /dev/null and b/windows/deployment/update/images/login-health-detail.png differ
diff --git a/windows/deployment/update/images/login-health.png b/windows/deployment/update/images/login-health.png
new file mode 100644
index 0000000000..fd4f6740bd
Binary files /dev/null and b/windows/deployment/update/images/login-health.png differ
diff --git a/windows/deployment/update/images/reliability-perspective.png b/windows/deployment/update/images/reliability-perspective.png
new file mode 100644
index 0000000000..58e812dafa
Binary files /dev/null and b/windows/deployment/update/images/reliability-perspective.png differ
diff --git a/windows/deployment/update/images/reliability-perspective2.PNG b/windows/deployment/update/images/reliability-perspective2.PNG
new file mode 100644
index 0000000000..978cacc4f5
Binary files /dev/null and b/windows/deployment/update/images/reliability-perspective2.PNG differ
diff --git a/windows/deployment/update/index.md b/windows/deployment/update/index.md
index 4d6601fda8..01404a9781 100644
--- a/windows/deployment/update/index.md
+++ b/windows/deployment/update/index.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
ms.author: daniha
---
diff --git a/windows/deployment/update/waas-branchcache.md b/windows/deployment/update/waas-branchcache.md
index e284dc274b..98db5c9f8c 100644
--- a/windows/deployment/update/waas-branchcache.md
+++ b/windows/deployment/update/waas-branchcache.md
@@ -5,8 +5,9 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
ms.author: daniha
+ms.date: 07/27/2017
---
# Configure BranchCache for Windows 10 updates
@@ -53,7 +54,7 @@ In addition to these steps, there is one requirement for WSUS to be able to use
- [Overview of Windows as a service](waas-overview.md)
- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
-- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
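Review bot: The Related topics link is retargeted from `waas-servicing-branches-windows-10-updates.md` to `waas-servicing-channels-windows-10-updates.md`, and the same retarget repeats in the other waas-*.md topics touched by this patch. Confirm the renamed file is part of the change and that the old path gets a redirect; otherwise each of these lists carries a broken link and existing inbound links to the old topic stop resolving.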
diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md
index b41a060c96..d71fba917a 100644
--- a/windows/deployment/update/waas-configure-wufb.md
+++ b/windows/deployment/update/waas-configure-wufb.md
@@ -5,8 +5,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
ms.author: daniha
+ms.date: 07/27/2017
---
# Configure Windows Update for Business
@@ -19,6 +20,11 @@ ms.author: daniha
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+>[!IMPORTANT]
+>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products.
+>
+>In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel.
+
You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for Windows 10, version 1511 and above. The MDM policies use the OMA-URI setting from the [Policy CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx).
>[!IMPORTANT]
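Review bot: In the added IMPORTANT note, "CB,CBB and LTSB" is missing a space after the first comma. The identical two-sentence note is pasted into several topics in this patch, so the typo is repeated in each copy; if the docs build supports a shared include, a single include would let it be fixed once and keep the wording from drifting between topics.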
@@ -36,7 +42,7 @@ By grouping devices with similar deferral periods, administrators are able to cl
## Configure devices for Current Branch (CB) or Current Branch for Business (CBB)
-With Windows Update for Business, you can set a device to be on either the Current Branch (CB) or the Current Branch for Business (CBB) servicing branch. For more information on this servicing model, see [Windows 10 servicing options](waas-overview.md#servicing-branches).
+With Windows Update for Business, you can set a device to be on either the Current Branch (CB) or the Current Branch for Business (CBB) servicing branch. For more information on this servicing model, see [Windows 10 servicing options](waas-overview.md#servicing-channels).
**Release branch policies**
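Review bot: Only the link fragment changes on this line (`#servicing-branches` to `#servicing-channels`); the sentence still says "servicing branch" and the section heading above it still reads "Current Branch (CB) or Current Branch for Business (CBB)". Given the new note at the top of the topic that maps CB and CBB to the Semi-Annual Channel names, either update the sentence wording too or state that the old terms are kept on purpose because the policy settings still display them. Also check that waas-overview.md actually defines a `servicing-channels` anchor, since that file is not visible in this part of the patch.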
@@ -257,7 +263,7 @@ In the Windows Update for Business policies in version 1511, all the deferral ru
- [Overview of Windows as a service](waas-overview.md)
- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
-- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md
index e15cd39494..2b77126ecf 100644
--- a/windows/deployment/update/waas-delivery-optimization.md
+++ b/windows/deployment/update/waas-delivery-optimization.md
@@ -5,8 +5,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
ms.author: daniha
+ms.date: 07/27/2017
---
# Configure Delivery Optimization for Windows 10 updates
@@ -204,7 +205,7 @@ On devices that are not preferred, you can choose to set the following policy to
- [Overview of Windows as a service](waas-overview.md)
- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
-- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
diff --git a/windows/deployment/update/waas-deployment-rings-windows-10-updates.md b/windows/deployment/update/waas-deployment-rings-windows-10-updates.md
index f8a51fb650..224da4899d 100644
--- a/windows/deployment/update/waas-deployment-rings-windows-10-updates.md
+++ b/windows/deployment/update/waas-deployment-rings-windows-10-updates.md
@@ -5,8 +5,9 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
ms.author: daniha
+ms.date: 07/27/2017
---
# Build deployment rings for Windows 10 updates
@@ -29,35 +30,30 @@ Table 1 provides an example of the deployment rings you might use.
**Table 1**
-| Deployment ring | Servicing branch | Total weeks after Current Branch (CB) or Current Branch for Business (CBB) release |
-| --- | --- | --- |
-| Preview | Windows Insider | Pre-CB |
-| Ring 1 Pilot IT | CB | CB + 0 weeks |
-| Ring 2 Pilot business users | CB | CB + 4 weeks |
-| Ring 3 Broad IT | CB | CB + 6 weeks |
-| Ring 4 Broad business users | CBB | CBB + 0 weeks |
-| Ring 5 Broad business users #2 | CBB | CBB + 2 weeks as required by capacity or other constraints |
+| Deployment ring | Servicing channel | Deferral for feature updates | Deferral for quality updates | Example |
+| --- | --- | --- | --- | --- |
+| Preview | Windows Insider Program | None | None | A few machines to evaluate early builds prior to their arrival to the semi-annual channel |
+| Targeted | Semi-annual channel (Targeted) | None | None | Select devices across various teams used to evaluate the major release prior to broad deployment |
+| Broad | Semi-annual channel | 120 days | 7-14 days | Broadly deployed to most of the organization and monitored for feedbackPause updates if there are critical issues |
+| Critical | Semi-annual channel | 180 days | 30 days | Devices that are critical and will only receive updates once they've been vetted for a period of time by the majority of the organization |
>[!NOTE]
->In this example, there are no rings made up of the long-term servicing branch (LTSB). The LTSB servicing branch does not receive feature updates.
+>In this example, there are no rings made up of the long-term servicing channel (LTSC). The LTSC servicing channel does not receive feature updates.
>
->Windows Insider is in the deployment ring list for informational purposes only. Windows Insider PCs must be enrolled manually on each device and serviced based on the Windows Insider level chosen in the **Settings** app on that particular PC. Feature update servicing for Windows Insiderdevices is done completely through Windows Update; no servicing tools can manage Windows Insider feature updates.
+>Windows Insider PCs must be enrolled manually on each device and serviced based on the Windows Insider level chosen in the **Settings** app on that particular PC. Feature update servicing for Windows Insider devices is done completely through Windows Update; no servicing tools can manage Windows Insider feature updates.
-As Table 1 shows, each combination of servicing branch and deployment group is tied to a specific deployment ring. As you can see, the associated groups of devices are combined with a servicing branch to specify which deployment ring those devices and their users fall into. The naming convention used to identify the rings is completely customizable as long as the name clearly identifies the sequence. Deployment rings represent a sequential deployment timeline, regardless of the servicing branch they contain. Deployment rings will likely rarely change for an organization, but they should be periodically assessed to ensure that the deployment cadence still makes sense.
-
-
-
+As Table 1 shows, each combination of servicing channel and deployment group is tied to a specific deployment ring. As you can see, the associated groups of devices are combined with a servicing channel to specify which deployment ring those devices and their users fall into. The naming convention used to identify the rings is completely customizable as long as the name clearly identifies the sequence. Deployment rings represent a sequential deployment timeline, regardless of the servicing channel they contain. Deployment rings will likely rarely change for an organization, but they should be periodically assessed to ensure that the deployment cadence still makes sense.
## Steps to manage updates for Windows 10
| | |
| --- | --- |
-|  | [Learn about updates and servicing branches](waas-overview.md) |
+|  | [Learn about updates and servicing channels](waas-overview.md) |
|  | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
|  | Build deployment rings for Windows 10 updates (this topic) |
-|  | [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) |
+|  | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
|  | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
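Review bot: In the new Table 1, the Broad row's Example cell reads "monitored for feedbackPause updates if there are critical issues"; two sentences have run together and need a separator (a period or a line break) before "Pause". The table uses "Semi-annual channel" while the IMPORTANT notes added elsewhere in this patch use "Semi-Annual Channel", so pick one casing. The rewritten note also drops the sentence saying Windows Insider is in the ring list for informational purposes only, although the Preview ring is still the first row of the table; consider keeping that sentence.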
diff --git a/windows/deployment/update/waas-integrate-wufb.md b/windows/deployment/update/waas-integrate-wufb.md
index 294a8ed333..24c89c24be 100644
--- a/windows/deployment/update/waas-integrate-wufb.md
+++ b/windows/deployment/update/waas-integrate-wufb.md
@@ -5,8 +5,9 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
ms.author: daniha
+ms.date: 07/27/2017
---
# Integrate Windows Update for Business with management solutions
@@ -97,7 +98,7 @@ For Windows 10, version 1607, organizations already managing their systems with
- [Overview of Windows as a service](waas-overview.md)
- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
-- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
diff --git a/windows/deployment/update/waas-manage-updates-configuration-manager.md b/windows/deployment/update/waas-manage-updates-configuration-manager.md
index 13e614dbf4..0fdb3289c7 100644
--- a/windows/deployment/update/waas-manage-updates-configuration-manager.md
+++ b/windows/deployment/update/waas-manage-updates-configuration-manager.md
@@ -5,8 +5,9 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
ms.author: daniha
+ms.date: 07/27/2017
---
# Deploy Windows 10 updates using System Center Configuration Manager
@@ -17,7 +18,12 @@ ms.author: daniha
- Windows 10
- Windows 10 Mobile
-> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+>[!IMPORTANT]
+>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products.
+>
+>In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel.
System Center Configuration Manager provides maximum control over quality and feature updates for Windows 10. Unlike other servicing tools, Configuration Manager has capabilities that extend beyond servicing, such as application deployment, antivirus management, software metering, and reporting, and provides a secondary deployment method for LTSB clients. Configuration Manager can effectively control bandwidth usage and content distribution through a combination of BranchCache and distribution points. Microsoft encourages organizations currently using Configuration Manager for Windows update management to continue doing so for Windows 10 client computers.
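Review bot: The added IMPORTANT note maps CB and CBB to their new names but gives no equivalent for LTSB, and the unchanged paragraph directly after it still says "a secondary deployment method for LTSB clients", while the deployment rings topic in this same patch already switches to LTSC. Add the LTSB mapping to the note or update the paragraph. Separately, the removed and added "Looking for consumer information?" lines look identical, so this is presumably a whitespace-only change; confirm it is intended.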
@@ -292,10 +298,10 @@ With the task sequence created, you’re ready to deploy it. If you’re using t
| | |
| --- | --- |
-|  | [Learn about updates and servicing branches](waas-overview.md) |
+|  | [Learn about updates and servicing channels](waas-overview.md) |
|  | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
|  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
-|  | [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) |
+|  | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
|  | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)or Deploy Windows 10 updates using System Center Configuration Manager (this topic) |
@@ -310,7 +316,7 @@ With the task sequence created, you’re ready to deploy it. If you’re using t
- [Overview of Windows as a service](waas-overview.md)
- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
-- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md
index f9cc0b2feb..765051754a 100644
--- a/windows/deployment/update/waas-manage-updates-wsus.md
+++ b/windows/deployment/update/waas-manage-updates-wsus.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
ms.author: daniha
---
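Review bot: This front-matter hunk renames `localizationpriority` to `ms.localizationpriority` but does not add `ms.date`, whereas sibling topics in this patch such as waas-branchcache.md and waas-configure-wufb.md gain `ms.date: 07/27/2017` in the same place. The same omission appears in the index.md and waas-manage-updates-wufb.md hunks. If the date is meant to be stamped on every topic touched by this change, add it here as well.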
@@ -18,6 +18,11 @@ ms.author: daniha
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+>[!IMPORTANT]
+>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products.
+>
+>In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel.
+
WSUS is a Windows Server role available in the Windows Server operating systems. It provides a single hub for Windows updates within an organization. WSUS allows companies not only to defer updates but also to selectively approve them, choose when they’re delivered, and determine which individual devices or groups of devices receive them. WSUS provides additional control over Windows Update for Business but does not provide all the scheduling options and deployment flexibility that System Center Configuration Manager provides.
When you choose WSUS as your source for Windows updates, you use Group Policy to point Windows 10 client devices to the WSUS server for their updates. From there, updates are periodically downloaded to the WSUS server and managed, approved, and deployed through the WSUS administration console or Group Policy, streamlining enterprise update management. If you’re currently using WSUS to manage Windows updates in your environment, you can continue to do so in Windows 10.
@@ -322,10 +327,10 @@ Now that you have the All Windows 10 Upgrades view, complete the following steps
| | |
| --- | --- |
-|  | [Learn about updates and servicing branches](waas-overview.md) |
+|  | [Learn about updates and servicing channels](waas-overview.md) |
|  | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
|  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
-|  | [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) |
+|  | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
|  | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or Deploy Windows 10 updates using Windows Server Update Services (this topic)or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
@@ -337,7 +342,7 @@ Now that you have the All Windows 10 Upgrades view, complete the following steps
- [Overview of Windows as a service](waas-overview.md)
- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
-- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md
index 2c33b3ad01..7391b7bb5e 100644
--- a/windows/deployment/update/waas-manage-updates-wufb.md
+++ b/windows/deployment/update/waas-manage-updates-wufb.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
ms.author: daniha
---
@@ -19,6 +19,11 @@ ms.author: daniha
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+>[!IMPORTANT]
+>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products.
+>
+>In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel.
+
Windows Update for Business enables information technology administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or MDM solutions such as Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated. In addition, by using Intune, organizations can manage devices that are not joined to a domain at all or are joined to Microsoft Azure Active Directory (Azure AD) alongside your on-premises domain-joined machines.
Specifically, Windows Update for Business allows for:
@@ -75,7 +80,7 @@ The pause period is now calculated starting from the set start date. For additio
Windows Update for Business was first made available in Windows 10, version 1511. In Windows 10, version 1607 (also known as the Anniversary Update), there are several new or changed capabilities provided as well as updated behavior.
>[!NOTE]
->For more information on Current Branch and Current Branch for Business, see [Windows 10 servicing options](waas-overview.md#servicing-branches).
+>For more information on Current Branch and Current Branch for Business, see [Windows 10 servicing options](waas-overview.md#servicing-channels).
@@ -102,10 +107,10 @@ For more information about Update Compliance, see [Monitor Windows Updates using
| | |
| --- | --- |
-|  | [Learn about updates and servicing branches](waas-overview.md) |
+|  | [Learn about updates and servicing channels](waas-overview.md) |
|  | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
|  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
-|  | [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) |
+|  | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
|  | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
|  | Deploy updates using Windows Update for Business (this topic) or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
@@ -114,7 +119,7 @@ For more information about Update Compliance, see [Monitor Windows Updates using
- [Overview of Windows as a service](waas-overview.md)
- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
-- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
diff --git a/windows/deployment/update/waas-mobile-updates.md b/windows/deployment/update/waas-mobile-updates.md
index 35ed31ba72..9234f54996 100644
--- a/windows/deployment/update/waas-mobile-updates.md
+++ b/windows/deployment/update/waas-mobile-updates.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
ms.author: daniha
---
@@ -20,14 +20,19 @@ ms.author: daniha
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
>[!TIP]
->If you're not familiar with the Windows 10 servicing or release branches, read [Servicing branches](waas-overview.md#servicing-branches) first.
+>If you're not familiar with the Windows 10 servicing or release channels, read [Servicing channels](waas-overview.md#servicing-channels) first.
-Devices running Windows 10 Mobile and Windows 10 IoT Mobile receive updates from the Current Branch (CB) unless you [enroll the device in the Windows Insider Program](waas-servicing-branches-windows-10-updates.md#enroll-devices-in-the-windows-insider-program) or assign the device to Current Branch for Business (CBB). Only devices running Windows 10 Mobile Enterprise or Windows 10 IoT Mobile can be assigned to CBB.
+Devices running Windows 10 Mobile and Windows 10 IoT Mobile receive updates from the Semi-annual channel unless you [enroll the device in the Windows Insider Program](waas-servicing-channels-windows-10-updates.md#enroll-devices-in-the-windows-insider-program) or assign the device to Current Branch for Business (CBB). Only devices running Windows 10 Mobile Enterprise or Windows 10 IoT Mobile can be assigned to CBB.
[Learn how to upgrade Windows 10 Mobile to Windows 10 Mobile Enterprise](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)
+>[!IMPORTANT]
+>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products.
+>
+>In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel.
+
| Windows 10 edition | CB | CBB | Insider Program |
| --- | --- | --- | --- | --- |
| Mobile |  |  |  |
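Review bot: The rewritten sentence says devices receive updates from the "Semi-annual channel", but the IMPORTANT note added in this same hunk maps CB to "Semi-Annual Channel (Targeted)" and CBB to "Semi-Annual Channel", so the replacement names the channel that now stands for CBB, not CB. The capitalization also differs from the rest of the patch, and the same sentence still says "Current Branch for Business (CBB)", which mixes old and new terms in one line. Suggest "Semi-Annual Channel (Targeted)" here and a consistent name for CBB. The added note also has "CB,CBB" without a space after the comma.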
@@ -68,7 +73,7 @@ If a device running Windows 10 Mobile Enterprise or Windows 10 IoT Mobile, versi
- [Overview of Windows as a service](waas-overview.md)
- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
-- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
diff --git a/windows/deployment/update/waas-optimize-windows-10-updates.md b/windows/deployment/update/waas-optimize-windows-10-updates.md
index f6ff84324d..899f98788b 100644
--- a/windows/deployment/update/waas-optimize-windows-10-updates.md
+++ b/windows/deployment/update/waas-optimize-windows-10-updates.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
ms.author: daniha
---
@@ -47,7 +47,10 @@ Two methods of peer-to-peer content distribution are available in Windows 10.
## Express update delivery
-Windows 10 update downloads can be large because every package contains all previously released fixes to ensure consistency and simplicity. Windows has been able to reduce the size of Windows Update downloads with a feature called Express.
+Windows 10 quality update downloads can be large because every package contains all previously released fixes to ensure consistency and simplicity. Windows has been able to reduce the size of Windows Update downloads with a feature called Express.
+
+>[!NOTE]
+>Currently, Express update delivery only applies to quality update downloads.
### How Microsoft supports Express
- **Express on System Center Configuration Manager** starting with version 1702 of Configuration Manager and Windows 10, version 1703 or 1607 with the April 2017 cumulative update.
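Review bot: The added NOTE says "Currently, Express update delivery only applies to quality update downloads" with no Windows 10 version or date, so a reader cannot tell when the statement stops being true. Suggest tying it to a version or release. The second sentence of the changed paragraph still says "the size of Windows Update downloads" in general, which is now broader than the first sentence and the note.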
@@ -83,10 +86,10 @@ At this point, the download is complete and the update is ready to be installed.
| | |
| --- | --- |
-|  | [Learn about updates and servicing branches](waas-overview.md) |
+|  | [Learn about updates and servicing channels](waas-overview.md) |
|  | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
|  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
-|  | [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) |
+|  | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
|  | Optimize update delivery for Windows 10 updates (this topic) |
|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md
index b1034016b5..fac84472ae 100644
--- a/windows/deployment/update/waas-overview.md
+++ b/windows/deployment/update/waas-overview.md
@@ -5,8 +5,9 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
ms.author: daniha
+ms.date: 07/27/2017
---
# Overview of Windows as a service
@@ -22,7 +23,7 @@ ms.author: daniha
The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers. These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time.
-
+
## Building
@@ -56,11 +57,22 @@ Device compatibility in Windows 10 is also very strong; new hardware is not need
Traditional Windows servicing has included several release types: major revisions (e.g., the Windows 8.1, Windows 8, and Windows 7 operating systems), service packs, and monthly updates. With Windows 10, there are two release types: feature updates that add new functionality twice per year, and quality updates that provide security and reliability fixes at least once a month.
-With Windows 10, organizations will need to change the way they approach deploying updates. Servicing branches are the first way to separate users into deployment groups for feature and quality updates. With the introduction of servicing branches comes the concept of a [deployment ring](waas-deployment-rings-windows-10-updates.md), which is simply a way to categorize the combination of a deployment group and a servicing branch to group devices for successive waves of deployment. For more information about developing a deployment strategy that leverages servicing branches and deployment rings, see [Plan servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md).
+With Windows 10, organizations will need to change the way they approach deploying updates. Servicing channels are the first way to separate users into deployment groups for feature and quality updates. With the introduction of servicing channels comes the concept of a [deployment ring](waas-deployment-rings-windows-10-updates.md), which is simply a way to categorize the combination of a deployment group and a servicing channel to group devices for successive waves of deployment. For more information about developing a deployment strategy that leverages servicing channels and deployment rings, see [Plan servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md).
For information about each servicing tool available for Windows 10, see [Servicing tools](#servicing-tools).
-To align with this new update delivery model, Windows 10 has three servicing branches, each of which provides different levels of flexibility over when these updates are delivered to client computers. For information about the servicing branches available in Windows 10, see [Servicing branches](#servicing-branches).
+To align with this new update delivery model, Windows 10 has three servicing channels, each of which provides different levels of flexibility over when these updates are delivered to client computers. For information about the servicing channels available in Windows 10, see [Servicing channels](#servicing-channels).
+
+### Naming changes
+
+As part of the alignment with Windows 10 and Office 365 ProPlus, we are adopting common terminology to make it as easy as possible to understand the servicing process. Going forward, these are the new terms we will be using:
+* Semi-Annual Channel - We will be referreing to Current Branch (CB) as "Semi-Annual Channel (Targeted)", while Current Branch for Business (CBB) will simply be referred to as "Semi-Annual Channel".
+* Long-Term Servicing Channel - The Long-Term Servicing Branch (LTSB) will be referred to as Long-Term Servicing Channel (LTSC).
+
+>[!NOTE]
+>For additional information, see the section about [Servicing Channels](#servicing-channels).
+>
+>You can also read [this blog post](https://blogs.technet.microsoft.com/windowsitpro/2017/07/27/waas-simplified-and-aligned/), with details on this change.
### Feature updates
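Review bot: The first bullet of the new "Naming changes" section has a typo, "referreing" for "referring". That bullet is labelled "Semi-Annual Channel" but defines two names, "Semi-Annual Channel (Targeted)" and "Semi-Annual Channel", so splitting it into one bullet per old term (CB, CBB) would read more clearly. The changed sentence above it says Windows 10 has "three servicing channels" while this section names only the Semi-Annual and Long-Term Servicing channels; worth saying what the third one is at this point.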
@@ -72,9 +84,9 @@ With Windows 10, Microsoft will package new features into feature updates that c
### Quality updates
-Monthly updates in previous Windows versions were often overwhelming because of the sheer number of updates available each month. Many organizations selectively chose which updates they wanted to install and which they didn’t, and this created countless scenarios in which organizations deployed essential security updates but picked only a subset of nonsecurity fixes.
+Monthly updates in previous Windows versions were often overwhelming because of the sheer number of updates available each month. Many organizations selectively chose which updates they wanted to install and which they didn’t, and this created countless scenarios in which organizations deployed essential security updates but picked only a subset of non-security fixes.
-In Windows 10, rather than receiving several updates each month and trying to figure out which the organization needs, which ultimately causes platform fragmentation, administrators will see one cumulative monthly update that supersedes the previous month’s update, containing both security and nonsecurity fixes. This approach makes patching simpler and ensures that customers’ devices are more closely aligned with the testing done at Microsoft, reducing unexpected issues resulting from patching. The left side of Figure 1 provides an example of Windows 7 devices in an enterprise and what their current patch level might look like. On the right is what Microsoft’s test environment PCs contain. This drastic difference is the basis for many compatibility issues and system anomalies related to Windows updates.
+In Windows 10, rather than receiving several updates each month and trying to figure out which the organization needs, which ultimately causes platform fragmentation, administrators will see one cumulative monthly update that supersedes the previous month’s update, containing both security and non-security fixes. This approach makes patching simpler and ensures that customers’ devices are more closely aligned with the testing done at Microsoft, reducing unexpected issues resulting from patching. The left side of Figure 1 provides an example of Windows 7 devices in an enterprise and what their current patch level might look like. On the right is what Microsoft’s test environment PCs contain. This drastic difference is the basis for many compatibility issues and system anomalies related to Windows updates.
**Figure 1**
@@ -82,60 +94,58 @@ In Windows 10, rather than receiving several updates each month and trying to fi
-## Servicing branches
+## Servicing channels
-To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing branches to allow customers to designate how aggressively their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity. With that in mind, Microsoft offers three servicing branches for Windows 10: Current Branch (CB), Current Branch for Business (CBB), and Long-Term Servicing Branch (LTSB). In addition, the Windows Insider Program provides IT pros and other interested parties with prerelease Windows builds that they can test and ultimately provide feedback on to Microsoft. For details about the versions in each servicing branch, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx).
+To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing channels to allow customers to designate how frequently their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity.
-The concept of servicing branches is new, but organizations can use the same management tools they used to manage updates and upgrades in previous versions of Windows. For more information about the servicing tool options for Windows 10 and their capabilities, see [Servicing tools](#servicing-tools).
+With that in mind, Windows 10 offers 3 servicing channels. The [Windows Insider Program](#windows-insider) provides organizations with the opportunity to test and provide feedback on features that will be shipped in the next feature update. The [Semi-Annual Channel](#semi-annual-channel) provides new functionality with twice-per-year feature update releases. Organizations can choose when to deploy updates from the Semi-Annual Channel. The [Long Term Servicing Channel](#long-term-servicing-channel), which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases about every three years. For details about the versions in each servicing channel, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx).
+
+The concept of servicing channels is new, but organizations can use the same management tools they used to manage updates and upgrades in previous versions of Windows. For more information about the servicing tool options for Windows 10 and their capabilities, see [Servicing tools](#servicing-tools).
>[!NOTE]
->Servicing branches are not the only way to separate groups of devices when consuming updates. Each branch can contain subsets of devices, which staggers servicing even further. For information about the servicing strategy and ongoing deployment process for Windows 10, including the role of servicing branches, see [Plan servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md).
+>Servicing channels are not the only way to separate groups of devices when consuming updates. Each channel can contain subsets of devices, which staggers servicing even further. For information about the servicing strategy and ongoing deployment process for Windows 10, including the role of servicing channels, see [Plan servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md).
+### Semi-Annual Channel
-### Current Branch
+In the Semi-Annual servicing channel, feature updates are available as soon as Microsoft releases them. Windows 10, version 1511, had few servicing tool options to delay feature updates, limiting the use of the Semi-Annual servicing channel. Windows 10, version 1607 and onward, includes more servicing tools that can delay feature updates for up to 365 days. This servicing modal is ideal for pilot deployments and testing of Windows 10 feature updates and for users such as developers who need to work with the latest features immediately.
+Once the latest release went through pilot deployment and testing, you choose the timing at which it goes into broad deployment.
-In the CB servicing model, feature updates are available as soon as Microsoft releases them. Windows 10 version 1511 had few servicing tool options to delay CB feature updates, limiting the use of the CB servicing branch. Windows 10 version 1607, however, includes more servicing tools that can delay CB feature updates for up to 180 days. The CB servicing model is ideal for pilot deployments and testing of Windows 10 feature updates and for users such as developers who need to work with the latest features immediately.
-
-When Microsoft officially releases a feature update for Windows 10, that update is marked for CB, making it available to any PC not configured to defer feature updates so that those devices can immediately install it. Organizations that use Windows Server Update Services (WSUS), Microsoft System Center Configuration Manager, or Windows Update for Business, however, can defer CB feature updates to selective devices by withholding their approval and deployment. In this scenario, the content available for CB will be available but not necessarily immediately mandatory, depending on the policy of the management system. Only one CB build of Windows is supported at a time, so those clients not on the most current build will not receive quality updates (after a 60 day grace period) until the most current feature update has been installed. For more details about Windows 10 servicing tools, see [Servicing tools](#servicing-tools).
-
-
- ### Current Branch for Business
-
-Organizations typically prefer to have a testing cycle before broadly deploying new features to business users. For Windows 10, most pilot testing will be done using the CB servicing branch. In contrast, the CBB servicing branch is typically used for broad deployment. Windows 10 clients in the CBB servicing branch receive the same build of Windows 10 as those in the CB servicing branch, just at a later time. CB releases are transitioned to CBB after about 4 months, indicating that Microsoft, independent software vendors (ISVs), partners, and customers believe that the release is ready for broad deployment. Therefore, CB and CBB have an inherent “staging” effect. Both of these branches have a purpose in the overall deployment process for an enterprise, providing another layer of testing capabilities in addition to the traditional phased deployment methods to specific groups of machines. Each feature update release will be supported and updated for 18 months from the time of its release.
+When Microsoft officially releases a feature update for Windows 10, it is made available to any PC not configured to defer feature updates so that those devices can immediately install it. Organizations that use Windows Server Update Services (WSUS), Microsoft System Center Configuration Manager, or Windows Update for Business, however, can defer feature updates to selective devices by withholding their approval and deployment. In this scenario, the content available for the Semi-Annual Channel will be available but not necessarily immediately mandatory, depending on the policy of the management system. For more details about Windows 10 servicing tools, see [Servicing tools](#servicing-tools).
+Organizations are expected to initiate targeted deployment on Semi-Annual Channel releases, while after about 4 months, we will announce broad deployment readiness, indicating that Microsoft, independent software vendors (ISVs), partners, and customers believe that the release is ready for broad deployment. Each feature update release will be supported and updated for 18 months from the time of its release
>[!NOTE]
->Organizations can electively delay CB and CBB updates into as many phases as they wish by using one of the servicing tools mentioned in the section Servicing tools.
+>Organizations can electively delay feature updates into as many phases as they wish by using one of the servicing tools mentioned in the section Servicing tools.
-Basically, CBB is a configuration state, meaning that if a computer has the **Defer Updates and Upgrades** flag enabled—either through Group Policy, a mobile device management product like Microsoft Intune, or manually on the client—it’s considered to be in the CBB servicing branch. The benefit of tying this servicing model and CB to a configuration state rather than a SKU is that they are easily interchangeable. If an organization accidentally selects CBB on a machine that doesn’t need delayed updates, it’s simple to change it back.
+### Long-term Servicing Channel
-### Long-term Servicing Branch
-
-Specialized systems—such as PCs that control medical equipment, point-of-sale systems, and ATMs—often require a longer servicing option because of their purpose. These devices typically perform a single important task and don’t need feature updates as frequently as other devices in the organization. It’s more important that these devices be kept as stable and secure as possible than up to date with user interface changes. The LTSB servicing model prevents Windows 10 Enterprise LTSB devices from receiving the usual feature updates and provides only quality updates to ensure that device security stays up to date. With this in mind, quality updates are still immediately available to Windows 10 Enterprise LTSB clients, but customers can choose to defer them by using one of the servicing tools mentioned in the section Servicing tools.
+Specialized systems—such as PCs that control medical equipment, point-of-sale systems, and ATMs—often require a longer servicing option because of their purpose. These devices typically perform a single important task and don’t need feature updates as frequently as other devices in the organization. It’s more important that these devices be kept as stable and secure as possible than up to date with user interface changes. The LTSC servicing model prevents Windows 10 Enterprise LTSB devices from receiving the usual feature updates and provides only quality updates to ensure that device security stays up to date. With this in mind, quality updates are still immediately available to Windows 10 Enterprise LTSB clients, but customers can choose to defer them by using one of the servicing tools mentioned in the section Servicing tools.
>[!NOTE]
->LTSB is not intended for deployment on most or all the PCs in an organization; it should be used only for special-purpose devices. As a general guideline, a PC with Microsoft Office installed is a general-purpose device, typically used by an information worker, and therefore it is better suited for the CB or CBB servicing branch.
+>Windows 10 Enterprise LTSB is a separate Long Term Servicing Channel version.
+>
+>Long-term Servicing channel is not intended for deployment on most or all the PCs in an organization; it should be used only for special-purpose devices. As a general guideline, a PC with Microsoft Office installed is a general-purpose device, typically used by an information worker, and therefore it is better suited for the Semi-Annual servicing channel.
-Microsoft never publishes feature updates through Windows Update on devices that run Windows 10 Enterprise LTSB. Instead, it typically offers new LTSB releases every 2–3 years, and organizations can choose to install them as in-place upgrades or even skip releases over a 10-year life cycle.
+Microsoft never publishes feature updates through Windows Update on devices that run Windows 10 Enterprise LTSB. Instead, it typically offers new LTSC releases every 2–3 years, and organizations can choose to install them as in-place upgrades or even skip releases over a 10-year life cycle.
>[!NOTE]
>Windows 10 LTSB will support the currently released silicon at the time of release of the LTSB. As future silicon generations are released, support will be created through future Windows 10 LTSB releases that customers can deploy for those systems. For more information, see **Supporting the latest processor and chipsets on Windows** in [Lifecycle support policy FAQ - Windows Products](https://support.microsoft.com/help/18581/lifecycle-support-policy-faq-windows-products).
-LTSB is available only in the Windows 10 Enterprise LTSB edition. This build of Windows doesn’t contain many in-box applications, such as Microsoft Edge, Windows Store client, Cortana (limited search capabilities remain available), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. Therefore, it’s important to remember that Microsoft has positioned the LTSB model primarily for specialized devices. Since Windows Store client is not available in Windows 10 Enterprise LTSB, if you need to run a Windows Store app, you should not use Windows 10 LTSB on that device.
+The Long-term Servicing Channel is available only in the Windows 10 Enterprise LTSB edition. This build of Windows doesn’t contain many in-box applications, such as Microsoft Edge, Windows Store client, Cortana (limited search capabilities remain available), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. Therefore, it’s important to remember that Microsoft has positioned the LTSC model primarily for specialized devices.
>[!NOTE]
->If an organization has devices currently running Windows 10 Enterprise LTSB that it would like to change to the CB or CBB servicing branch, it can make the change without losing user data. Because LTSB is its own SKU, however, an upgrade is required from Windows 10 Enterprise LTSB to Windows 10 Enterprise, which supports CB and CBB.
+>If an organization has devices currently running Windows 10 Enterprise LTSB that it would like to change to the Semi-Annual Channel, it can make the change without losing user data. Because LTSB is its own SKU, however, an upgrade is required from Windows 10 Enterprise LTSB to Windows 10 Enterprise, which supports the Semi-Annual Channel.
### Windows Insider
-For many IT pros, gaining visibility into feature updates early—before they’re available to the CB servicing branch—can be both intriguing and valuable for future end user communications as well as provide additional prestaging for CB machines. With Windows 10, feature flighting enables Windows Insiders to consume and deploy preproduction code to their test machines, gaining early visibility into the next build. Testing the early builds of Windows 10 helps both Microsoft and its customers because they have the opportunity to discover possible issues before the update is ever publicly available and can report it to Microsoft. Also, as flighted builds get closer to their release to CB, organizations can test their deployment on test devices for compatibility validation.
+For many IT pros, gaining visibility into feature updates early—before they’re available to the Semi-Annual Channel — can be both intriguing and valuable for future end user communications as well as provide the means to test for any issues on the next Semi-Annual Channel release. With Windows 10, feature flighting enables Windows Insiders to consume and deploy preproduction code to their test machines, gaining early visibility into the next build. Testing the early builds of Windows 10 helps both Microsoft and its customers because they have the opportunity to discover possible issues before the update is ever publicly available and can report it to Microsoft.
Microsoft recommends that all organizations have at least a few PCs enrolled in the Windows Insider Program and provide feedback on any issues they encounter. For information about the Windows Insider Program for Business, go to [Windows Insider Program for Business](waas-windows-insider-for-business.md).
>[!NOTE]
>Microsoft recommends that all organizations have at least a few PCs enrolled in the Windows Insider Program, to include the Windows Insider Program in their deployment plans and to provide feedback on any issues they encounter to Microsoft via our Feedback Hub app.
>
->The Windows Insider Program isn’t intended to replace CB deployments in an organization. Rather, it provides IT pros and other interested parties with pre-release Windows builds that they can test and ultimately provide feedback on to Microsoft.
+>The Windows Insider Program isn’t intended to replace Semi-Annual Channel deployments in an organization. Rather, it provides IT pros and other interested parties with pre-release Windows builds that they can test and ultimately provide feedback on to Microsoft.
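Review bot: The added Semi-Annual Channel text has wording errors: "This servicing modal is ideal" should read "model", the sentence ending "18 months from the time of its release" has no closing period, and "ATM machines" is redundant. The new overview paragraph says Windows 10 offers 3 servicing channels and counts the Windows Insider Program as one of them, whereas the removed text listed CB, CBB and LTSB and described Insider as an addition, so the count should be stated the same way throughout the file. The removed sentence about clients not on the most current build no longer receiving quality updates after a 60 day grace period has no replacement in the added lines; if that behavior still applies it should stay, since it affects whether devices keep getting security fixes.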
@@ -143,8 +153,8 @@ Microsoft recommends that all organizations have at least a few PCs enrolled in
There are many tools with which IT pros can service Windows as a service. Each option has its pros and cons, ranging from capabilities and control to simplicity and low administrative requirements. The following are examples of the servicing tools available to manage Windows as a service updates:
-- **Windows Update (stand-alone)** provides limited control over feature updates, with IT pros manually configuring the device to be in the CBB servicing branch. Organizations can control which devices defer updates and stay in the CBB servicing branch or remain in CB by selecting the Defer upgrades check box in Start\Settings\Update & Security\Advanced Options on a Windows 10 client.
-- **Windows Update for Business** is the second option for servicing Windows as a service. This servicing tool includes a little more control over update deferment and provides centralized management using Group Policy. In Windows 10 version 1511, Windows Update for Business can be used to defer feature updates for up to 8 months and quality updates for up to 4 weeks. Also, these deferment options were available only to clients in the CBB servicing branch. In Windows 10 version 1607 and later, Windows Update for Business can be used to defer feature updates for up to 180 days and quality updates for up to 30 days. These deployment options are available to clients in either the CB or CBB servicing branch. In addition to being able to use Group Policy to manage Windows Update for Business, either option can be configured without requiring any on-premises infrastructure by using Intune.
+- **Windows Update (stand-alone)** provides limited control over feature updates, with IT pros manually configuring the device to be in the Semi-Annual Channel. Organizations can target which devices defer updates by selecting the Defer upgrades check box in Start\Settings\Update & Security\Advanced Options on a Windows 10 client.
+- **Windows Update for Business** is the second option for servicing Windows as a service. This servicing tool includes control over update deferment and provides centralized management using Group Policy. Windows Update for Business can be used to defer updates by up to 365 days, depending on the version. These deployment options are available to clients in the Semi-Annual Channel. In addition to being able to use Group Policy to manage Windows Update for Business, either option can be configured without requiring any on-premises infrastructure by using Intune.
- **Windows Server Update Services (WSUS)** provides extensive control over Windows 10 updates and is natively available in the Windows Server operating system. In addition to the ability to defer updates, organizations can add an approval layer for updates and choose to deploy them to specific computers or groups of computers whenever ready.
- **System Center Configuration Manager** provides the greatest control over servicing Windows as a service. IT pros can defer updates, approve them, and have multiple options for targeting deployments and managing bandwidth usage and deployment times.
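Review bot: The new Windows Update for Business bullet collapses the deferral limits into "defer updates by up to 365 days, depending on the version", which loses the split the removed text made between feature updates and quality updates (180 days and 30 days on version 1607 and later). An administrator can no longer tell from this bullet how long a monthly security fix can be held back, so state the limit per update type. The retained "either option can be configured" also has nothing left to refer to now that the CB/CBB sentences are gone. In the stand-alone bullet, say which of the two new names (Semi-Annual Channel or Semi-Annual Channel (Targeted)) the Defer upgrades check box selects.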
@@ -159,16 +169,19 @@ With all these options, which an organization chooses depends on the resources,
| WSUS | Yes | Yes | BranchCache or Delivery Optimization | Upstream/downstream server scalability |
| Configuration Manager | Yes | Yes | BranchCache, Client Peer Cache | Distribution points, multiple deployment options |
+>[!NOTE]
+>Due to [naming changes](#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products.
+
## Steps to manage updates for Windows 10
| | |
| --- | --- |
-|  | Learn about updates and servicing branches (this topic) |
+|  | Learn about updates and servicing channels (this topic) |
|  | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
|  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
-|  | [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) |
+|  | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
|  | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
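Review bot: The added NOTE reads "CB,CBB and LTSB" with no space after the first comma; the same string is pasted into the other files in this patch, so fix it in each copy. The link target "#naming-changes" only resolves if a "Naming changes" heading exists in this file, and no such heading is added in the hunks shown here, so confirm it before merging.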
@@ -185,12 +198,4 @@ With all these options, which an organization chooses depends on the resources,
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
-- [Manage device restarts after updates](waas-restart.md)
-
-
-
-
-
-
-
-
+- [Manage device restarts after updates](waas-restart.md)
\ No newline at end of file
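Review bot: Trimming the eight trailing blank lines leaves the last list item, "Manage device restarts after updates", without a terminating newline ("\ No newline at end of file"). Keep exactly one newline at the end of the file so later appends produce clean diffs.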
diff --git a/windows/deployment/update/waas-quick-start.md b/windows/deployment/update/waas-quick-start.md
index 3a5f929896..8b85bf57aa 100644
--- a/windows/deployment/update/waas-quick-start.md
+++ b/windows/deployment/update/waas-quick-start.md
@@ -5,8 +5,9 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
ms.author: daniha
+ms.date: 07/27/2017
---
# Quick guide to Windows as a service
@@ -26,20 +27,22 @@ Some new terms have been introduced as part of Windows as a service, so you shou
- **Feature updates** will be released twice per year, around March and September. As the name suggests, these will add new features to Windows 10, delivered in bite-sized chunks compared to the previous practice of Windows releases every 3-5 years.
- **Quality updates** are released monthly, delivering both security and non-security fixes. These are cumulative, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update.
- **Insider Preview** builds are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features as well as compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered.
-- **Servicing channels** allow organizations to choose when to deploy new features. The Semi-Annual Channel receives feature updates twice per year. The Long Term Servicing Channel, which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases about every three years.
+- **Servicing channels** allow organizations to choose when to deploy new features.
+ - The **Semi-Annual Channel** receives feature updates twice per year.
+ - The **Long Term Servicing Channel**, which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases about every three years.
- **Deployment rings** are groups of devices used to initially pilot, and then to broadly deploy, each feature update in an organization.
See [Overview of Windows as a service](waas-overview.md) for more information.
## Key Concepts
-Windows 10 gains new functionality with twice-per-year feature update releases. Initially, organizations will use these feature update releases for pilot deployments to ensure compatibility with existing apps and infrastructure. After a period of time, typically about four months after the feature update release, broad deployment throughout the organization can begin. The exact timeframe is determined by feedback from customers, ISVs, OEMs, and others, with an explicit "ready for broad deployment" declaration signaling this to customers.
+Windows 10 gains new functionality with twice-per-year feature update releases. Initially, organizations will use these feature update releases for pilot deployments to ensure compatibility with existing apps and infrastructure. After a period of time, typically about four months after the feature update release, broad deployment throughout the organization can begin. The exact timeframe is determined by feedback from customers, ISVs, OEMs, and others, with an explicit "ready for broad deployment" declaration signaling this to customers.
Each Windows 10 feature update will be serviced with quality updates for 18 months from the date of the feature update release.
Windows 10 Enterprise LTSB is a separate **Long Term Servicing Channel** version. Each release is supported for a total of 10 years (five years standard support, five years extended support). New releases are expected about every three years.
-See [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) for more information.
+See [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) for more information.
## Staying up to date
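Review bot: The new sub-bullet spells the name "Long Term Servicing Channel" without a hyphen, while the table header introduced elsewhere in this patch uses "Long-Term Servicing Channel"; pick one spelling and apply it across the renamed topics. The removed and added "Windows 10 gains new functionality" paragraphs are textually identical, so that change looks like whitespace only and can be dropped from the patch unless it is intentional.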
@@ -55,7 +58,7 @@ See [Build deployment rings for Windows 10 updates](waas-deployment-rings-window
## Video: An overview of Windows as a service
-
+
## Learn more
diff --git a/windows/deployment/update/waas-restart.md b/windows/deployment/update/waas-restart.md
index 15b695c9ad..807d2f4a3d 100644
--- a/windows/deployment/update/waas-restart.md
+++ b/windows/deployment/update/waas-restart.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
ms.author: daniha
ms.date: 07/05/2017
---
diff --git a/windows/deployment/update/waas-servicing-branches-windows-10-updates.md b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
similarity index 75%
rename from windows/deployment/update/waas-servicing-branches-windows-10-updates.md
rename to windows/deployment/update/waas-servicing-channels-windows-10-updates.md
index 43aade46a5..dd5cbaf8b7 100644
--- a/windows/deployment/update/waas-servicing-branches-windows-10-updates.md
+++ b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
@@ -1,15 +1,16 @@
---
-title: Assign devices to servicing branches for Windows 10 updates (Windows 10)
+title: Assign devices to servicing channels for Windows 10 updates (Windows 10)
description: tbd
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
ms.author: daniha
+ms.date: 07/27/2017
---
-# Assign devices to servicing branches for Windows 10 updates
+# Assign devices to servicing channels for Windows 10 updates
**Applies to**
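Review bot: The front matter of the renamed file still carries the placeholder "description: tbd". Since the title and ms.date are being updated in the same block, replace the placeholder with a real one-line description. Because the file path changes from waas-servicing-branches-windows-10-updates.md to waas-servicing-channels-windows-10-updates.md, also confirm that a redirect covers the old path for inbound links outside this patch.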
@@ -20,11 +21,13 @@ ms.author: daniha
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
>[!TIP]
->If you're not familiar with the Windows 10 servicing or release branches, read [Servicing branches](waas-overview.md#servicing-branches) first.
+>If you're not familiar with the Windows 10 servicing or release channels, read [Servicing Channels](waas-overview.md#servicing-channels) first.
+>
+>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products.
-Current Branch is the default servicing branch for all Windows 10 devices except those with the long-term servicing branch edition installed. The following table shows the servicing branches available to each edition of Windows 10.
+Semi-Annual Channel (Targeted) is the default servicing channel for all Windows 10 devices except those with the LTSB edition installed. The following table shows the servicing channels available to each edition of Windows 10.
-| Windows 10 edition | Current branch (CB) | Current branch for business (CBB) | Long-term servicing branch (LTSB) | Insider Program |
+| Windows 10 edition | Semi-Annual Channel (Targeted) | Semi-Annual Channel | Long-Term Servicing Channel | Insider Program |
| --- | --- | --- | --- | --- |
| Home |  |  |  |  |
| Pro |  |  |  |  |
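Review bot: The TIP now links to "waas-overview.md#servicing-channels" with the link text capitalised as "Servicing Channels", while every other mention in this patch uses lower-case "servicing channels". Match the casing and check that the overview heading was renamed so the new anchor resolves.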
@@ -40,7 +43,12 @@ Current Branch is the default servicing branch for all Windows 10 devices except
>[!NOTE]
>The LTSB edition of Windows 10 is only available through the [Microsoft Volume Licensing Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
-## Assign devices to Current Branch for Business
+## Assign devices to Semi-Annual Channel
+
+>[!IMPORTANT]
+>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products.
+>
+>In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel.
**To assign a single PC locally to CBB**
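Review bot: The heading becomes "Assign devices to Semi-Annual Channel", but the first procedure under it is still titled "To assign a single PC locally to CBB". The IMPORTANT block bridges the two names, yet the procedure title would read better with the new name followed by the legacy abbreviation in parentheses. The first sentence of the IMPORTANT block repeats the sentence added to the TIP earlier in this same file; keep only the CB/CBB mapping sentence here.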
@@ -96,7 +104,7 @@ Enrolling devices in the Windows Insider Program is simple and requires only a M
After enrolling your devices, you are ready to install your first preview build. To do so, go to **Start** > **Settings** > **Update & security** > **Windows Insider Program** to select your Insider level. The device receives the most recent Windows Insider build for the Insider level you select.
The options for Insider level are:
-- **Release Preview**: Insiders on this level receive builds of Windows just before Microsoft releases them for CB. Although these builds aren’t final, they are the most complete and stable builds available to Windows Insider Program participants. This level provides the best testing platform for organizations that conduct early application compatibility testing on Windows Insider PCs.
+- **Release Preview**: Insiders on this level receive builds of Windows just before Microsoft releases them for Semi-Annual Channel. Although these builds aren’t final, they are the most complete and stable builds available to Windows Insider Program participants. This level provides the best testing platform for organizations that conduct early application compatibility testing on Windows Insider PCs.
- **Slow**: The Slow Windows Insider level is for users who enjoy seeing new builds of Windows with minimal risk to their devices but still want to provide feedback to Microsoft about their experience with the new build.
- **Fast**: This level is best for Insiders who would like to be the first to experience new builds of Windows, participate in identifying and reporting issues to Microsoft, and provide suggestions on new functionality.
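Review bot: In the Release Preview bullet, "CB" was replaced with "Semi-Annual Channel", but this patch's own mapping states that CB refers to Semi-Annual Channel (Targeted) and CBB to Semi-Annual Channel. As written, the bullet now describes the former CBB channel. Change it to "the Semi-Annual Channel (Targeted)", which also supplies the missing article.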
@@ -110,9 +118,9 @@ To prevent devices in your enterprise from being enrolled in the Insider Program
- Group Policy: Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\\**Toggle user control over Insider builds**
- MDM: Policy CSP - [System/AllowBuildPreview](https://msdn.microsoft.com/library/windows/hardware/dn904962%28v=vs.85%29.aspx#System_AllowBuildPreview)
-## Switching branches
+## Switching channels
-During the life of a device, it may be necessary or desirable to switch between the available branches. Depending on the branch you are using, the exact mechanism for doing this can be different; some will be simple, others more involved.
+During the life of a device, it may be necessary or desirable to switch between the available channels. Depending on the channel you are using, the exact mechanism for doing this can be different; some will be simple, others more involved.
@@ -122,63 +130,63 @@ During the life of a device, it may be necessary or desirable to switch between
-
From this branch
-
To this branch
+
From this channel
+
To this channel
You need to
Windows Insider Program
-
Current Branch
-
Wait for the final Current Branch release.
+
Semi-Annual Channel (Targeted)
+
Wait for the final Semi-Annual Channel release.
-
Current Branch for Business
-
Not directly possible, because Windows Insider Program devices are automatically upgraded to the Current Branch release at the end of the development cycle.
+
Semi-Annual Channel
+
Not directly possible, because Windows Insider Program devices are automatically upgraded to the Semi-Annual Channel (Targeted) release at the end of the development cycle.
-
Long-Term Servicing Branch
+
Long-Term Servicing Channel
Not directly possible (requires wipe-and-load).
-
Current Branch
+
Semi-Annual Channel (Targeted)
Insider
Use the Settings app to enroll the device in the Windows Insider Program.
-
Current Branch for Business
-
Select the Defer upgrade setting, or move the PC to a target group or flight that will not receive the next upgrade until it is business ready. Note that this change will not have any immediate impact; it only prevents the installation of the next Current Branch release.
+
Semi-Annual Channel
+
Select the Defer upgrade setting, or move the PC to a target group or flight that will not receive the next upgrade until it is business ready. Note that this change will not have any immediate impact; it only prevents the installation of the next Semi-Annual Channel release.
-
Long-Term Servicing Branch
+
Long-Term Servicing Channel
Not directly possible (requires wipe-and-load).
-
Current Branch for Business
+
Semi-Annual Channel
Insider
Use the Settings app to enroll the device in the Windows Insider Program.
-
Current Branch
-
Disable the Defer upgrade setting, or move the device to a target group or flight that will receive the latest Current Branch release.
+
Semi-Annual Channel (Targeted)
+
Disable the Defer upgrade setting, or move the device to a target group or flight that will receive the latest Current Semi-Annual Channel release.
-
Long-Term Servicing Branch
+
Long-Term Servicing Channel
Not directly possible (requires wipe-and-load).
-
Long-Term Servicing Branch
+
Long-Term Servicing Channel
Insider
Use media to upgrade to the latest Windows Insider Program build.
-
Current Branch
-
Use media to upgrade to a later Current Branch build. (Note that the Current Branch build must be a later build.)
+
Long-Term Servicing Channel (Targeted)
+
Use media to upgrade to a later Long-Term Servicing Channel build. (Note that the Long-Term Servicing Channel build must be a later build.)
-
Current Branch for Business
-
Use media to upgrade to a later Current Branch for Business build (Current Branch build plus fixes). Note that it must be a later build.
+
Long-Term Servicing Channel
+
Use media to upgrade to a later Long-Term Servicing Channel for Business build (Long-Term Servicing Channel build plus fixes). Note that it must be a later build.
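Review bot: The rows for a device starting on Long-Term Servicing Channel have been renamed incorrectly. Their destinations were "Current Branch" and "Current Branch for Business" and now read "Long-Term Servicing Channel (Targeted)" and "Long-Term Servicing Channel", with instructions to "upgrade to a later Long-Term Servicing Channel build" and a "Long-Term Servicing Channel for Business build". None of those names exist under the mapping this patch defines; the destinations should be Semi-Annual Channel (Targeted) and Semi-Annual Channel, and the instructions should name those builds. Two smaller leftovers in the same table: "the latest Current Semi-Annual Channel release" still contains the word "Current", and "Wait for the final Semi-Annual Channel release" and "the next Semi-Annual Channel release" both replace "Current Branch", so they need the "(Targeted)" suffix.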
@@ -195,10 +203,10 @@ By enabling the Group Policy setting under **Computer Configuration\Administrati
| | |
| --- | --- |
-|  | [Learn about updates and servicing branches](waas-overview.md) |
+|  | [Learn about updates and servicing channels](waas-overview.md) |
|  | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
|  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
-|  | Assign devices to servicing branches for Windows 10 updates (this topic) |
+|  | Assign devices to servicing channels for Windows 10 updates (this topic) |
|  | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
diff --git a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
index a53ddfc63c..c6cd1ca434 100644
--- a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
+++ b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
ms.author: daniha
---
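Review bot: This front matter gets the ms.localizationpriority rename but no ms.date, although the body of this topic is reworded later in the patch. The quick-start and servicing-channels topics both gain "ms.date: 07/27/2017" in this change, so add the same field here for consistency.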
@@ -27,19 +27,21 @@ In the past, traditional Windows deployments tended to be large, lengthy, and ex
Windows 10 spreads the traditional deployment effort of a Windows upgrade, which typically occurred every few years, over smaller, continuous updates. With this change, you must approach the ongoing deployment and servicing of Windows differently. A strong Windows 10 deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update. Here’s an example of what this process might look like:
-- **Configure test devices.** Configure testing PCs in the Windows Insider Program so that Insiders can test feature updates before they’re available to the Current Branch (CB) servicing branch. Typically, this would be a small number of test machines that IT staff members use to evaluate prereleased builds of Windows. Microsoft provides current development builds to Windows Insider members approximately every week so that interested users can see the functionality Microsoft is adding. See the section Windows Insider for details on how to enroll in the Windows Insider Program on a Windows 10 device.
-- **Identify excluded PCs.** For some organizations, special-purpose devices such as those used to control factory or medical equipment or run ATMs require a stricter, less frequent feature update cycle than CB or Current Branch for Business (CBB) can offer. For those machines, you must install Windows 10 Enterprise LTSB to avoid feature updates for up to 10 years. Identify these PCs, and separate them from the phased deployment and servicing cycles to help remove confusion for your administrators and ensure that devices are handled correctly.
+- **Configure test devices.** Configure testing PCs in the Windows Insider Program so that Insiders can test feature updates before they’re available to the Semi-annual Channel. Typically, this would be a small number of test machines that IT staff members use to evaluate prereleased builds of Windows. Microsoft provides current development builds to Windows Insider members approximately every week so that interested users can see the functionality Microsoft is adding. See the section Windows Insider for details on how to enroll in the Windows Insider Program on a Windows 10 device.
+- **Identify excluded PCs.** For some organizations, special-purpose devices such as those used to control factory or medical equipment or run ATMs require a stricter, less frequent feature update cycle than the Semi-annual Channel can offer. For those machines, you must install Windows 10 Enterprise LTSB to avoid feature updates for up to 10 years. Identify these PCs, and separate them from the phased deployment and servicing cycles to help remove confusion for your administrators and ensure that devices are handled correctly.
- **Recruit volunteers.** The purpose of testing a deployment is to receive feedback. One effective way to recruit pilot users is to request volunteers. When doing so, clearly state that you’re looking for feedback rather than people to just “try it out” and that there could be occasional issues involved with accepting feature updates right away. With Windows as a service, the expectation is that there should be few issues, but if an issue does arise, you want testers to let you know as soon as possible. When considering whom to recruit for pilot groups, be sure to include members who provide the broadest set of applications and devices to validate the largest number of apps and devices possible.
- **Choose a servicing tool.** Decide which product you’ll use to manage the Windows updates in your environment. If you’re currently using Windows Server Update Services (WSUS) or System Center Configuration Manager to manage your Windows updates, you can continue using those products to manage Windows 10 updates. Alternatively, you can use Windows Update for Business. In addition to which product you’ll use, consider how you’ll deliver the updates. With Windows 10, multiple peer-to-peer options are available to make update distribution faster. For a comparison of tools, see [Servicing tools](waas-overview.md#servicing-tools).
- **Prioritize applications.** First, create an application portfolio. This list should include everything installed in your organization and any webpages your organization hosts. Next, prioritize this list to identify those that are the most business critical. Because the expectation is that application compatibility with Windows 10 will be high, only the most business critical applications should be tested before the pilot phase; everything else can be tested afterwards. For more information about identifying compatibility issues withe applications, see [Manage Windows upgrades with Upgrade Analytics](../upgrade/manage-windows-upgrades-with-upgrade-readiness.md).
>[!NOTE]
>This strategy is applicable to approaching an environment in which Windows 10 already exists. For information about how to deploy or upgrade to Windows 10 where another version of Windows exists, see [Plan for Windows 10 deployment](../planning/index.md).
+>
+>>Windows 10 Enterprise LTSB is a separate Long Term Servicing Channel version.
Each time Microsoft releases a Windows 10 feature update, the IT department should use the following high-level process to help ensure that the broad deployment is successful:
1. **Validate compatibility of business critical apps.** Test your most important business-critical applications for compatibility with the new Windows 10 feature update running on your Windows Insider machines identified in the earlier “Configure test machines” step of the Predeployment strategy section. The list of applications involved in this validation process should be small because most applications can be tested during the pilot phase. For more information about device and application compatibility in Windows 10, see the section Compatibility.
-2. **Pilot and react to feedback.** With Windows 10, Microsoft expects application and device compatibility to be high, but it’s still important to have pilot groups within both the IT department and business units to verify application compatibility for the remaining applications in your application portfolio. Because only the most business-critical applications are tested beforehand, this will represent the majority of application compatibility testing in your environment. This should not necessarily be a formal process but rather user validation through the use of a particular application. So, the next step is to deploy the feature update to early-adopting IT users and your pilot groups running in the CB servicing branch that you identified in the “Recruit volunteers” step of the Predeployment strategy section. Be sure to communicate clearly that you’re looking for feedback as soon as possible, and state exactly how users can submit feedback to you. Should an issue arise, have a remediation plan in place to address it.
+2. **Target and react to feedback.** With Windows 10, Microsoft expects application and device compatibility to be high, but it’s still important to have targeted groups within both the IT department and business units to verify application compatibility for the remaining applications in your application portfolio. Because only the most business-critical applications are tested beforehand, this will represent the majority of application compatibility testing in your environment. This should not necessarily be a formal process but rather user validation through the use of a particular application. So, the next step is to deploy the feature update to early-adopting IT users and your targeted groups running in the Semi-annual channel that you identified in the “Recruit volunteers” step of the Predeployment strategy section. Be sure to communicate clearly that you’re looking for feedback as soon as possible, and state exactly how users can submit feedback to you. Should an issue arise, have a remediation plan in place to address it.
3. **Deploy broadly.** Finally, focus on the large-scale deployment using deployment rings, like the ones discussed in Table 1. Build deployment rings that target groups of computers in your selected update-management product. To reduce risk as much as possible, construct your deployment rings in a way that splits individual departments into multiple rings. This way, if you were to encounter an issue, you don’t prevent any critical business from continuing. By using this method, each deployment ring reduces risk as more and more people have been updated in any particular department.
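Review bot: Step 2 is renamed from "Pilot and react to feedback" to "Target and react to feedback" and "pilot groups" becomes "targeted groups", but the surrounding unchanged text still speaks of "pilot users", "pilot groups" and "the pilot phase" (the Recruit volunteers bullet and step 1), so the procedure now uses two terms for the same group. Either keep "pilot" here or update the other occurrences in the same patch. The channel name is also written "Semi-annual Channel" and "Semi-annual channel" in the added lines, against "Semi-Annual Channel" in the other topics. The added NOTE line begins with ">>", which nests a second blockquote inside the note; a single ">" is probably what was meant.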
@@ -47,10 +49,10 @@ Each time Microsoft releases a Windows 10 feature update, the IT department shou
| | |
| --- | --- |
-|  | [Learn about updates and servicing branches](waas-overview.md) |
+|  | [Learn about updates and servicing channels](waas-overview.md) |
|  | Prepare servicing strategy for Windows 10 updates (this topic) |
|  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
-|  | [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) |
+|  | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
|  | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
diff --git a/windows/deployment/update/waas-windows-insider-for-business-aad.md b/windows/deployment/update/waas-windows-insider-for-business-aad.md
index 9b9ebc28ce..9f3bfed774 100644
--- a/windows/deployment/update/waas-windows-insider-for-business-aad.md
+++ b/windows/deployment/update/waas-windows-insider-for-business-aad.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
ms.author: daniha
---
diff --git a/windows/deployment/update/waas-windows-insider-for-business-faq.md b/windows/deployment/update/waas-windows-insider-for-business-faq.md
index 4ad1cd7e3f..7115a9f6d5 100644
--- a/windows/deployment/update/waas-windows-insider-for-business-faq.md
+++ b/windows/deployment/update/waas-windows-insider-for-business-faq.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
ms.author: daniha
---
diff --git a/windows/deployment/update/waas-windows-insider-for-business.md b/windows/deployment/update/waas-windows-insider-for-business.md
index 4a57a47307..333ee70f35 100644
--- a/windows/deployment/update/waas-windows-insider-for-business.md
+++ b/windows/deployment/update/waas-windows-insider-for-business.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
ms.author: daniha
---
diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md
index 006e2e91e3..8e83c58fd6 100644
--- a/windows/deployment/update/waas-wu-settings.md
+++ b/windows/deployment/update/waas-wu-settings.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
ms.author: daniha
ms.date: 05/16/2017
---
diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md
index 5833d568ae..139a173b93 100644
--- a/windows/deployment/update/waas-wufb-group-policy.md
+++ b/windows/deployment/update/waas-wufb-group-policy.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
ms.author: daniha
---
@@ -18,6 +18,11 @@ ms.author: daniha
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+>[!IMPORTANT]
+>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products.
+>
+>In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel.
+
Using Group Policy to manage Windows Update for Business is simple and familiar: use the same Group Policy Management Console (GPMC) you use to manage other device and user policy settings in your environment. Before configuring the Windows Update for Business Group Policy settings, consider a [deployment strategy](waas-servicing-strategy-windows-10-updates.md) for updates and feature updates in your environment.
In Windows 10 version 1511, only Current Branch for Business (CBB) upgrades could be delayed, restricting the Current Branch (CB) builds to a single deployment ring. Windows 10 version 1607, however, has a new Group Policy setting that allows you to delay feature updates for both CB and CBB, broadening the use of the CB servicing branch.
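Review bot: the added IMPORTANT note reads "CB,CBB and LTSB" with no space after the first comma; make it "CB, CBB, and LTSB". The second sentence also needs a comma after "In the following settings". The identical note is added to waas-wufb-intune.md in this patch, so correct both copies together.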
@@ -339,7 +344,7 @@ The **Ring 4 Broad business users** deployment ring has now been configured. Fin
- [Overview of Windows as a service](waas-overview.md)
- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
-- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
diff --git a/windows/deployment/update/waas-wufb-intune.md b/windows/deployment/update/waas-wufb-intune.md
index 8375a45ceb..5faa58e16a 100644
--- a/windows/deployment/update/waas-wufb-intune.md
+++ b/windows/deployment/update/waas-wufb-intune.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
ms.author: daniha
---
@@ -19,6 +19,11 @@ ms.author: daniha
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+>[!IMPORTANT]
+>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products.
+>
+>In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel.
+
You can use Intune to configure Windows Update for Business even if you don’t have on-premises infrastructure when you use Intune in conjunction with Azure AD. Before configuring Windows Update for Business, consider a [deployment strategy](waas-servicing-strategy-windows-10-updates.md) for updates and feature updates in your environment.
Windows Update for Business in Windows 10 version 1511 allows you to delay quality updates up to 4 weeks and feature updates up to an additional 8 months after Microsoft releases builds to the Current Branch for Business (CBB) servicing branch. In Windows 10 version 1607 and later, you can delay quality updates for up to 30 days and feature updates up to an additional 180 days after the release of either a Current Branch (CB) or CBB build.
@@ -262,7 +267,7 @@ You have now configured the **Ring 4 Broad business users** deployment ring to r
- [Overview of Windows as a service](waas-overview.md)
- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
-- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
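Review bot: the related-topics link now points at waas-servicing-channels-windows-10-updates.md, so the file rename (or a redirect from waas-servicing-branches-windows-10-updates.md) has to land in the same change, otherwise this link and the matching one in waas-wufb-group-policy.md will break. Confirm the rename is part of this patch before merging.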
diff --git a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
index 7df51a183e..81aed1c722 100644
--- a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
+++ b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
-localizationpriority: high
+ms.localizationpriority: high
---
# Resolve Windows 10 upgrade errors : Technical information for IT Pros
@@ -686,9 +686,13 @@ The installation failed in the FIRST_BOOT phase with an error during MIGRATE_DAT
Mitigation
-[Analyze log files](#analyze-log-files) in order to determine the files that are blocking data migration.
+[Analyze log files](#analyze-log-files) in order to determine the files or registry entires that are blocking data migration.
-Note: This error can occur if Active Directory integrated user accounts exist on the computer, but these accounts are no longer present in Active Directory. To repair this error, delete the invalid accounts from the **Users** directory on the local computer and restart the upgrade process.
+This error can be due to a problem with user profiles. It can occur due to corrupt registry entries under **HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList** or invalid files in the **\\Users** directory.
+
+Note: If a previous upgrade did not complete, invalid profiles might exist in the **Windows.old\\Users** directory.
+
+To repair this error, ensure that deleted accounts are not still present in the Windows registry and that files under the \\Users directory are valid. Delete the invalid files or user profiles that are causing this error. The specific files and profiles that are causing the error will be recorded in the Windows setup log files.
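Review bot: typo in the new mitigation sentence, "registry entires" should be "registry entries". Path formatting in the added lines is also inconsistent: **\\Users** is bold in the second paragraph, but "\\Users directory" is plain in the last one. Because the repair step tells readers to delete profiles and entries under ProfileList, consider adding a sentence recommending an export of that key and a copy of the affected profile folders before anything is deleted.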
diff --git a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md
index fa59c94780..c3ef73e060 100644
--- a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md
+++ b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md
@@ -13,11 +13,11 @@ author: greg-lindsay
To automate the steps provided in [Get started with Upgrade Readiness](upgrade-readiness-get-started.md), and to troubleshoot data sharing issues, you can run the [Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409), developed by Microsoft.
>[!IMPORTANT]
->Upgrade Readiness was previously called Upgrade Analytics. References to Upgrade Analytics in any scripts or online content pertain to the Upgrade Readiness solution.
+>Upgrade Readiness was previously called Upgrade Analytics. References to Upgrade Analytics in any scripts or online content pertain to the Upgrade Readiness solution.
For detailed information about using the Upgrade Readiness (also known as upgrade analytics) deployment script, see the [Upgrade Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics/2016/09/20/new-version-of-the-upgrade-analytics-deployment-script-available/).
-> The following guidance applies to version 11.11.16 or later of the Upgrade Readiness deployment script. If you are using an older version, please download the latest from the [Download Center](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409).
+> The following guidance applies to version 11.11.16 or later of the Upgrade Readiness deployment script. If you are using an older version, download the latest from the [Download Center](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409).
The Upgrade Readiness deployment script does the following:
@@ -31,7 +31,7 @@ The Upgrade Readiness deployment script does the following:
To run the Upgrade Readiness deployment script:
-1. Download the [Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and extract the .zip file. Inside, there are two folders: **Pilot** and **Deployment**. The **Pilot** folder contains advanced logging that can help troubleshoot issues and is intended to be run from an elevated command prompt. The **Deployment** folder offers a lightweight script intended for broad deployment through ConfigMgr or other software deployment system. We recommend manually running the Pilot version of the script on 5-10 machines to verify that everything is configured correctly. Once you have confirmed that data is flowing successfully, proceed to run the Deployment version throughout your organization.
+1. Download the [Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and extract the .zip file. Inside, there are two folders: **Pilot** and **Deployment**. The **Pilot** folder contains advanced logging that can help troubleshoot issues and is intended to be run from an elevated command prompt. The **Deployment** folder offers a lightweight script intended for broad deployment through ConfigMgr or other software deployment system. We recommend manually running the Pilot version of the script on 5-10 machines to verify that everything is configured correctly. Once you have confirmed that data is flowing successfully, proceed to run the Deployment version throughout your organization.
2. Edit the following parameters in RunConfig.bat:
@@ -66,7 +66,7 @@ To run the Upgrade Readiness deployment script:
\*vortex\*.data.microsoft.com
\*settings\*.data.microsoft.com
-5. After you finish editing the parameters in RunConfig.bat, you are ready to run the script. If you are using the Pilot version, run RunConfig.bat from an elevated command prompt. If you are using the Deployment version, use ConfigMgr or other software deployment service to run RunConfig.bat as system.
+5. After you finish editing the parameters in RunConfig.bat, you are ready to run the script. If you are using the Pilot version, run RunConfig.bat from an elevated command prompt. If you are using the Deployment version, use ConfigMgr or other software deployment service to run RunConfig.bat as system.
The deployment script displays the following exit codes to let you know if it was successful, or if an error was encountered.
@@ -81,7 +81,7 @@ The deployment script displays the following exit codes to let you know if it wa
1 - Unexpected error occurred while executiEng the script.
-
The files in the deployment script are likely corrupted. Download the [latest script](https://go.microsoft.com/fwlink/?LinkID=822966) from the download center and try again.
+
The files in the deployment script are likely corrupted. Download the [latest script](https://go.microsoft.com/fwlink/?LinkID=822966) from the download center and try again.
2 - Error when logging to console. $logMode = 0. (console only)
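Review bot: the context row directly above the changed line still reads "executiEng the script"; this hunk only adjusts whitespace in that same table row, so correct the typo to "executing" while the row is being touched.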
@@ -132,15 +132,16 @@ The deployment script displays the following exit codes to let you know if it wa
13 - Can’t connect to Microsoft - setting.
-
An error occurred connecting to https://settings.data.microsoft.com/qos. This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing).
+
An error occurred connecting to https://settings.data.microsoft.com/qos. This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing). Verify that the required endpoints are whitelisted correctly. See Whitelist select endpoints for more details.
+14
14 - Can’t connect to Microsoft - compatexchange.
-
An error occurred connecting to https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc . This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing).
+
An error occurred connecting to https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc. This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing).
15 - Function CheckVortexConnectivity failed with an unexpected exception.
-
This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing). Check the logs for the exception message and the HResult.
+
This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing). Check the logs for the exception message and the HResult.
16 - The computer requires a reboot before running the script.
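Review bot: a stray "+14" line is added immediately before the "14 - Can't connect to Microsoft - compatexchange" row; it looks like an editing leftover and will render as orphan text in the table, so remove it. The exit code 13 row also now says the same thing twice ("verify that the required endpoints are correctly whitelisted" followed by "Verify that the required endpoints are whitelisted correctly"), and "See Whitelist select endpoints for more details" names a section without linking to it. Drop the duplicate sentence or turn the reference into a real link.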
@@ -196,10 +197,10 @@ The deployment script displays the following exit codes to let you know if it wa
29 - Connectivity check failed for proxy authentication.
-
Install the cumulative updates on the computer and enable the **DisableEnterpriseAuthProxy** authentication proxy setting.
+
Instal cumulative updates on the computer and enable the **DisableEnterpriseAuthProxy** authentication proxy setting.
The **DisableEnterpriseAuthProxy** setting is enabled by default for Windows 7.
For Windows 8.1 computers, set the **DisableEnterpriseAuthProxy** setting to **0** (not disabled).
- For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688).
+ For more information on authentication proxy support, see [Authentication proxy support added in new version (12.28.16) of the Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?linkid=838688).
30 - Connectivity check failed. Registry key property **DisableEnterpriseAuthProxy** is not enabled.
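Review bot: the rewritten remediation for exit code 29 introduces a typo, "Instal cumulative updates" should be "Install". Removing "the" also makes it unclear which updates are meant. Separately, "enable the **DisableEnterpriseAuthProxy** authentication proxy setting" is hard to reconcile with the following lines, which say the setting is "enabled by default for Windows 7" and should be set to "**0** (not disabled)" on Windows 8.1; state the expected registry value explicitly in each case so readers do not have to interpret a double negative.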
@@ -209,7 +210,7 @@ The deployment script displays the following exit codes to let you know if it wa
31 - There is more than one instance of the Upgrade Readiness data collector running at the same time on this computer.
-
Use the Windows Task Manager to check if **CompatTelRunner.exe** is running, and wait until it has completed to rerun the script. The Upgrade Readiness task is scheduled to run daily at 3 a.m.
+
Use the Windows Task Manager to check if **CompatTelRunner.exe** is running, and wait until it has completed to rerun the script. The Upgrade Readiness task is scheduled to run daily at 3 a.m.
32 - Appraiser version on the machine is outdated.
@@ -217,7 +218,7 @@ The deployment script displays the following exit codes to let you know if it wa
33 - **CompatTelRunner.exe** exited with an exit code
-
**CompatTelRunner.exe** runs the appraise task on the machine. If it fails, it will provide a specific exit code. The script will return exit code 33 when **CompatTelRunner.exe** itself exits with an exit code. Please check the logs for more details.
+
**CompatTelRunner.exe** runs the appraise task on the machine. If it fails, it will provide a specific exit code. The script will return exit code 33 when **CompatTelRunner.exe** itself exits with an exit code. Check the logs for more details. Also see the **Note** following this table for additional steps to follow.
34 - Function **CheckProxySettings** failed with an unexpected exception.
@@ -278,7 +279,49 @@ The deployment script displays the following exit codes to let you know if it wa
48 - **CommercialID** mentioned in RunConfig.bat should be a GUID.
-
**CommercialID** is mentioned in RunConfig.bat, but it is not a GUID. Copy the commercialID from your workspace. To find the commercialID, in the OMS portal click **Upgrade Readiness > Settings**.
+
**CommercialID** is mentioned in RunConfig.bat, but it is not a GUID. Copy the commercialID from your workspace. To find the commercialID, in the OMS portal click **Upgrade Readiness > Settings**.
+
+
+
50 - Diagtrack Service is not running.
+
Diagtrack Service is required to send data to Microsoft. Enable and run the 'Connected User Experiences and Telemetry' service.
+
+
+
51 - RunCensus failed with an unexpected exception.
+
RunCensus explitly runs the process used to collect device information. The method failed with an unexpected exception. Check the ExceptionHResult and ExceptionMessage for more details.
+
+
+
52 - DeviceCensus.exe not found on a Windows 10 machine.
+
On computers running Windows 10, the process devicecensus.exe should be present in the \system32 folder. Error code 52 is returned if the process was not found. Ensure that it exists at the specified location.
+
+
+
53 - There is a different CommercialID present at the GPO path: "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection". This will take precedence over the CommercialID provided in the script.
+
Provide the correct CommercialID at the GPO location.
+>[!NOTE]
+>**Additional steps to follow if you receive exit code 33**
+
+>Check the exit code for any of these messages:
+>
+>- CompatTelRunner.exe exited with last error code: 0x800703F1
+>- CompatTelRunner.exe exited with last error code: 0x80070005
+>- CompatTelRunner.exe exited with last error code: 0x80080005
+>
+>
+>If the exit code includes any of those messages, then run these commands from an elevated command prompt:
+>
+>1. Net stop diagtrack
+>2. Net stop pcasvc
+>3. Net stop dps
+>4. Del %windir%\appcompat\programs\amcache.hve
+>5. reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags" /v AmiHivePermissionsCorrect /f
+>6. reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags" /v LogFlags /t REG_DWORD /d 4 /f
+>7. Net start diagtrack
+>8. Net start pcasvc
+>9. Net start dps
+>
+>Then run the Enterprise Config script (RunConfig.bat) again.
+>
+>If the script still fails, then send mail to **uasupport@microsoft.com** including log files from the RunConfig.bat script. These log files are stored on the drive that is specified in the RunConfig.bat file. By default this is set to **%SystemDrive%\UADiagnostics**. The log file is named with the format **UA_yyyy_mm_dd_hh_mm_ss_machineID.txt**. There will be some additional logs generated under your **\Windows\Temp** directory with the names similar to **AslLog_....txt**. You should send those logs as well.
+
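Review bot: the new NOTE block is broken by the bare blank line after "**Additional steps to follow if you receive exit code 33**": that line has no ">" prefix, so the alert ends there and the remainder renders as a separate blockquote. Prefix it with ">" like the other blank lines in the block. In the exit code 51 row, "explitly" should be "explicitly". "Check the exit code for any of these messages" is imprecise, since the three items listed are messages rather than exit codes; say where the reader should look for them. The nine commands would be safer to copy from a fenced block than from a numbered list, and step 4 should carry a sentence noting that deleting amcache.hve discards the application-execution inventory that investigators commonly rely on, so the file should be copied aside first on machines where that history matters.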
diff --git a/windows/deployment/upgrade/upgrade-readiness-get-started.md b/windows/deployment/upgrade/upgrade-readiness-get-started.md
index 937be3b7e3..8681080388 100644
--- a/windows/deployment/upgrade/upgrade-readiness-get-started.md
+++ b/windows/deployment/upgrade/upgrade-readiness-get-started.md
@@ -138,7 +138,7 @@ To ensure that user computers are receiving the most up to date data from Micros
- Schedule the Upgrade Readiness deployment script to automatically run so that you don’t have to manually initiate an inventory scan each time the compatibility update KBs are updated.
- Schedule monthly user computer scans to view monthly active computer and usage information.
->When you run the deployment script, it initiates a full scan. The daily scheduled task to capture the deltas are created when the update package is installed. A full scan averages to about 2 MB, but the delta scans are very small. For Windows 10 devices, its already part of the OS. This is the **Windows Compat Appraiser** task. Deltas are invoked via the nightly scheduled task. It attempts to run around 3AM, but if system is off at that time, the task will run when the system is turned on.
+>When you run the deployment script, it initiates a full scan. The daily scheduled task to capture the deltas is created when the update package is installed. For Windows 10 devices, it's already part of the OS. A full scan averages about 2 MB, but the delta scans are very small. The scheduled task is named **Windows Compatibility Appraiser** and can be found in the Task Scheduler Library under Microsoft > Windows > Application Experience. Deltas are invoked via the nightly scheduled task. It attempts to run around 3:00AM every day. If the system is powered off at that time, the task will run when the system is turned on.
### Distribute the deployment script at scale
diff --git a/windows/deployment/upgrade/upgrade-readiness-requirements.md b/windows/deployment/upgrade/upgrade-readiness-requirements.md
index eb98ebd2cf..687130e800 100644
--- a/windows/deployment/upgrade/upgrade-readiness-requirements.md
+++ b/windows/deployment/upgrade/upgrade-readiness-requirements.md
@@ -30,7 +30,7 @@ See [Windows 10 Specifications](http://www.microsoft.com/en-US/windows/windows-1
Keeping Windows 10 up to date involves deploying a feature update, and Upgrade Readiness tools help you prepare and plan for these Windows updates.
The latest cumulative updates must be installed on Windows 10 computers to make sure that the required compatibility KBs are installed. You can find the latest cumulative update on the [Microsoft Update Catalog](https://catalog.update.microsoft.com).
-Windows 10 LTSB is not supported by Upgrade Readiness. The LTSB (long term servicing branch) of Windows 10 is not intended for general deployment, and does not receive feature updates, therefore it is not compatible with Upgrade Readiness. See [Windows as a service overview](../update/waas-overview.md#long-term-servicing-branch) to understand more about LTSB.
+Windows 10 LTSB is not supported by Upgrade Readiness. The Long-Term Servicing Channel of Windows 10 is not intended for general deployment, and does not receive feature updates, therefore it is not compatible with Upgrade Readiness. See [Windows as a service overview](../update/waas-overview.md#long-term-servicing-channel) to understand more about LTSB.
## Operations Management Suite
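Review bot: the rewritten paragraph mixes old and new names: it opens with "Windows 10 LTSB is not supported", switches to "The Long-Term Servicing Channel of Windows 10", and ends with "to understand more about LTSB". Introduce the mapping once, for example "Long-Term Servicing Channel (LTSC, formerly LTSB)", or use one term throughout. The link anchor also changes to #long-term-servicing-channel, so confirm that the heading in waas-overview.md is renamed in the same change.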
diff --git a/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md b/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md
index 16a4afb7a6..f0e227a621 100644
--- a/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md
+++ b/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md
@@ -4,7 +4,7 @@ description: The simplest path to upgrade PCs currently running Windows 7, Wind
ms.assetid: F8DF6191-0DB0-4EF5-A9B1-6A11D5DE4878
keywords: upgrade, update, task sequence, deploy
ms.prod: w10
-localizationpriority: high
+ms.localizationpriority: high
ms.mktglfcycl: deploy
author: mtniehaus
---
diff --git a/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
index 1f11512559..85e7a02389 100644
--- a/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
+++ b/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
@@ -5,7 +5,7 @@ ms.assetid: B8993151-3C1E-4F22-93F4-2C5F2771A460
keywords: upgrade, update, task sequence, deploy
ms.prod: w10
ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus
diff --git a/windows/deployment/upgrade/upgrade-windows-phone-8-1-to-10.md b/windows/deployment/upgrade/upgrade-windows-phone-8-1-to-10.md
index 311e03efba..1a3d373bbe 100644
--- a/windows/deployment/upgrade/upgrade-windows-phone-8-1-to-10.md
+++ b/windows/deployment/upgrade/upgrade-windows-phone-8-1-to-10.md
@@ -4,7 +4,7 @@ description: This article describes how to upgrade eligible Windows Phone 8.1 de
keywords: upgrade, update, windows, phone, windows 10, mdm, mobile
ms.prod: w10
ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: Jamiejdt
diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md
index c42d403a33..e98e9e3167 100644
--- a/windows/deployment/upgrade/windows-10-edition-upgrades.md
+++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md
@@ -4,7 +4,7 @@ description: With Windows 10, you can quickly upgrade from one edition of Windo
ms.assetid: A7642E90-A3E7-4A25-8044-C4E402DC462A
ms.prod: w10
ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
ms.sitesec: library
ms.pagetype: mobile
author: greg-lindsay
diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md
index 195aaaa374..7b48b01727 100644
--- a/windows/deployment/upgrade/windows-10-upgrade-paths.md
+++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md
@@ -4,7 +4,7 @@ description: You can upgrade to Windows 10 from a previous version of Windows if
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
-localizationpriority: high
+ms.localizationpriority: high
ms.pagetype: mobile
author: greg-lindsay
---
diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md
new file mode 100644
index 0000000000..4954192798
--- /dev/null
+++ b/windows/deployment/vda-subscription-activation.md
@@ -0,0 +1,92 @@
+---
+title: Configure VDA for Windows 10 Subscription Activation
+description: How to enable Windows 10 Enterprise E3 and E5 subscriptions for VDA
+keywords: upgrade, update, task sequence, deploy
+ms.prod: w10
+ms.mktglfcycl: deploy
+localizationpriority: high
+ms.sitesec: library
+ms.pagetype: mdt
+author: greg-lindsay
+---
+
+# Configure VDA for Windows 10 Subscription Activation
+
+<<<<<<< HEAD
+This document describes how to configure virtual machines (VMs) to enable [Windows 10 Subscription Activation](windows-10-enterprise-subscription-activation.md) in a Windows Virtual Desktop Access (VDA) scenario. Windows VDA is a device or user-based license.
+=======
+This document describes how to configure virtual machines (VMs) to enable [Windows 10 Subscription Activation](windows-10-enterprise-subscription-activation.md) in a Windows Virtual Desktop Access (VDA) scenario. Windows VDA is a device or user-based licensing mechanism for managing access to virtual desktops.
+>>>>>>> 9cfade7b4735548209a42a177179689a7e522ec6
+
+## Requirements
+
+- VMs must be running Windows 10 Pro, version 1703 (also known as the Creator's Update) or later.
+- VMs must be Active Directory-joined or Azure Active Directory-joined.
+- VMs must be generation 1.
+- VMs must hosted by a [Qualified Multitenant Hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx).
+
+## Active Directory-joined VMs
+
+1. Use the following instructions to prepare the VM for Azure: [Prepare a Windows VHD or VHDX to upload to Azure](https://docs.microsoft.com/azure/virtual-machines/windows/prepare-for-upload-vhd-image)
+2. (Optional) To disable network level authentication, type the following at an elevated command prompt:
+
+ ```
+ REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
+ ```
+
+3. At an elevated command prompt, type **sysdm.cpl** and press ENTER.
+4. On the Remote tab, choose **Allow remote connections to this computer** and then click **Select Users**.
+5. Click **Add**, type **Authenticated users**, and then click **OK** three times.
+6. Follow the instructions to use sysprep at [Steps to generalize a VHD](https://docs.microsoft.com/azure/virtual-machines/windows/prepare-for-upload-vhd-image#steps-to-generalize-a-vhd).
+7. [Install Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd).
+8. Open Windows Configuration Designer and click **Provison desktop services**.
+9. Under **Name**, type **Desktop AD Enrollment Pro GVLK**, click **Finish**, and then on the **Set up device** page enter a device name.
+ - Note: You can use a different project name, but this name is also used with dism.exe in a subsequent step.
+10. Under **Enter product key** type the Pro GVLK key: **W269N-WFGWX-YVC9B-4J6C9-T83GX**.
+11. On the Set up network page, choose **Off**.
+12. On the Account Management page, choose **Enroll into Active Directory** and then enter the account details.
+ - Note: This step is different for [Azure AD-joined VMs](#azure-active-directory-joined-vms).
+13. On the Add applications page, add applications if desired. This step is optional.
+14. On the Add certificates page, add certificates if desired. This step is optional.
+15. On the Finish page, click **Create**.
+16. In file explorer, double-click the VHD to mount the disk image. Determine the drive letter of the mounted image.
+17. Type the following at an elevated commnand prompt. Replace the letter **G** with the drive letter of the mounted image, and enter the project name you used if it is different than the one suggested:
+
+ ```
+ Dism.exe /Image=G:\ /Add-ProvisioningPackage /PackagePath: "Desktop AD Enrollment Pro GVLK.ppkg"
+ ```
+18. Right-click the mounted image in file explorer and click **Eject**.
+19. See instructions at [Upload and create VM from generalized VHD](https://docs.microsoft.com/azure/virtual-machines/windows/upload-generalized-managed#log-in-to-azure) to log in to Azure, get your storage account details, upload the VHD, and create a managed image.
+
+## Azure Active Directory-joined VMs
+
+>[!IMPORTANT]
+>Azure Active Directory (Azure AD) provisioning packages have a 30 day limit on bulk token usage. You will need to update the provisioning package and re-inject it into the image after 30 days. Existing virtual machines that are Azure AD-joined and deployed will not need to be recreated.
+
+For Azure AD-joined VMs, follow the same instructions (above) as for [Active Directory-joined VMs](#active-directory-joined-vms) with the following exceptions:
+- In step 9, during setup with Windows Configuration Designer, under **Name**, type a name for the project that indicates it is not for Active Directory joined VMs, such as **Desktop Bulk Enrollment Token Pro GVLK**.
+- In step 12, during setup with Windows Configuration Designer, on the Account Management page, instead of enrolling in Active Directory, choose **Enroll in Azure AD**, click **Get Bulk Token**, sign in and add the bulk token using your organization's credentials.
+- In step 17, when entering the PackagePath, use the project name you entered in step 9 (ex: **Desktop Bulk Enrollment Token Pro GVLK.ppkg**)
+- When attempting to access the VM using remote desktop, you will need to create a custom RDP settings file as described below.
+
+To create custom RDP settings for Azure:
+
+1. Open Remote Desktop Connection and enter the IP address or DNS name for the remote host.
+2. Click **Show Options**, and then under Connection settings click **Save As** and save the RDP file to the location where you will use it.
+3. Close the Remote Desktop Connection window and open Notepad.
+4. Drag the RDP file into the Notepad window to edit it.
+5. Enter or replace the line that specifies authentication level with the following two lines of text:
+
+ ```text
+ enablecredsspsupport:i:0
+ authentication level:i:2
+ ```
+6. **enablecredsspsupport** and **authentication level** should each appear only once in the file.
+7. Save your changes, and then use this custom RDP file with your Azure AD credentials to connect to the Azure VM.
+
+## Related topics
+
+[Windows 10 Subscription Activation](windows-10-enterprise-subscription-activation.md)
+ [Recommended settings for VDI desktops](https://docs.microsoft.com/windows-server/remote/remote-desktop-services/rds-vdi-recommendations)
+ [Licensing the Windows Desktop for VDI Environments](http://download.microsoft.com/download/1/1/4/114A45DD-A1F7-4910-81FD-6CAF401077D0/Microsoft%20VDI%20and%20VDA%20FAQ%20v3%200.pdf)
+
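Review bot: Step 5 of the custom RDP procedure sets `enablecredsspsupport:i:0` without saying what that gives up. Disabling CredSSP turns off Network Level Authentication for connections made with this file, so credentials are typed into the remote logon screen after the session is established, and `authentication level:i:2` only warns when server authentication fails rather than refusing the connection. Suggest adding a sentence that explains why Azure AD-joined VMs need these values and that the file should be used only for those VMs, not as a general RDP template. Two smaller points: step 6 is a constraint on step 5 rather than an action and reads better folded into it, and the "Licensing the Windows Desktop for VDI Environments" link under Related topics is plain `http://` for a PDF download; use `https://` if the host serves it.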
diff --git a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
index 0a6428d6c9..095d461e1e 100644
--- a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
+++ b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: activation
author: greg-lindsay
-localizationpriority: high
+ms.localizationpriority: high
---
# Activate using Active Directory-based activation
diff --git a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
index 9b9225de42..57fdf3e0a6 100644
--- a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
+++ b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: activation
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# Activate using Key Management Service
diff --git a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md
index acf1786ec8..2a3c80b8b2 100644
--- a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md
+++ b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: activation
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# Activate clients running Windows 10
diff --git a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md
index 1ea07efda6..ca6ec523b8 100644
--- a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md
+++ b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: activation
author: jdeckerms
-localizationpriority: medium
+ms.localizationpriority: medium
---
# Appendix: Information sent to Microsoft during activation
**Applies to**
diff --git a/windows/deployment/volume-activation/install-configure-vamt.md b/windows/deployment/volume-activation/install-configure-vamt.md
index 3c4cd55263..d141c48130 100644
--- a/windows/deployment/volume-activation/install-configure-vamt.md
+++ b/windows/deployment/volume-activation/install-configure-vamt.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: activation
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# Install and Configure VAMT
diff --git a/windows/deployment/volume-activation/install-kms-client-key-vamt.md b/windows/deployment/volume-activation/install-kms-client-key-vamt.md
index 5a296869a0..1aecc1fd56 100644
--- a/windows/deployment/volume-activation/install-kms-client-key-vamt.md
+++ b/windows/deployment/volume-activation/install-kms-client-key-vamt.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: activation
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# Install a KMS Client Key
diff --git a/windows/deployment/volume-activation/install-product-key-vamt.md b/windows/deployment/volume-activation/install-product-key-vamt.md
index 0418bd6a7c..623f14c7bd 100644
--- a/windows/deployment/volume-activation/install-product-key-vamt.md
+++ b/windows/deployment/volume-activation/install-product-key-vamt.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: activation
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# Install a Product Key
diff --git a/windows/deployment/volume-activation/install-vamt.md b/windows/deployment/volume-activation/install-vamt.md
index 767086f01e..f20fa8522a 100644
--- a/windows/deployment/volume-activation/install-vamt.md
+++ b/windows/deployment/volume-activation/install-vamt.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: activation
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# Install VAMT
diff --git a/windows/deployment/volume-activation/monitor-activation-client.md b/windows/deployment/volume-activation/monitor-activation-client.md
index 215c706ab1..ffe55fe3ad 100644
--- a/windows/deployment/volume-activation/monitor-activation-client.md
+++ b/windows/deployment/volume-activation/monitor-activation-client.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: activation
author: greg-lindsay
-localizationpriority: medium
+ms.localizationpriority: medium
---
# Monitor activation
diff --git a/windows/deployment/volume-activation/plan-for-volume-activation-client.md b/windows/deployment/volume-activation/plan-for-volume-activation-client.md
index 93bf083b08..37335d3504 100644
--- a/windows/deployment/volume-activation/plan-for-volume-activation-client.md
+++ b/windows/deployment/volume-activation/plan-for-volume-activation-client.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: activation
author: jdeckerms
-localizationpriority: medium
+ms.localizationpriority: medium
---
# Plan for volume activation
diff --git a/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md b/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md
index 0322aa4208..b81e84356d 100644
--- a/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md
+++ b/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: activation
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# Use the Volume Activation Management Tool
diff --git a/windows/deployment/volume-activation/volume-activation-windows-10.md b/windows/deployment/volume-activation/volume-activation-windows-10.md
index a9746eeb19..d7cc0b2c2a 100644
--- a/windows/deployment/volume-activation/volume-activation-windows-10.md
+++ b/windows/deployment/volume-activation/volume-activation-windows-10.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: activation
author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
---
# Volume Activation for Windows 10
diff --git a/windows/deployment/windows-10-auto-pilot.md b/windows/deployment/windows-10-auto-pilot.md
index adf60da2d7..4bcaef04a8 100644
--- a/windows/deployment/windows-10-auto-pilot.md
+++ b/windows/deployment/windows-10-auto-pilot.md
@@ -4,7 +4,7 @@ description: This topic goes over Windows AutoPilot and how it helps setup OOBE
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
ms.sitesec: library
ms.pagetype: deploy
author: DaniHalfin
diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md
index 9c89248ded..242f5aa4e7 100644
--- a/windows/deployment/windows-10-deployment-scenarios.md
+++ b/windows/deployment/windows-10-deployment-scenarios.md
@@ -5,7 +5,7 @@ ms.assetid: 7A29D546-52CC-482C-8870-8123C7DC04B5
keywords: upgrade, in-place, configuration, deploy
ms.prod: w10
ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
ms.sitesec: library
author: mtniehaus
---
diff --git a/windows/deployment/windows-10-enterprise-e3-overview.md b/windows/deployment/windows-10-enterprise-e3-overview.md
index 5e807ab7d6..f76208ce9c 100644
--- a/windows/deployment/windows-10-enterprise-e3-overview.md
+++ b/windows/deployment/windows-10-enterprise-e3-overview.md
@@ -1,21 +1,20 @@
---
-title: Windows 10 Enterprise E3 in CSP overview
+title: Windows 10 Enterprise E3 in CSP
description: Describes Windows 10 Enterprise E3, an offering that delivers, by subscription, the features of Windows 10 Enterprise edition.
keywords: upgrade, update, task sequence, deploy
ms.prod: w10
ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: greg-lindsay
---
-# Windows 10 Enterprise E3 in CSP overview
+# Windows 10 Enterprise E3 in CSP
Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. Windows 10 Enterprise E3 in CSP is a new offering that delivers, by subscription, exclusive features reserved for Windows 10 Enterprise edition. This offering is available through the Cloud Solution Provider (CSP) channel via the Partner Center as an online service. Windows 10 Enterprise E3 in CSP provides a flexible, per-user subscription for small- and medium-sized organizations (from one to hundreds of users). To take advantage of this offering, you must have the following:
- Windows 10 Pro, version 1607 (also known as Windows 10 Anniversary Update) or later installed on the devices to be upgraded
-
- Azure Active Directory (Azure AD) available for identity management
Starting with Windows 10, version 1607 (Windows 10 Anniversary Update), you can move from Windows 10 Pro to Windows 10 Enterprise more easily than ever before—no keys and no reboots. After one of your users enters the Azure AD credentials associated with a Windows 10 Enterprise E3 license, the operating system turns from Windows 10 Pro to Windows 10 Enterprise and all the appropriate Windows 10 Enterprise features are unlocked. When a subscription license expires or is transferred to another user, the Windows 10 Enterprise device seamlessly steps back down to Windows 10 Pro.
@@ -134,151 +133,9 @@ Windows 10 Enterprise edition has a number of features that are unavailable in
-## Preparing for deployment of Windows 10 Enterprise E3 licenses
+## Deployment of Windows 10 Enterprise E3 licenses
-You probably have on-premises Active Directory Domain Services (AD DS) domains. Users will use their domain-based credentials to sign in to the AD DS domain. Before you start deploying Windows 10 Enterprise E3 licenses to users, you need to synchronize the identities in the on-premises AD DS domain with Azure AD.
-
-You might ask why you need to synchronize these identities. The answer is so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10 Enterprise E3). This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them.
-
-**Figure 1** illustrates the integration between the on-premises AD DS domain with Azure AD. [Microsoft Azure Active Directory Connect](http://www.microsoft.com/en-us/download/details.aspx?id=47594) (Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure.
-
-
-
-**Figure 1. On-premises AD DS integrated with Azure AD**
-
-For more information about integrating on-premises AD DS domains with Azure AD, see the following resources:
-
-- [Integrating your on-premises identities with Azure Active Directory](http://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/)
-- [Azure AD + Domain Join + Windows 10](https://blogs.technet.microsoft.com/enterprisemobility/2016/02/17/azure-ad-domain-join-windows-10/)
-
-### Preparing for deployment: reviewing requirements
-
-Devices must be running Windows 10 Pro, version 1607, and be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this topic.
-
-
-
-## Explore the upgrade experience
-
-Now that your subscription has been established (by the partner who you work with) and Windows 10 Enterprise E3 licenses have been assigned to users, the users are ready to upgrade their devices running Windows 10 Pro, version 1607 edition to Windows 10 Enterprise edition. So what will the users experience? How will they upgrade their devices?
-
-### Step 1: Join users’ devices to Azure AD
-
-Users can join a device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1607.
-
-**To join a device to Azure AD the first time the device is started**
-
-1. During the initial setup, on the **Who owns this PC?** page, select **My organization**, and then click **Next**, as illustrated in **Figure 2**.
-
-
-
- **Figure 2. The “Who owns this PC?” page in initial Windows 10 setup**
-
-2. On the **Choose how you’ll connect** page, select **Join Azure AD**, and then click **Next**, as illustrated in **Figure 3**.
-
-
-
- **Figure 3. The “Choose how you’ll connect” page in initial Windows 10 setup**
-
-3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 4**.
-
-
-
- **Figure 4. The “Let’s get you signed in” page in initial Windows 10 setup**
-
-Now the device is Azure AD joined to the company’s subscription.
-
-**To join a device to Azure AD when the device already has Windows 10 Pro, version 1607 installed and set up**
-
-1. Go to **Settings > Accounts > Access work or school**, as illustrated in **Figure 5**.
-
-
-
- **Figure 5. Connect to work or school configuration in Settings**
-
-2. In **Set up a work or school account**, click **Join this device to Azure Active Directory**, as illustrated in **Figure 6**.
-
-
-
- **Figure 6. Set up a work or school account**
-
-3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 7**.
-
-
-
- **Figure 7. The “Let’s get you signed in” dialog box**
-
-Now the device is Azure AD joined to the company’s subscription.
-
-### Step 2: Sign in using Azure AD account
-
-Once the device is joined to your Azure AD subscription, the user will sign in by using his or her Azure AD account, as illustrated in **Figure 8**. The Windows 10 Enterprise E3 license associated with the user will enable Windows 10 Enterprise edition capabilities on the device.
-
-
-
-**Figure 8. Sign in by using Azure AD account**
-
-### Step 3: Verify that Enterprise edition is enabled
-
-You can verify the Windows 10 Enterprise E3 subscription in **Settings > Update & Security > Activation**, as illustrated in **Figure 9**.
-
-
-#### Figure 9 - Windows 10 Enterprise E3 subscription in Settings
-
-
-
-If there are any problems with the Windows 10 Enterprise E3 license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process.
-
-## Troubleshoot the user experience
-
-In some instances, users may experience problems with the Windows 10 Enterprise E3 subscription. The most common problems that users may experience are as follows:
-
-- The existing Windows 10 Pro, version 1607 operating system is not activated.
-
-- The Windows 10 Enterprise E3 subscription has lapsed or has been removed.
-
-Use the following figures to help you troubleshoot when users experience these common problems:
-
-- [Figure 9](#win-10-activated-subscription-active) illustrates a device in a healthy state, where Windows 10 Pro, version 1607 is activated and the Windows 10 Enterprise E3 subscription is active.
-
-- [Figure 10](#win-10-not-activated) illustrates a device on which Windows 10 Pro, version 1607 is not activated, but the Windows 10 Enterprise E3 subscription is active.
-
-- [Figure 11](#subscription-not-active) illustrates a device on which Windows 10 Pro, version 1607 is activated, but the Windows 10 Enterprise E3 subscription is lapsed or removed.
-
-- [Figure 12](#win-10-not-activated-subscription-not-active) illustrates a device on which Windows 10 Pro, version 1607 license is not activated and the Windows 10 Enterprise E3 subscription is lapsed or removed.
-
-
-### Figure 10 - Windows 10 Pro, version 1607 edition not activated in Settings
-
-
-
-
-### Figure 11 - Windows 10 Enterprise E3 subscription lapsed or removed in Settings
-
-
-
-
-### Figure 12 - Windows 10 Pro, version 1607 edition not activated and Windows 10 Enterprise E3 subscription lapsed or removed in Settings
-
-
-
-### Review requirements on devices
-
-Devices must be running Windows 10 Pro, version 1607, and be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. You can use the following procedures to review whether a particular device meets requirements.
-
-**To determine if a device is Azure Active Directory joined:**
-
-1. Open a command prompt and type **dsregcmd /status**.
-
-2. Review the output under Device State. If the **AzureAdJoined** status is YES, the device is Azure Active Directory joined.
-
-**To determine the version of Windows 10:**
-
-- At a command prompt, type:
- **winver**
-
- A popup window will display the Windows 10 version number and detailed OS build information.
-
- If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be upgraded to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal.
+See [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md).
## Deploy Windows 10 Enterprise features
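Review bot: The block removed under "Preparing for deployment of Windows 10 Enterprise E3 licenses" takes the `#review-requirements-on-devices` anchor and the figure anchors (`#win-10-activated-subscription-active`, `#win-10-not-activated`, `#subscription-not-active`) with it, so any link that still targets them will no longer resolve. Please confirm that deploy-enterprise-licenses.md carries the `dsregcmd /status` and `winver` checks and the version 1511 caveat deleted here, since the replacement is a single "See" line. Also, the new heading "Deployment of Windows 10 Enterprise E3 licenses" now sits one line above "Deploy Windows 10 Enterprise features"; consider folding the pointer into an existing section so the two near-identical headings do not sit back to back.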
@@ -389,8 +246,7 @@ The Managed User Experience feature is a set of Windows 10 Enterprise edition f
## Related topics
-[Connect domain-joined devices to Azure AD for Windows 10 experiences](https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-devices-group-policy/)
-
-[Compare Windows 10 editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare)
-
-[Windows for business](https://www.microsoft.com/en-us/windowsforbusiness/default.aspx)
+[Windows 10 Enterprise Subscription Activation](windows-10-enterprise-subscription-activation.md)
+ [Connect domain-joined devices to Azure AD for Windows 10 experiences](https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-devices-group-policy/)
+ [Compare Windows 10 editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare)
+ [Windows for business](https://www.microsoft.com/en-us/windowsforbusiness/default.aspx)
diff --git a/windows/deployment/windows-10-enterprise-subscription-activation.md b/windows/deployment/windows-10-enterprise-subscription-activation.md
new file mode 100644
index 0000000000..8e9912ed68
--- /dev/null
+++ b/windows/deployment/windows-10-enterprise-subscription-activation.md
@@ -0,0 +1,127 @@
+---
+title: Windows 10 Subscription Activation
+description: How to enable Windows 10 Enterprise E3 and E5 subscriptions
+keywords: upgrade, update, task sequence, deploy
+ms.prod: w10
+ms.mktglfcycl: deploy
+localizationpriority: high
+ms.sitesec: library
+ms.pagetype: mdt
+author: greg-lindsay
+---
+
+# Windows 10 Subscription Activation
+
+With Windows 10 version 1703 (also known as the Creator’s Update), both Windows 10 Enterprise E3 and Windows 10 Enterprise E5 are available as online services via subscription. Deploying [Windows 10 Enterprise](planning/windows-10-enterprise-faq-itpro.md) in your organization can now be accomplished with no keys and no reboots.
+
+ If you are running Windows 10 version 1703 or later:
+
+- Devices with a current Windows 10 Pro license can be seamlessly upgraded to Windows 10 Enterprise.
+- Product key-based Windows 10 Enterprise software licenses can be transitioned to Windows 10 Enterprise subscriptions.
+
+Organizations that have an Enterprise agreement can also benefit from the new service, using traditional Active Directory-joined devices. In this scenario, the Active Directory user that signs in on their device must be synchronized with Azure AD using [Azure AD Connect Sync](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-whatis).
+
+See the following topics in this article:
+- [Requirements](#requirements): Prerequisites to use the Windows 10 Enterprise subscription model.
+- [Benefits](#benefits): Advantages of Windows 10 Enterprise + subscription-based licensing.
+- [How it works](#how-it-works): A summary of the subscription-based licensing option.
+- [Virtual Desktop Access (VDA)](#virtual-desktop-access-vda): Enable Windows 10 Subscription Activation for VMs in the cloud.
+
+For information on how to deploy Windows 10 Enterprise licenses, see [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md).
+
+## Requirements
+
+For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following:
+
+- Windows 10 (Pro or Enterprise) version 1703 or later installed on the devices to be upgraded
+- Azure Active Directory (Azure AD) available for identity management
+- Devices must be Azure AD-joined or Active Directory joined with Azure AD Connect. Workgroup-joined devices are not supported.
+
+For Microsoft customers that do not have EA or MPSA, you can obtain Windows 10 Enterprise E3 or E5 through a cloud solution provider (CSP). Identity management and device requirements are the same when you use CSP to manage licenses, with the exception that Windows 10 Enterprise E3 is also available through CSP to devices running Windows 10, version 1607. For more information about obtaining Windows 10 Enterprise E3 through your CSP, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md).
+
+If devices are running Windows 7 or Windows 8.1, see [New Windows 10 upgrade benefits for Windows Cloud Subscriptions in CSP](https://blogs.windows.com/business/2017/01/19/new-windows-10-upgrade-benefits-windows-cloud-subscriptions-csp/)
+
+## Benefits
+
+With Windows 10 Enterprise, businesses can benefit from enterprise-level security and control. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise E3 or E5 to their users. Now, with Windows 10 Enterprise E3 and E5 being available as a true online service, it is available in every channel thus allowing all organizations to take advantage of enterprise grade Windows 10 features. To compare Windows 10 editions and review pricing, see the following:
+
+- [Compare Windows 10 editions](https://www.microsoft.com/en-us/windowsforbusiness/compare)
+- [Enterprise Mobility + Security Pricing Options](https://www.microsoft.com/en-us/cloud-platform/enterprise-mobility-security-pricing)
+
+You can benefit by moving to Windows as an online service in the following ways:
+
+1. Licenses for Windows 10 Enterprise are checked based on Azure Active Directory (Azure AD) credentials, so now businesses have a systematic way to assign licenses to end users and groups in their organization.
+2. Azure AD logon triggers a silent edition upgrade, with no reboot required
+3. Support for mobile worker/BYOD activation; transition away from on-prem KMS and MAK keys.
+4. Compliance support via seat assignment.
+
+## How it works
+
+When a licensed user signs in to a device that meets requirements using the Azure AD credentials associated with a Windows 10 Enterprise E3 or E5 license, the operating system turns from Windows 10 Pro to Windows 10 Enterprise and all the appropriate Windows 10 Enterprise features are unlocked. When a user’s subscription expires or is transferred to another user, the Windows 10 Enterprise device reverts seamlessly to Windows 10 Pro edition, after a grace period of up to 90 days.
+
+Devices currently running Windows 10 Pro, version 1703 can get Windows 10 Enterprise Semi-Annual Channel on up to five devices for each user covered by the license. This benefit does not include Long Term Servicing Channel.
+
+### Licenses
+
+The following policies apply to acquisition and renewal of licenses on devices:
+- Devices that have been upgraded will attempt to acquire licenses every 30 days, and must be connected to the Internet to be successful.
+- Licenses are valid for 90 days. If a device is disconnected from the Internet until its current license expires, the operating system will revert to Windows 10 Pro. As soon as the device is connected to the Internet again, the license will automatically renew assuming the device is still present on list of user devices.
+- Up to five devices can be upgraded for each user license.
+- The list of devices is chronological and cannot be manually modified.
+- If a device meets requirements and a licensed user signs in on that device, it will be upgraded.
+- If five devices are already on the list and a subscribed user signs in on a sixth device, then this new device is added to the end of the list and the first device is removed.
+- Devices that are removed from the list will cease trying to acquire a license and revert to Windows 10 Pro when the grace period expires.
+
+Licenses can also be reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs.
+
+When you have the required Azure AD subscription, group-based licensing is the preferred method to assign Enterprise E3 and E5 licenses to users. For more information, see [Group-based licensing basics in Azure AD](https://docs.microsoft.com/azure/active-directory/active-directory-licensing-whatis-azure-portal).
+
+### Existing Enterprise deployments
+
+If you have already deployed Windows 10 Enterprise, but you want to move away from depending on KMS servers and MAK keys for Windows client machines, you are able to seamlessly transition as long as the computer has been activated with a firmware-embedded Windows 10 Pro product key.
+
+If the computer has never been activated with a Pro key, run the following script. Copy the text below into a .cmd file and run the file from an elevated command prompt:
+
+
+@echo off
+FOR /F "skip=1" %%A IN ('wmic path SoftwareLicensingService get OA3xOriginalProductKey') DO (
+SET "ProductKey=%%A"
+goto InstallKey
+)
+
+:InstallKey
+IF [%ProductKey%]==[] (
+echo No key present
+) ELSE (
+echo Installing %ProductKey%
+changepk.exe /ProductKey %ProductKey%
+)
+
+
+### Obtaining an Azure AD licence
+
+Enterprise Agreement/Software Assurance (EA/SA):
+- Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Azure AD (ideally to groups using the new Azure AD Premium feature for group assignment).
+- The license administrator can assign seats to Azure AD users with the same process that is used for O365.
+- New EA/SA Windows Enterprise customers can acquire both an SA subscription and an associated $0 cloud subscription.
+
+Microsoft Products & Services Agreements (MPSA):
+- Organizations with MPSA are automatically emailed the details of the new service. They must take steps to process the instructions.
+- Existing MPSA customers will receive service activation emails that allow their customer administrator to assign users to the service.
+- New MPSA customers who purchase the Software Subscription Windows Enterprise E3 and E5 will be enabled for both the traditional key-based and new subscriptions activation method.
+
+### Deploying licenses
+
+See [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md).
+
+## Virtual Desktop Access (VDA)
+
+Subscriptions to Windows 10 Enterprise are also available for virtualized clients. Windows 10 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [qualified multitenant hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx).
+
+Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Azure Active Directory-joined clients are supported. See [Enable VDA for Subscription Activation](vda-subscription-activation.md).
+
+## Related topics
+
+[Connect domain-joined devices to Azure AD for Windows 10 experiences](https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-devices-group-policy/)
+ [Compare Windows 10 editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare)
+ [Windows for business](https://www.microsoft.com/en-us/windowsforbusiness/default.aspx)
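Review bot: The front matter of this new file uses `localizationpriority: high`, the un-prefixed key that the rest of this patch renames to `ms.localizationpriority` in the other topics, so the new page would ship with the old key; change it to `ms.localizationpriority: high`. In the .cmd script under "Existing Enterprise deployments", `echo Installing %ProductKey%` prints the firmware-embedded product key to the console, where it can end up in deployment logs or transcripts; consider echoing a fixed message instead. The heading "Obtaining an Azure AD licence" uses "licence" while the rest of the page uses "license".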
diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md
index 2ba92a4627..d9870313ca 100644
--- a/windows/deployment/windows-10-poc-mdt.md
+++ b/windows/deployment/windows-10-poc-mdt.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
keywords: deployment, automate, tools, configure, mdt
-localizationpriority: high
+ms.localizationpriority: high
author: greg-lindsay
---
diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md
index 7cd077d90a..63e2727b2a 100644
--- a/windows/deployment/windows-10-poc-sc-config-mgr.md
+++ b/windows/deployment/windows-10-poc-sc-config-mgr.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
keywords: deployment, automate, tools, configure, sccm
-localizationpriority: high
+ms.localizationpriority: high
author: greg-lindsay
---
@@ -205,6 +205,10 @@ Topics and procedures in this guide are summarized in the following table. An es
## Download MDOP and install DaRT
+>[!IMPORTANT]
+>This step requires an MSDN subscription or volume licence agreement. For more information, see [Ready for Windows 10: MDOP 2015 and more tools are now available](https://blogs.technet.microsoft.com/windowsitpro/2015/08/17/ready-for-windows-10-mdop-2015-and-more-tools-are-now-available/).
+>If your organization qualifies and does not already have an MSDN subscription, you can obtain a [free MSDN subscription with BizSpark](https://blogs.msdn.microsoft.com/zainnab/2011/03/14/bizspark-free-msdn-subscription-for-start-up-companies/).
+
1. Download the [Microsoft Desktop Optimization Pack 2015](https://msdn.microsoft.com/en-us/subscriptions/downloads/#ProductFamilyId=597) to the Hyper-V host using an MSDN subscription. Download the .ISO file (mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso, 2.79 GB) to the C:\VHD directory on the Hyper-V host.
2. Type the following command at an elevated Windows PowerShell prompt on the Hyper-V host to mount the MDOP file on SRV1:
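Review bot: The second line of the added IMPORTANT note sends readers to a blog post dated 2011/03/14 (per its URL) for the free MSDN subscription through BizSpark; confirm the offer still exists or link to a maintained page, since step 1 directly below depends on having the subscription. In the first line, "volume licence agreement" should read "volume license agreement" to match the spelling used in the other topics in this patch.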
diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md
index ebdbe4e613..621de876bd 100644
--- a/windows/deployment/windows-10-poc.md
+++ b/windows/deployment/windows-10-poc.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
keywords: deployment, automate, tools, configure, mdt, sccm
-localizationpriority: high
+ms.localizationpriority: high
author: greg-lindsay
---
diff --git a/windows/deployment/windows-adk-scenarios-for-it-pros.md b/windows/deployment/windows-adk-scenarios-for-it-pros.md
index afc909741a..154981a4b6 100644
--- a/windows/deployment/windows-adk-scenarios-for-it-pros.md
+++ b/windows/deployment/windows-adk-scenarios-for-it-pros.md
@@ -4,7 +4,7 @@ description: The Windows Assessment and Deployment Kit (Windows ADK) contains to
ms.assetid: FC4EB39B-29BA-4920-87C2-A00D711AE48B
ms.prod: w10
ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
ms.sitesec: library
author: greg-lindsay
---
diff --git a/windows/device-security/TOC.md b/windows/device-security/TOC.md
index 9305ed157e..6895c3208e 100644
--- a/windows/device-security/TOC.md
+++ b/windows/device-security/TOC.md
@@ -94,6 +94,7 @@
### [Prepare your organization for BitLocker: Planning and policies](bitlocker\prepare-your-organization-for-bitlocker-planning-and-policies.md)
### [BitLocker basic deployment](bitlocker\bitlocker-basic-deployment.md)
### [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker\bitlocker-how-to-deploy-on-windows-server.md)
+### [BitLocker: Management recommendations for enterprises](bitlocker\bitlocker-management-for-enterprises.md)
### [BitLocker: How to enable Network Unlock](bitlocker\bitlocker-how-to-enable-network-unlock.md)
### [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker\bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)
### [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker\bitlocker-use-bitlocker-recovery-password-viewer.md)
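Review bot: The added BitLocker entry links with a backslash (`bitlocker\bitlocker-management-for-enterprises.md`), while the change-history row in this patch links to the same file as `bitlocker/bitlocker-management-for-enterprises.md` and the TPM entries in this TOC use forward slashes. It matches its immediate neighbours, but a forward slash avoids depending on how the build treats `\` in Markdown URLs.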
@@ -650,6 +651,7 @@
## [Trusted Platform Module](tpm/trusted-platform-module-top-node.md)
### [Trusted Platform Module Overview](tpm/trusted-platform-module-overview.md)
### [TPM fundamentals](tpm/tpm-fundamentals.md)
+### [How Windows 10 uses the TPM](tpm/how-windows-uses-the-tpm.md)
### [TPM Group Policy settings](tpm/trusted-platform-module-services-group-policy-settings.md)
### [Back up the TPM recovery information to AD DS](tpm/backup-tpm-recovery-information-to-ad-ds.md)
### [Manage TPM commands](tpm/manage-tpm-commands.md)
diff --git a/windows/device-security/applocker/applocker-overview.md b/windows/device-security/applocker/applocker-overview.md
index 80cbfe0b49..1d4fe3bc2f 100644
--- a/windows/device-security/applocker/applocker-overview.md
+++ b/windows/device-security/applocker/applocker-overview.md
@@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
author: brianlic-msft
---
diff --git a/windows/device-security/applocker/requirements-to-use-applocker.md b/windows/device-security/applocker/requirements-to-use-applocker.md
index 81fe0f76ba..caa0c16d67 100644
--- a/windows/device-security/applocker/requirements-to-use-applocker.md
+++ b/windows/device-security/applocker/requirements-to-use-applocker.md
@@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
author: brianlic-msft
---
diff --git a/windows/device-security/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/device-security/bitlocker/bitlocker-device-encryption-overview-windows-10.md
index f08b02baf6..db72ab90ec 100644
--- a/windows/device-security/bitlocker/bitlocker-device-encryption-overview-windows-10.md
+++ b/windows/device-security/bitlocker/bitlocker-device-encryption-overview-windows-10.md
@@ -13,7 +13,9 @@ author: Justinha
**Applies to**
- Windows 10
-This topic provides an overview of the ways that BitLocker and device encryption can help protect data on devices running Windows 10. For a general overview and list of topics about BitLocker, see [BitLocker](bitlocker-overview.md).
+This topic explains how BitLocker and device encryption can help protect data on devices running Windows 10.
+For an architectural overview about how device encryption works with Secure Boot, see [Secure boot and device encryption overview](https://docs.microsoft.com/windows-hardware/drivers/bringup/secure-boot-and-device-encryption-overview).
+For a general overview and list of topics about BitLocker, see [BitLocker](bitlocker-overview.md).
When users travel, their organization’s confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives; in Windows 10, BitLocker will even protect individual files, with data loss prevention capabilities. Windows consistently improves data protection by improving existing options and by providing new strategies.
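Review bot: The three added lines have no blank line between them, so Markdown will join them into one paragraph. If they are meant to stand apart, separate them with blank lines, or fold the two "For ..." sentences into one. "architectural overview about how" reads better as "architectural overview of how".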
diff --git a/windows/device-security/bitlocker/bitlocker-frequently-asked-questions.md b/windows/device-security/bitlocker/bitlocker-frequently-asked-questions.md
index e0f1bc14e9..af3bab22cc 100644
--- a/windows/device-security/bitlocker/bitlocker-frequently-asked-questions.md
+++ b/windows/device-security/bitlocker/bitlocker-frequently-asked-questions.md
@@ -189,6 +189,12 @@ You can use the Manage-bde.exe command-line tool to replace your TPM-only authen
`manage-bde –protectors –add %systemdrive% -tpmandpin <4-20 digit numeric PIN>`
+
+### When should an additional method of authentication be considered?
+
+New hardware that meets [Windows Hardware Compatibility Program](https://docs.microsoft.com/windows-hardware/design/compatibility/) requirements make a PIN less critical as a mitigation, and having a TPM-only protector is likely sufficient when combined with policies like device lockout. For example, Surface Pro and Surface Book do not have external DMA ports to attack.
+For older hardware, where a PIN may be needed, it’s recommended to enable [enhanced PINs](bitlocker-group-policy-settings.md#bkmk-unlockpol2) that allow non-numeric characters such as letters and punctuation marks, and to set the PIN length based on your risk tolerance and the hardware anti-hammering capabilities available to the TPMs in your computers.
+
### If I lose my recovery information, will the BitLocker-protected data be unrecoverable?
BitLocker is designed to make the encrypted drive unrecoverable without the required authentication. When in recovery mode, the user needs the recovery password or recovery key to unlock the encrypted drive.
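Review bot: Subject-verb agreement in the first added sentence: "New hardware that meets ... requirements make a PIN less critical" should read "makes". The same sentence rests the TPM-only recommendation on "policies like device lockout" without a link. Point to the relevant setting, as the next sentence does for enhanced PINs, so readers can see which lockout policy is meant.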
@@ -395,6 +401,11 @@ Yes. However, shadow copies made prior to enabling BitLocker will be automatical
BitLocker is not supported on bootable VHDs, but BitLocker is supported on data volume VHDs, such as those used by clusters, if you are running Windows 10, Windows 8.1, Windows 8, Windows Server 2012, or Windows Server 2012 R2.
+### Can I use BitLocker with virtual machines (VMs)?
+
+Yes. Password protectors and virtual TPMs can be used with BitLocker to protect virtual machines. VMs can be domain joined, Azure AD-joined, or workplace-joined (in **Settings** under **Accounts** > **Access work or school** > **Connect to work or school** to receive policy. You can enable encryption either while creating the VM or by using other existing management tools such as the BitLocker CSP, or even by using a startup script or logon script delivered by Group Policy. Windows Server 2016 also supports [Shielded VMs and guarded fabric](https://docs.microsoft.com/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node) to protect VMs from malicious administrators.
+
+
## More information
- [Prepare your organization for BitLocker: Planning and Policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
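Review bot: The parenthesis opened at "(in **Settings** under **Accounts** ..." is never closed, so the aside runs into the main clause ("... **Connect to work or school** to receive policy."). Close it after "Connect to work or school" so the sentence reads "... or workplace-joined (in ...) to receive policy." The hunk also adds two consecutive blank lines before "## More information" where one would do.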
diff --git a/windows/device-security/bitlocker/bitlocker-management-for-enterprises.md b/windows/device-security/bitlocker/bitlocker-management-for-enterprises.md
new file mode 100644
index 0000000000..e8a02af1fd
--- /dev/null
+++ b/windows/device-security/bitlocker/bitlocker-management-for-enterprises.md
@@ -0,0 +1,185 @@
+---
+title: BitLocker Management Recommendations for Enterprises (Windows 10)
+description: This topic explains recommendations for managing BitLocker.
+ms.assetid: 40526fcc-3e0d-4d75-90e0-c7d0615f33b2
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: brianlic-msft
+---
+
+# BitLocker Management Recommendations for Enterprises
+
+This topic explains recommendations for managing BitLocker, both on-premises using older hardware and cloud-based management of modern devices.
+
+## Forward-looking recommendations for managing BitLocker
+
+The ideal for modern BitLocker management is to eliminate the need for IT admins to set management policies using tools or other mechanisms by having Windows perform tasks that it is more practical to automate. This vision leverages modern hardware developments. The growth of TPM 2.0, Secure Boot, and other hardware improvements, for example, has helped to alleviate the support burden on the helpdesk, and we are seeing a consequent decrease in support call volumes, yielding improved user satisfaction.
+
+Therefore, we recommend that you upgrade your hardware so that your devices comply with InstantGo or [Hardware Security Test Interface (HSTI)](https://msdn.microsoft.com/library/windows/hardware/mt712332.aspx) specifications to take advantage of their automated features, for example, when using Azure Active Directory (Azure AD).
+
+Though much Windows BitLocker [documentation](bitlocker-overview.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. This article links to relevant documentation, products, and services to help answer this and other related frequently-asked questions, and also provides BitLocker recommendations for:
+
+ - [Domain-joined computers](#dom_join)
+
+ - [Devices joined to Azure Active Directory (Azure AD)](#azure_ad)
+
+ - [Workplace-joined PCs and Phones](#work_join)
+
+ - [Servers](#servers)
+
+ - [Scripts](#powershell)
+
+
+
+## BitLocker management at a glance
+
+| | PC – Old Hardware | PC – New* Hardware |[Servers](#servers)/[VMs](#VMs) | Phone
+|---|---|----|---|---|
+|On-premises Domain-joined |[MBAM](#MBAM25)| [MBAM](#MBAM25) | [Scripts](#powershell) |N/A|
+|Cloud-managed|[MDM](#MDM) |Auto-encryption|[Scripts](#powershell)|[MDM](#MDM)/EAS|
+
+
+*PC hardware that supports InstantGo or HSTI
+
+
+
+
+
+## Recommendations for domain-joined computers
+
+Windows continues to be the focus for new features and improvements for built-in encryption management, for example, automatically enabling encryption on devices that support InstantGo beginning with Windows 8.1. For more information, see [Overview of BitLocker and device encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md#device-encryption).
+
+Companies that image their own computers using Microsoft System Center 2012 Configuration Manager SP1 (SCCM) or later can use an existing task sequence to [pre-provision BitLocker](https://technet.microsoft.com/library/hh846237.aspx#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](https://technet.microsoft.com/library/hh846237.aspx#BKMK_EnableBitLocker). This can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use SCCM to pre-set any desired [BitLocker Group Policy](https://technet.microsoft.com/library/ee706521(v=ws.10).aspx).
+
+For older client computers with BitLocker that are domain joined on-premises, Microsoft BitLocker Administration and Management[1] (MBAM) remains the best way to manage BitLocker. MBAM continues to be maintained and receives security patches. Using MBAM provides the following functionality:
+
+- Encrypts device with BitLocker using MBAM
+- Stores BitLocker Recovery keys in MBAM Server
+- Provides Recovery key access to end-user, helpdesk and advanced helpdesk
+- Provides Reporting on Compliance and Recovery key access audit
+
+
+[1]The latest MBAM version is [MBAM 2.5](https://technet.microsoft.com/windows/hh826072.aspx) with Service Pack 1 (SP1).
+
+
+
+
+## Recommendations for devices joined to Azure Active Directory
+
+
+
+Devices joined to Azure Active Directory (Azure AD) are managed using Mobile Device Management (MDM) policy such as [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). Device encryption status can be queried from managed machines via the [Policy Configuration Settings Provider](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) (CSP), which reports on whether BitLocker device encryption is enabled on the device. Compliance with device encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access) to services like Exchange Online and SharePoint Online.
+
+Starting with Windows 10 version 1703 (also known as the Windows Creators Update), the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) or the [Bitlocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 10 Business or Enterprise editions and on Windows Phones.
+
+For hardware that is compliant with InstantGo and HSTI, when using either of these features, device encryption is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if required. For older devices that are not yet encrypted, beginning with Windows 10 version 1703 (the Windows 10 Creators Update), admins can use the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) to trigger encryption and store the recovery key in Azure AD.
+
+
+
+## Workplace-joined PCs and phones
+
+For Windows PCs and Windows Phones that enroll using **Connect to work or school account**, BitLocker device encryption is managed over MDM, and similarly for Azure AD domain join.
+
+
+
+## Recommendations for servers
+
+Servers are often installed, configured, and deployed using PowerShell, so the recommendation is to also use [PowerShell to enable BitLocker on a server](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#a-href-idbkmk-blcmdletsabitlocker-cmdlets-for-windows-powershell), ideally as part of the initial setup. BitLocker is an Optional Component (OC) in Windows Server, so follow the directions in [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker-how-to-deploy-on-windows-server.md) to add the BitLocker OC.
+
+The Minimal Server Interface is a prerequisite for some of the BitLocker administration tools. On a [Server Core](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-core) installation, you must add the necessary GUI components first. The steps to add shell components to Server Core are described in [Using Features on Demand with Updated Systems and Patched Images](https://blogs.technet.microsoft.com/server_core/2012/11/05/using-features-on-demand-with-updated-systems-and-patched-images/) and [How to update local source media to add roles and features](https://blogs.technet.microsoft.com/joscon/2012/11/14/how-to-update-local-source-media-to-add-roles-and-features/).
+
+If you are installing a server manually, such as a stand-alone server, then choosing [Server with Desktop Experience](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-with-desktop-experience) is the easiest path because you can avoid performing the steps to add a GUI to Server Core.
+
+ Additionally, lights out data centers can take advantage of the enhanced security of a second factor while avoiding the need for user intervention during reboots by optionally using a combination of BitLocker (TPM+PIN) and BitLocker Network Unlock. BitLocker Network Unlock brings together the best of hardware protection, location dependence, and automatic unlock, while in the trusted location. For the configuration steps, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md).
+
+ For more information, see the Bitlocker FAQs article and other useful links in [Related Articles](#articles).
+
+
+
+## PowerShell examples
+
+For Azure AD-joined computers, including virtual machines, the recovery password should be stored in Azure Active Directory.
+
+*Example: Use PowerShell to add a recovery password and back it up to Azure AD before enabling BitLocker*
+```
+PS C:\>Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
+
+PS C:\>$BLV = Get-BitLockerVolume -MountPoint "C:”
+
+PS C:\>BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId
+```
+For domain-joined computers, including servers, the recovery password should be stored in Active Directory Domain Services (AD DS).
+
+*Example: Use PowerShell to add a recovery password and back it up to AD DS before enabling BitLocker*
+```
+PS C:\>Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
+
+PS C:\>$BLV = Get-BitLockerVolume -MountPoint "C:”
+
+PS C:\>Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId
+ ```
+
+Subsequently, you can use PowerShell to enable BitLocker.
+
+*Example: Use PowerShell to enable BitLocker with a TPM protector*
+ ```
+PS C:\>Enable-BitLocker -MountPoint "D:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector
+ ```
+*Example: Use PowerShell to enable BitLocker with a TPM+PIN protector, in this case with a PIN set to 123456*
+ ```
+PS C:\>$SecureString = ConvertTo-SecureString "123456" -AsPlainText -Force
+
+PS C:\> Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -Pin $SecureString -TPMandPinProtector
+ ```
+
+
+
+## Related Articles
+
+[Bitlocker: FAQs](bitlocker-frequently-asked-questions.md)
+
+[Microsoft BitLocker Administration and Management (MBAM)](https://technet.microsoft.com/windows/hh826072.aspx)
+
+[Overview of BitLocker and automatic encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md#device-encryption)
+
+[System Center 2012 Configuration Manager SP1](https://technet.microsoft.com/library/hh846237.aspx#BKMK_PreProvisionBitLocker) *(Pre-provision BitLocker task sequence)*
+
+[Enable BitLocker task sequence](https://technet.microsoft.com/library/hh846237.aspx#BKMK_EnableBitLocker)
+
+[BitLocker Group Policy Reference](https://technet.microsoft.com/library/ee706521(v=ws.10).aspx)
+
+[Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune)
+*(Overview)*
+
+[Configuration Settings Providers](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider)
+*(Policy CSP: See [Security-RequireDeviceEncryption](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-security#security-policies))*
+
+[BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp)
+
+
+
+**Windows Server setup tools**
+
+[Windows Server Installation Options](https://technet.microsoft.com/library/hh831786(v=ws.11).aspx)
+
+[How to update local source media to add roles and features](https://blogs.technet.microsoft.com/joscon/2012/11/14/how-to-update-local-source-media-to-add-roles-and-features/)
+
+[How to add or remove optional components on Server Core](https://blogs.technet.microsoft.com/server_core/2012/11/05/using-features-on-demand-with-updated-systems-and-patched-images/) *(Features on Demand)*
+
+[BitLocker: How to deploy on Windows Server 2012 and newer](bitlocker-how-to-deploy-on-windows-server.md)
+
+[BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
+
+[Shielded VMs and Guarded Fabric](https://blogs.technet.microsoft.com/windowsserver/2016/05/10/a-closer-look-at-shielded-vms-in-windows-server-2016/)
+
+
+
+
+**Powershell**
+
+[BitLocker cmdlets for Windows PowerShell](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#a-href-idbkmk-blcmdletsabitlocker-cmdlets-for-windows-powershell)
+
+[Surface Pro Specifications](https://www.microsoft.com/surface/support/surface-pro-specs)
\ No newline at end of file
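Review bot: In both backup examples under "PowerShell examples", `$BLV.KeyProtector[0].KeyProtectorId` assumes the recovery password is the first protector on the volume. If another protector (for example a TPM protector) already exists, index 0 points at that one rather than at the recovery password that was just added. Select by type instead, for example `($BLV.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').KeyProtectorId`. The same examples close the mount point string with a typographic quote (`"C:”`), which should be a straight quote. The TPM+PIN example hard-codes the PIN `123456` with `-AsPlainText`. Prompting with `Read-Host -AsSecureString`, or marking the value as a placeholder, keeps readers from copying it into scripts. The front matter adds `localizationpriority: high`, the key this patch renames to `ms.localizationpriority` in every other file, and the file ends without a trailing newline.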
diff --git a/windows/device-security/bitlocker/bitlocker-overview.md b/windows/device-security/bitlocker/bitlocker-overview.md
index d92c5e1cce..b9308ded1b 100644
--- a/windows/device-security/bitlocker/bitlocker-overview.md
+++ b/windows/device-security/bitlocker/bitlocker-overview.md
@@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
author: brianlic-msft
---
diff --git a/windows/device-security/change-history-for-device-security.md b/windows/device-security/change-history-for-device-security.md
index f5c4e6001a..6030e8a054 100644
--- a/windows/device-security/change-history-for-device-security.md
+++ b/windows/device-security/change-history-for-device-security.md
@@ -11,6 +11,19 @@ author: brianlic-msft
# Change history for device security
This topic lists new and updated topics in the [Device security](index.md) documentation.
+## August 2017
+|New or changed topic |Description |
+|---------------------|------------|
+ | [BitLocker: Management recommendations for enterprises](bitlocker/bitlocker-management-for-enterprises.md) | New BitLocker security topic. |
+
+
+
+## July 2017
+|New or changed topic |Description |
+|---------------------|------------|
+ | [How Windows 10 uses the Trusted Platform Module](tpm/how-windows-uses-the-tpm.md) | New TPM security topic. |
+
+
## May 2017
|New or changed topic |Description |
|---------------------|------------|
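Review bot: The July 2017 row titles the topic "How Windows 10 uses the Trusted Platform Module", while the TOC entry this patch adds for the same file (`tpm/how-windows-uses-the-tpm.md`) is "How Windows 10 uses the TPM". Use one title in both places. The two added table rows also begin with a space before the first pipe, unlike the header rows above them.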
diff --git a/windows/device-security/device-guard/deploy-catalog-files-to-support-code-integrity-policies.md b/windows/device-security/device-guard/deploy-catalog-files-to-support-code-integrity-policies.md
index 898731c8d2..905dcc1550 100644
--- a/windows/device-security/device-guard/deploy-catalog-files-to-support-code-integrity-policies.md
+++ b/windows/device-security/device-guard/deploy-catalog-files-to-support-code-integrity-policies.md
@@ -4,7 +4,7 @@ description: This article describes how to deploy catalog files to support code
keywords: virtualization, security, malware
ms.prod: w10
ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
author: brianlic-msft
---
diff --git a/windows/device-security/device-guard/deploy-code-integrity-policies-policy-rules-and-file-rules.md b/windows/device-security/device-guard/deploy-code-integrity-policies-policy-rules-and-file-rules.md
index e1046621fc..ab8015ffad 100644
--- a/windows/device-security/device-guard/deploy-code-integrity-policies-policy-rules-and-file-rules.md
+++ b/windows/device-security/device-guard/deploy-code-integrity-policies-policy-rules-and-file-rules.md
@@ -4,7 +4,7 @@ description: This article provides information about two elements in code integr
keywords: virtualization, security, malware
ms.prod: w10
ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
author: brianlic-msft
---
diff --git a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md
index 1f4eff567b..390575abd4 100644
--- a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md
+++ b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md
@@ -4,7 +4,7 @@ description: This article describes how to deploy code integrity policies, one o
keywords: virtualization, security, malware
ms.prod: w10
ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
author: brianlic-msft
---
@@ -33,7 +33,7 @@ Members of the security community\* continuously collaborate with Mic
Unless your use scenarios explicitly require them, Microsoft recommends that you block the following applications. These applications or files can be used by an attacker to circumvent Application Whitelisting policies, including Device Guard:
- bash.exe
-- bginfo.exe
+- bginfo.exe[1]
- cdb.exe
- csi.exe
- dnx.exe
@@ -42,14 +42,17 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
- kd.exe
- ntkd.exe
- lxssmanager.dll
-- msbuild.exe[1]
+- msbuild.exe[2]
- mshta.exe
- ntsd.exe
- rcsi.exe
+- SyncAppVPublishingServer.exe
- system.management.automation.dll
- windbg.exe
-[1]If you are using your reference system in a development context and use msbuild.exe to build managed applications, we recommend that you whitelist msbuild.exe in your code integrity policies. However, if your reference system is an end user device that is not being used in a development context, we recommend that you block msbuild.exe.
+[1]A vulnerability in bginfo.exe has been fixed in the latest version 4.22. If you use BGInfo, for security, make sure to download and run the latest version here [BGInfo 4.22](https://docs.microsoft.com/en-us/sysinternals/downloads/bginfo). Note that BGInfo versions earlier than 4.22 are still vulnerable and should be blocked.
+
+[2]If you are using your reference system in a development context and use msbuild.exe to build managed applications, we recommend that you whitelist msbuild.exe in your code integrity policies. However, if your reference system is an end user device that is not being used in a development context, we recommend that you block msbuild.exe.
*Microsoft recognizes the efforts of those in the security community who help us protect customers through responsible vulnerability disclosure, and extends thanks to the following people:
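Review bot: Footnote [1] says only BGInfo versions earlier than 4.22 should be blocked, but the list entry still reads as a blanket block of `bginfo.exe`. State in the footnote that the deny rule should be bounded by file version so that 4.22 and later remain allowed, and confirm that the sample policy reflects this and covers the new `SyncAppVPublishingServer.exe` entry. The later hunks at -114 and -182 show only an empty added line, so the rule change is not visible here. The link phrasing "here [BGInfo 4.22]" is awkward, and its URL carries an `en-us` locale segment that the other docs.microsoft.com links in this patch omit.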
@@ -62,6 +65,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
|Matt Nelson | @enigma0x3|
|Oddvar Moe |@Oddvarmoe|
|Alex Ionescu | @aionescu|
+|Nick Landers | @monoxgas|
@@ -114,6 +118,7 @@ Microsoft recommends that you block the following Microsoft-signed applications
+
@@ -182,6 +187,7 @@ Microsoft recommends that you block the following Microsoft-signed applications
+
diff --git a/windows/device-security/device-guard/deploy-device-guard-deploy-code-integrity-policies.md b/windows/device-security/device-guard/deploy-device-guard-deploy-code-integrity-policies.md
index baad65e7bb..012a60e785 100644
--- a/windows/device-security/device-guard/deploy-device-guard-deploy-code-integrity-policies.md
+++ b/windows/device-security/device-guard/deploy-device-guard-deploy-code-integrity-policies.md
@@ -4,7 +4,7 @@ description: This article, and the articles it links to, describe how to create
keywords: virtualization, security, malware
ms.prod: w10
ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
author: brianlic-msft
---
diff --git a/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security.md b/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security.md
index 773414f009..45c3ca1f45 100644
--- a/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security.md
+++ b/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security.md
@@ -4,7 +4,7 @@ description: This article describes how to enable virtualization-based security,
keywords: virtualization, security, malware
ms.prod: w10
ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
author: brianlic-msft
---
diff --git a/windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md b/windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md
index cf53463610..fcd0f46670 100644
--- a/windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md
+++ b/windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md
@@ -4,7 +4,7 @@ description: Explains how you can use a managed installer to automatically autho
keywords: virtualization, security, malware
ms.prod: w10
ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
author: mdsakibMSFT
---
diff --git a/windows/device-security/device-guard/device-guard-deployment-guide.md b/windows/device-security/device-guard/device-guard-deployment-guide.md
index d50a13cc43..da932fc370 100644
--- a/windows/device-security/device-guard/device-guard-deployment-guide.md
+++ b/windows/device-security/device-guard/device-guard-deployment-guide.md
@@ -5,7 +5,7 @@ ms.assetid: 4BA52AA9-64D3-41F3-94B2-B87EC2717486
keywords: virtualization, security, malware
ms.prod: w10
ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
author: brianlic-msft
---
diff --git a/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md b/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md
index 66956fbb5c..8c995bb3fe 100644
--- a/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md
+++ b/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md
@@ -4,7 +4,7 @@ description: Microsoft Device Guard is a feature set that consists of both hardw
keywords: virtualization, security, malware
ms.prod: w10
ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
author: brianlic-msft
---
diff --git a/windows/device-security/device-guard/optional-create-a-code-signing-certificate-for-code-integrity-policies.md b/windows/device-security/device-guard/optional-create-a-code-signing-certificate-for-code-integrity-policies.md
index 89b5072658..32732cc6a1 100644
--- a/windows/device-security/device-guard/optional-create-a-code-signing-certificate-for-code-integrity-policies.md
+++ b/windows/device-security/device-guard/optional-create-a-code-signing-certificate-for-code-integrity-policies.md
@@ -4,7 +4,7 @@ description: This article describes how to create a code signing certificate for
keywords: virtualization, security, malware
ms.prod: w10
ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
author: brianlic-msft
---
diff --git a/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md b/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md
index d3919505b8..c822167621 100644
--- a/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md
+++ b/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md
@@ -4,7 +4,7 @@ description: To help you plan and begin the initial test stages of a deployment
keywords: virtualization, security, malware
ms.prod: w10
ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
author: brianlic-msft
---
diff --git a/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md b/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md
index 3a9804aa1c..9b22432875 100644
--- a/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md
+++ b/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md
@@ -4,7 +4,7 @@ description: To help you plan a deployment of Microsoft Device Guard, this artic
keywords: virtualization, security, malware
ms.prod: w10
ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
author: brianlic-msft
---
@@ -14,16 +14,6 @@ author: brianlic-msft
- Windows 10
- Windows Server 2016
-This article describes the following:
-
-- [Hardware, firmware, and software requirements for Device Guard](#hardware-firmware-and-software-requirements-for-device-guard)
- - [Device Guard requirements for baseline protections](#device-guard-requirements-for-baseline-protections)
- - [Device Guard requirements for improved security](#device-guard-requirements-for-improved-security)
-- [Device Guard deployment in different scenarios: types of devices](#device-guard-deployment-in-different-scenarios-types-of-devices)
-- [Device Guard deployment in virtual machines](#device-guard-deployment-in-virtual-machines)
-- [Reviewing your applications: application signing and catalog files](#reviewing-your-applications-application-signing-and-catalog-files)
-- [Code integrity policy formats and signing](#code-integrity-policy-formats-and-signing)
-
The information in this article is intended for IT professionals, and provides a foundation for [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md).
>**Note** If you are an OEM, see the requirements information at [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).
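Review bot: The removed list was the in-page consumer of `#device-guard-requirements-for-baseline-protections` and `#device-guard-requirements-for-improved-security`, and the next hunk renames both headings ("Baseline protections", "Additional qualifications for improved security"), so those anchors stop resolving. Before merging, search the repo for other links to these two fragments and update them, or keep the old heading text if inbound links cannot be changed.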
@@ -45,53 +35,50 @@ The following tables provide more information about the hardware, firmware, and
> • To understand the requirements in the following tables, you will need to be familiar with the main features in Device Guard: configurable code integrity policies, virtualization-based security (VBS), and Universal Extensible Firmware Interface (UEFI) Secure Boot. For information about these features, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats).
> • Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers.
-## Device Guard requirements for baseline protections
+## Baseline protections
-|Baseline Protections - requirement | Description |
-|---------------------------------------------|----------------------------------------------------|
-| Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. |
-| Hardware: **CPU virtualization extensions**, plus **extended page tables** | **Requirements**: These hardware features are required for VBS: One of the following virtualization extensions: • VT-x (Intel) or • AMD-V And: • Extended page tables, also called Second Level Address Translation (SLAT).
**Security benefits**: VBS provides isolation of the secure kernel from the normal operating system. Vulnerabilities and zero-days in the normal operating system cannot be exploited because of this isolation. |
-| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)
**Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
-| Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).
**Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
-| Software: **HVCI compatible drivers** | **Requirements**: See the Windows Hardware Compatibility Program requirements under [Filter.Driver.DeviceGuard.DriverCompatibility](https://msdn.microsoft.com/library/windows/hardware/mt589732(v=vs.85).aspx).
**Security benefits**: [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. |
-| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise
Important: Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.
**Security benefits**: Support for VBS and for management features that simplify configuration of Device Guard. |
+|Baseline Protections | Description | Security benefits |
+|--------------------------------|----------------------------------------------------|-------------------|
+| Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. | |
+| Hardware: **CPU virtualization extensions**, plus **extended page tables** | These hardware features are required for VBS: One of the following virtualization extensions: • VT-x (Intel) or • AMD-V And: • Extended page tables, also called Second Level Address Translation (SLAT). | VBS provides isolation of the secure kernel from the normal operating system. Vulnerabilities and zero-days in the normal operating system cannot be exploited because of this isolation. |
+| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot) | UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
+| Firmware: **Secure firmware update process** | UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot). | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
+| Software: **HVCI compatible drivers** | See the Windows Hardware Compatibility Program requirements under [Filter.Driver.DeviceGuard.DriverCompatibility](https://msdn.microsoft.com/library/windows/hardware/mt589732(v=vs.85).aspx).| [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. |
+| Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise
Important: Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.
| Support for VBS and for management features that simplify configuration of Device Guard. |
-> **Important** The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security, to significantly strengthen the level of security that Device Guard can provide.
+> **Important** The following tables list additional qualifications for improved security. You can use Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that Device Guard can provide.
-## Device Guard requirements for improved security
+## Additional qualifications for improved security
-The following tables describes additional hardware and firmware requirements, and the improved security that is available when those requirements are met.
+The following tables describe additional hardware and firmware qualifications, and the improved security that is available when these qualifications are met.
### Additional security qualifications starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4
-
-| Protections for Improved Security - requirement | Description |
-|---------------------------------------------|----------------------------------------------------|
-| Firmware: **Securing Boot Configuration and Management** | **Requirements**: • BIOS password or stronger authentication must be supported. • In the BIOS configuration, BIOS authentication must be set. • There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system. • In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.
**Security benefits**: • BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access. • Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. |
+| Protections for Improved Security | Description | Security benefits |
+|---------------------------------------------|----------------------------------------------------|------|
+| Firmware: **Securing Boot Configuration and Management** | • BIOS password or stronger authentication must be supported. • In the BIOS configuration, BIOS authentication must be set. • There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system. • In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings. | • BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access. • Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. |
-### Additional Qualification Requirements starting with Windows 10, version 1607, and Windows Server 2016
+### Additional security qualifications starting with Windows 10, version 1607, and Windows Server 2016
-> **Important** The following tables list requirements for improved security, beyond the level of protection described in the preceding tables. You can use Device Guard with hardware, firmware, and software that do not support the following protections for improved security. As your systems meet more requirements, more protections become available to them.
-| Protections for Improved Security - requirement | Description |
-|---------------------------------------------|----------------------------------------------------|
-| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**: Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby) • The Hardware Security Test Interface (HSTI) 1.1.a must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332.aspx).
**Security benefits**: • Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware. • HSTI 1.1.a provides additional security assurance for correctly secured silicon and platform. |
-| Firmware: **Firmware Update through Windows Update** | **Requirements**: Firmware must support field updates through Windows Update and UEFI encapsulation update.
**Security benefits**: Helps ensure that firmware updates are fast, secure, and reliable. |
-| Firmware: **Securing Boot Configuration and Management** | **Requirements**: • Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time. • Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.
**Security benefits**: • Enterprises can choose to allow proprietary EFI drivers/applications to run. • Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
+| Protections for Improved Security | Description | Security benefits |
+|---------------------------------------------|----------------------------------------------------|-----|
+| Firmware: **Hardware Rooted Trust Platform Secure Boot** | • Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby) • The Hardware Security Test Interface (HSTI) 1.1.a must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332.aspx). | • Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware. • HSTI 1.1.a provides additional security assurance for correctly secured silicon and platform. |
+| Firmware: **Firmware Update through Windows Update** | Firmware must support field updates through Windows Update and UEFI encapsulation update. | Helps ensure that firmware updates are fast, secure, and reliable. |
+| Firmware: **Securing Boot Configuration and Management** | • Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time. • Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.| • Enterprises can choose to allow proprietary EFI drivers/applications to run. • Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
-### Additional Qualification Requirements starting with Windows 10, version 1703
+### Additional security qualifications starting with Windows 10, version 1703
-The following table lists requirements for Windows 10, version 1703, which are in addition to all preceding requirements.
-| Protection for Improved Security | Description |
-|---------------------------------------------|----------------------------------------------------|
-| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**: • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable. • UEFI runtime service must meet these requirements: • Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table. • PE sections need to be page-aligned in memory (not required for in non-volitile storage). • The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS: • All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both • No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable.
Notes: • This only applies to UEFI runtime service memory, and not UEFI boot service memory. • This protection is applied by VBS on OS page tables.
Please also note the following: • Do not use sections that are both writeable and exceutable • Do not attempt to directly modify executable system memory • Do not use dynamic code
**Security benefits**: • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable) • Reduces the attack surface to VBS from system firmware. |
-| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.
**Security benefits**: • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable) • Reduces the attack surface to VBS from system firmware. • Blocks additional security attacks against SMM. |
+| Protections for Improved Security | Description | Security benefits |
+|---------------------------------------------|----------------------------------------------------|------|
+| Firmware: **VBS enablement of NX protection for UEFI runtime services** | • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable. • UEFI runtime service must meet these requirements: • Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table. • PE sections need to be page-aligned in memory (not required for in non-volitile storage). • The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS: • All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both • No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable.
Notes: • This only applies to UEFI runtime service memory, and not UEFI boot service memory. • This protection is applied by VBS on OS page tables.
Please also note the following: • Do not use sections that are both writeable and exceutable • Do not attempt to directly modify executable system memory • Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable) • Reduces the attack surface to VBS from system firmware. |
+| Firmware: **Firmware support for SMM protection** | The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.| • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable) • Reduces the attack surface to VBS from system firmware. • Blocks additional security attacks against SMM. |
## Device Guard deployment in different scenarios: types of devices
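Review bot: The reworked 1703 table carries over spelling errors from the old rows instead of fixing them while the text is being touched: "exceutable" appears three times in the NX protection row, along with "non-volitile" and "not required for in". In the SMM protection row, the first benefit ("Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS") is two sentences fused together and should be reworded. In the baseline table, the new "Security benefits" cell for **64-bit CPU** is left empty; either fill it or state that the benefit is covered by the VBS row below.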
diff --git a/windows/device-security/security-policy-settings/accounts-administrator-account-status.md b/windows/device-security/security-policy-settings/accounts-administrator-account-status.md
index 5a3cde966e..aa07230763 100644
--- a/windows/device-security/security-policy-settings/accounts-administrator-account-status.md
+++ b/windows/device-security/security-policy-settings/accounts-administrator-account-status.md
@@ -18,18 +18,17 @@ Describes the best practices, location, values, and security considerations for
## Reference
-This security setting determines whether the local administrator account is enabled or disabled.
+This security setting determines whether the local Administrator account is enabled or disabled.
-If you try to enable the administrator account after it has been disabled, and if the current administrator password does not meet the password requirements, you cannot enable the account. In this case, an alternative member of the Administrators group must reset the password on the administrator account.
+The following conditions prevent disabling the Administrator account, even if this security setting is disabled.
-If you disable this policy setting, and one of the following conditions exists on the computer, the administrator account is not disabled.
-1. No other local administrator account exists
-2. The administrator account is currently in use
-3. All other local administrator accounts are:
+1. The Administrator account is currently in use
+2. The Administrators group has no other members
+3. All other members of the Administrators group are:
1. Disabled
2. Listed in the [Deny log on locally](deny-log-on-locally.md) User Rights Assignment
-If the current administrator password does not meet the password requirements, you will not be able to enable the administrator account again after it has been disabled. In this case, another member of the Administrators group must set the password on the administrator account.
+If the Administrator account is disabled, you cannot enable it if the password does not meet requirements. In this case, another member of the Administrators group must reset the password.
### Possible values
- Enabled
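Review bot: The new lead-in "The following conditions prevent disabling the Administrator account, even if this security setting is disabled." uses "disabling" and "disabled" for both the account and the policy in one sentence, which is easy to misread for a setting where Enabled and Disabled are the only values. Suggest naming the policy value explicitly, for example "If you set this policy to Disabled, the Administrator account remains enabled when any of the following conditions is true." The closing paragraph has the same issue: "does not meet requirements" should say "password requirements", as the removed text did.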
@@ -51,12 +50,14 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page.
| Server type or GPO | Default value |
+| - | - |
| Default Domain Policy | Not defined |
| Default Domain Controller Policy |Not defined |
| Stand-Alone Server Default Settings | Enabled |
| DC Effective Default Settings | Enabled |
| Member Server Effective Default Settings | Enabled |
| Client Computer Effective Default Settings | Disabled |
+
## Policy management
diff --git a/windows/device-security/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md b/windows/device-security/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
index 6c96f4605e..0264785b4b 100644
--- a/windows/device-security/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
+++ b/windows/device-security/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
author: justinha
---
diff --git a/windows/device-security/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md b/windows/device-security/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md
index b9a0e71329..3f98b0d5f2 100644
--- a/windows/device-security/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md
+++ b/windows/device-security/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md
@@ -24,11 +24,11 @@ This policy setting allows a client device to require the negotiation of 128-bit
- Require NTLMv2 session security
- The connection fails if strong encryption (128-bit) is not negotiated.
+ The connection fails if the NTLMv2 protocol is not negotiated.
- Require 128-bit encryption
- The connection fails if the NTLMv2 protocol is not negotiated.
+ The connection fails if strong encryption (128-bit) is not negotiated.
### Best practices
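Review bot: This corrects descriptions that were transposed between "Require NTLMv2 session security" and "Require 128-bit encryption", but only in the "-clients" article. If a matching servers article exists with the same two option descriptions, check it for the same transposition and fix it in this change, since an admin reading the old text would pick the wrong option for the failure behaviour they want.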
diff --git a/windows/device-security/security-policy-settings/security-options.md b/windows/device-security/security-policy-settings/security-options.md
index b4896738f7..e8cba42ee3 100644
--- a/windows/device-security/security-policy-settings/security-options.md
+++ b/windows/device-security/security-policy-settings/security-options.md
@@ -53,7 +53,8 @@ For info about setting security policies, see [Configure security policy setting
| [Domain member: Maximum machine account password age](domain-member-maximum-machine-account-password-age.md) |Describes the best practices, location, values, and security considerations for the **Domain member: Maximum machine account password age** security policy setting.|
|[Domain member: Require strong (Windows 2000 or later) session key](domain-member-require-strong-windows-2000-or-later-session-key.md)| Describes the best practices, location, values, and security considerations for the **Domain member: Require strong (Windows 2000 or later) session key** security policy setting. |
| [Interactive logon: Display user information when the session is locked](interactive-logon-display-user-information-when-the-session-is-locked.md)| Describes the best practices, location, values, and security considerations for the **Interactive logon: Display user information when the session is locked** security policy setting. |
-| [Interactive logon: Do not display last user name](interactive-logon-do-not-display-last-user-name.md)| Describes the best practices, location, values, and security considerations for the **Interactive logon: Do not display last user name** security policy setting.|
+| [Interactive logon: Don't display last signed-in](interactive-logon-do-not-display-last-user-name.md)| Describes the best practices, location, values, and security considerations for the **Interactive logon: Don't display last signed-in** security policy setting.|
+| [Interactive logon: Don't display username at sign-in](interactive-logon-dont-display-username-at-sign-in.md)| Describes the best practices, location, values, and security considerations for the **Interactive logon: Do not display username at sign-in** security policy setting.|
| [Interactive logon: Do not require CTRL+ALT+DEL](interactive-logon-do-not-require-ctrl-alt-del.md)| Describes the best practices, location, values, and security considerations for the **Interactive logon: Do not require CTRL+ALT+DEL** security policy setting.|
| [Interactive logon: Machine account lockout threshold](interactive-logon-machine-account-lockout-threshold.md) | Describes the best practices, location, values, management, and security considerations for the **Interactive logon: Machine account lockout threshold** security policy setting.|
| [Interactive logon: Machine inactivity limit](interactive-logon-machine-inactivity-limit.md)| Describes the best practices, location, values, management, and security considerations for the **Interactive logon: Machine inactivity limit** security policy setting.|
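Review bot: The two changed rows are inconsistent in how they name the settings. In the added row the link text reads "Don't display username at sign-in" while the bold setting name in the description reads "Do not display username at sign-in"; use whichever matches the policy name shown in the UI in both places. The renamed row "Interactive logon: Don't display last signed-in" still links to `interactive-logon-do-not-display-last-user-name.md`, which is fine for link stability, but confirm the target article's title was updated to the new name so the index and the page agree.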
diff --git a/windows/device-security/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md b/windows/device-security/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md
index 348aa4eb2d..16ed671235 100644
--- a/windows/device-security/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md
+++ b/windows/device-security/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md
@@ -9,7 +9,7 @@ ms.pagetype: security
author: brianlic-msft
---
-# Shutdown: Clear virtual memory pagefile - security policy setting
+# Shutdown: Clear virtual memory pagefile
**Applies to**
- Windows 10
diff --git a/windows/device-security/tpm/how-windows-uses-the-tpm.md b/windows/device-security/tpm/how-windows-uses-the-tpm.md
new file mode 100644
index 0000000000..88f2a9f786
--- /dev/null
+++ b/windows/device-security/tpm/how-windows-uses-the-tpm.md
@@ -0,0 +1,159 @@
+---
+title: How Windows uses the TPM
+description: This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it to enhance security.
+ms.assetid: 0f7e779c-bd25-42a8-b8c1-69dfb54d0c7f
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: brianlic-msft
+---
+
+# How Windows 10 uses the Trusted Platform Module
+
+The Windows 10 operating system improves most existing security features in the operating system and adds groundbreaking new security features such as Device Guard and Windows Hello for Business. It places hardware-based security deeper inside the operating system than previous Windows versions had done, maximizing platform security while increasing usability. To achieve many of these security enhancements, Windows 10 makes extensive use of the Trusted Platform Module (TPM). This article offers a brief overview of the TPM, describes how it works, and discusses the benefits that TPM brings to Windows 10—as well as the cumulative security impact of running Windows 10 on a PC that contains a TPM.
+
+
+**See also:**
+
+ - [Windows 10 Specifications](https://www.microsoft.com/windows/windows-10-specifications)
+
+ - [TPM Fundamentals](tpm-fundamentals.md)
+
+ - [TPM Recommendations](tpm-recommendations.md)
+
+## TPM Overview
+
+The TPM is a cryptographic module that enhances computer security and privacy. Protecting data through encryption and decryption, protecting authentication credentials, and proving which software is running on a system are basic functionalities associated with computer security. The TPM helps with all these scenarios and more.
+
+Historically, TPMs have been discrete chips soldered to a computer’s motherboard. Such implementations allow the computer’s original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. Although discrete TPM implementations are still common, they can be problematic for integrated devices that are small or have low power consumption. Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips.
+
+TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platform’s owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, a TPM must be provisioned. Windows 10 automatically provisions a TPM, but if the user reinstalls the operating system, he or she may need to tell the operating system to explicitly provision the TPM again before it can use all the TPM’s features.
+
+The Trusted Computing Group (TCG) is the nonprofit organization that publishes and maintains the TPM specification. The TCG exists to develop, define, and promote vendor-neutral, global industry standards that support a hardware-based root of trust for interoperable trusted computing platforms. The TCG also publishes the TPM specification as the international standard ISO/IEC 11889, using the Publicly Available Specification Submission Process that the Joint Technical Committee 1 defines between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
+
+OEMs implement the TPM as a component in a trusted computing platform, such as a PC, tablet, or phone. Trusted computing platforms use the TPM to support privacy and security scenarios that software alone cannot achieve. For example, software alone cannot reliably report whether malware is present during the system startup process. The close integration between TPM and platform increases the transparency of the startup process and supports evaluating device health by enabling reliable measuring and reporting of the software that starts the device. Implementation of a TPM as part of a trusted computing platform provides a hardware root of trust—that is, it behaves in a trusted way. For example, if a key stored in a TPM has properties that disallow exporting the key, that key *truly cannot leave the TPM*.
+
+The TCG designed the TPM as a low-cost, mass-market security solution that addresses the requirements of different customer segments. There are variations in the security properties of different TPM implementations just as there are variations in customer and regulatory requirements for different sectors. In public-sector procurement, for example, some governments have clearly defined security requirements for TPMs, whereas others do not.
+
+Certification programs for TPMs—and technology in general—continue to evolve as the speed of innovation increases. Although having a TPM is clearly better than not having a TPM, Microsoft’s best advice is to determine your organization’s security needs and research any regulatory requirements associated with procurement for your industry. The result is a balance between scenarios used, assurance level, cost, convenience, and availability.
+
+## TPM in Windows 10
+
+The security features of Windows 10 combined with the benefits of a TPM offer practical security and privacy benefits. The following sections start with major TPM-related security features in Windows 10 and go on to describe how key technologies use the TPM to enable or increase security.
+
+## Platform Crypto Provider
+
+Windows includes a cryptography framework called *Cryptographic API: Next Generation* (CNG), the basic approach of which is to implement cryptographic algorithms in different ways but with a common application programming interface (API). Applications that use cryptography can use the common API without knowing the details of how an algorithm is implemented much less the algorithm itself.
+
+Although CNG sounds like a mundane starting point, it illustrates some of the advantages that a TPM provides. Underneath the CNG interface, Windows or third parties supply a cryptographic provider (that is, an implementation of an algorithm) implemented as software libraries alone or in a combination of software and available system hardware or third-party hardware. If implemented through hardware, the cryptographic provider communicates with the hardware behind the software interface of CNG.
+
+The Platform Crypto Provider, introduced in the Windows 8 operating system, exposes the following special TPM properties, which software-only CNG providers cannot offer or cannot offer as effectively:
+
+• **Key protection**. The Platform Crypto Provider can create keys in the TPM with restrictions on their use. The operating system can load and use the keys in the TPM without copying the keys to system memory, where they are vulnerable to malware. The Platform Crypto Provider can also configure keys that a TPM protects so that they are not removable. If a TPM creates a key, the key is unique and resides only in that TPM. If the TPM imports a key, the Platform Crypto Provider can use the key in that TPM, but that TPM is not a source for making additional copies of the key or enabling the use of copies elsewhere. In sharp contrast, software solutions that protect keys from copying are subject to reverse-engineering attacks, in which someone figures out how the solution stores keys or makes copies of keys while they are in memory during use.
+
+• **Dictionary attack protection**. Keys that a TPM protects can require an authorization value such as a PIN. With dictionary attack protection, the TPM can prevent attacks that attempt a large number of guesses to determine the PIN. After too many guesses, the TPM simply returns an error saying no more guesses are allowed for a period of time. Software solutions might provide similar features, but they cannot provide the same level of protection, especially if the system restarts, the system clock changes, or files on the hard disk that count failed guesses are rolled back. In addition, with dictionary attack protection, authorization values such as PINs can be shorter and easier to remember while still providing the same level of protection as more complex values when using software solutions.
+
+These TPM features give Platform Crypto Provider distinct advantages over software-based solutions. A practical way to see these benefits in action is when using certificates on a Windows 10 device. On platforms that include a TPM, Windows can use the Platform Crypto Provider to provide certificate storage. Certificate templates can specify that a TPM use the Platform Crypto Provider to protect the key associated with a certificate. In mixed environments, where some computers might not have a TPM, the certificate template could simply prefer the Platform Crypto Provider over the standard Windows software provider. If a certificate is configured as not able to be exported, the private key for the certificate is restricted and cannot be exported from the TPM. If the certificate requires a PIN, the PIN gains the TPM’s dictionary attack protection automatically.
+
+## Virtual Smart Card
+
+Smart cards are highly secure physical devices that typically store a single certificate and the corresponding private key. Users insert a smart card into a built-in or USB card reader and enter a PIN to unlock it. Windows can then access the card’s certificate and use the private key for authentication or to unlock BitLocker protected data volumes. Smart cards are popular because they provide two-factor authentication that requires both something the user has (that is, the smart card) and something the user knows (such as the smart card PIN). Smart cards are difficult to use, however, because they require purchase and deployment of both smart cards and smart card readers.
+
+In Windows, the Virtual Smart Card feature allows the TPM to mimic a permanently inserted smart card. The TPM becomes “something the user has” but still requires a PIN. Although physical smart cards limit the number of PIN attempts before locking the card and requiring a reset, a virtual smart card relies on the TPM’s dictionary attack protection to prevent too many PIN guesses.
+
+For TPM-based virtual smart cards, the TPM protects the use and storage of the certificate private key so that it cannot be copied when it is in use or stored and used elsewhere. Using a component that is part of the system rather than a separate physical smart card can reduce total cost of ownership because it eliminates “lost card” and “card left at home” scenarios while still delivering the benefits of smart card–based multifactor authentication. For users, virtual smart cards are simple to use, requiring only a PIN to unlock. Virtual smart cards support the same scenarios that physical smart cards support, including signing in to Windows or authenticating for resource access.
+
+## Windows Hello for Business
+
+Windows Hello for Business provides authentication methods intended to replace passwords, which can be difficult to remember and easily compromised. In addition, user name - password solutions for authentication often reuse the same user name – password combinations on multiple devices and services; if those credentials are compromised, they are compromised in many places. Windows Hello for Business provisions devices one by one and combines the information provisioned on each device (i.e., the cryptographic key) with additional information to authenticate users. On a system that has a TPM, the TPM can protect the key. If a system does not have a TPM, software-based techniques protect the key. The additional information the user supplies can be a PIN value or, if the system has the necessary hardware, biometric information, such as fingerprint or facial recognition. To protect privacy, the biometric information is used only on the provisioned device to access the provisioned key: it is not shared across devices.
+
+The adoption of new authentication technology requires that identity providers and organizations deploy and use that technology. Windows Hello for Business lets users authenticate with their existing Microsoft account, an Active Directory account, a Microsoft Azure Active Directory account, or even non-Microsoft Identity Provider Services or Relying Party Services that support [Fast ID Online V2.0 authentication](http://go.microsoft.com/fwlink/p/?LinkId=533889).
+
+Identity providers have flexibility in how they provision credentials on client devices. For example, an organization might provision only those devices that have a TPM so that the organization knows that a TPM protects the credentials. The ability to distinguish a TPM from malware acting like a TPM requires the following TPM capabilities (see Figure 1):
+
+• **Endorsement key**. The TPM manufacturer can create a special key in the TPM called an *endorsement key*. An endorsement key certificate, signed by the manufacturer, says that the endorsement key is present in a TPM that that manufacturer made. Solutions can use the certificate with the TPM containing the endorsement key to confirm a scenario really involves a TPM from a specific TPM manufacturer (instead of malware acting like a TPM.
+
+• **Attestation identity key**. To protect privacy, most TPM scenarios do not directly use an actual endorsement key. Instead, they use attestation identity keys, and an identity certificate authority (CA) uses the endorsement key and its certificate to prove that one or more attestation identity keys actually exist in a real TPM. The identity CA issues attestation identity key certificates. More than one identity CA will generally see the same endorsement key certificate that can uniquely identify the TPM, but any number of attestation identity key certificates can be created to limit the information shared in other scenarios.
+
+
+
+*Figure 1: TPM Cryptographic Key Management*
+
+For Windows Hello for Business, Microsoft can fill the role of the identity CA. Microsoft services can issue an attestation identity key certificate for each device, user, and identify provider to ensure that privacy is protected and to help identity providers ensure that device TPM requirements are met before Windows Hello for Business credentials are provisioned.
+
+## BitLocker Drive Encryption
+
+BitLocker provides full-volume encryption to protect data at rest. The most common device configuration splits the hard drive into several volumes. The operating system and user data reside on one volume that holds confidential information, and other volumes hold public information such as boot components, system information and recovery tools. (These other volumes are used infrequently enough that they do not need to be visible to users.) Without additional protections in place, if the volume containing the operating system and user data is not encrypted, someone can boot another operating system and easily bypass the intended operating system’s enforcement of file permissions to read any user data.
+
+In the most common configuration, BitLocker encrypts the operating system volume so that if the computer or hard disk is lost or stolen when powered off, the data on the volume remains confidential. When the computer is turned on, starts normally, and proceeds to the Windows logon prompt, the only path forward is for the user to log on with his or her credentials, allowing the operating system to enforce its normal file permissions. If something about the boot process changes, however—for example, a different operating system is booted from a USB device—the operating system volume and user data cannot be read and are not accessible. The TPM and system firmware collaborate to record measurements of how the system started, including loaded software and configuration details such as whether boot occurred from the hard drive or a USB device. BitLocker relies on the TPM to allow the use of a key only when startup occurs in an expected way. The system firmware and TPM are carefully designed to work together to provide the following capabilities:
+
+• **Hardware root of trust for measurement**. A TPM allows software to send it commands that record measurements of software or configuration information. This information can be calculated using a hash algorithm that essentially transforms a lot of data into a small, statistically unique hash value. The system firmware has a component called the Core Root of Trust for Measurement (CRTM) that is implicitly trusted. The CRTM unconditionally hashes the next software component and records the measurement value by sending a command to the TPM. Successive components, whether system firmware or operating system loaders, continue the process by measuring any software components they load before running them. Because each component’s measurement is sent to the TPM before it runs, a component cannot erase its measurement from the TPM. (However, measurements are erased when the system is restarted.) The result is that at each step of the system startup process, the TPM holds measurements of boot software and configuration information. Any changes in boot software or configuration yield different TPM measurements at that step and later steps. Because the system firmware unconditionally starts the measurement chain, it provides a hardware-based root of trust for the TPM measurements. At some point in the startup process, the value of recording all loaded software and configuration information diminishes and the chain of measurements stops. The TPM allows for the creation of keys that can be used only when the platform configuration registers that hold the measurements have specific values.
+
+• **Key used only when boot measurements are accurate**. BitLocker creates a key in the TPM that can be used only when the boot measurements match an expected value. The expected value is calculated for the step in the startup process when Windows Boot Manager runs from the operating system volume on the system hard drive. Windows Boot Manager, which is stored unencrypted on the boot volume, needs to use the TPM key so that it can decrypt data read into memory from the operating system volume and startup can proceed using the encrypted operating system volume. If a different operating system is booted or the configuration is changed, the measurement values in the TPM will be different, the TPM will not let Windows Boot Manager use the key, and the startup process cannot proceed normally because the data on the operating system cannot be decrypted. If someone tries to boot the system with a different operating system or a different device, the software or configuration measurements in the TPM will be wrong and the TPM will not allow use of the key needed to decrypt the operating system volume. As a failsafe, if measurement values change unexpectedly, the user can always use the BitLocker recovery key to access volume data. Organizations can configure BitLocker to store the recovery key in Active Directory Domain Services (AD DS).
+
+Device hardware characteristics are important to BitLocker and its ability to protect data. One consideration is whether the device provides attack vectors when the system is at the logon screen. For example, if the Windows device has a port that allows direct memory access so that someone can plug in hardware and read memory, an attacker can read the operating system volume’s decryption key from memory while at the Windows logon screen. To mitigate this risk, organizations can configure BitLocker so that the TPM key requires both the correct software measurements and an authorization value. The system startup process stops at Windows Boot Manager, and the user is prompted to enter the authorization value for the TPM key or insert a USB device with the value. This process stops BitLocker from automatically loading the key into memory where it might be vulnerable, but has a less desirable user experience.
+
+Newer hardware and Windows 10 work better together to disable direct memory access through ports and reduce attack vectors. The result is that organizations can deploy more systems without requiring users to enter additional authorization information during the startup process. The right hardware allows BitLocker to be used with the “TPM-only” configuration giving users a single sign-on experience without having to enter a PIN or USB key during boot.
+
+## Device Encryption
+
+Device Encryption is the consumer version of BitLocker, and it uses the same underlying technology. How it works is if a customer logs on with a Microsoft account and the system meets InstantGo hardware requirements, BitLocker Drive Encryption is enabled automatically in Windows 10. The recovery key is backed up in the Microsoft cloud and is accessible to the consumer through his or her Microsoft account. The InstantGo hardware requirements inform Windows 10 that the hardware is appropriate for deploying Device Encryption and allows use of the “TPM-only” configuration for a simple consumer experience. In addition, InstantGo hardware is designed to reduce the likelihood that measurement values change and prompt the customer for the recovery key.
+
+For software measurements, Device Encryption relies on measurements of the authority providing software components (based on code signing from manufacturers such as OEMs or Microsoft) instead of the precise hashes of the software components themselves. This permits servicing of components without changing the resulting measurement values. For configuration measurements, the values used are based on the boot security policy instead of the numerous other configuration settings recorded during startup. These values also change less frequently. The result is that Device Encryption is enabled on appropriate hardware in a user-friendly way while also protecting data.
+
+## Measured Boot
+
+Windows 8 introduced Measured Boot as a way for the operating system to record the chain of measurements of software components and configuration information in the TPM through the initialization of the Windows operating system. In previous Windows versions, the measurement chain stopped at the Windows Boot Manager component itself, and the measurements in the TPM were not helpful for understanding the starting state of Windows.
+
+The Windows boot process happens in stages and often involves third-party drivers to communicate with vendor-specific hardware or implement antimalware solutions. For software, Measured Boot records measurements of the Windows kernel, Early-Launch Anti-Malware drivers, and boot drivers in the TPM. For configuration settings, Measured Boot records security-relevant information such as signature data that antimalware drivers use and configuration data about Windows security features (e.g., whether BitLocker is on or off).
+
+Measured Boot ensures that TPM measurements fully reflect the starting state of Windows software and configuration settings. If security settings and other protections are set up correctly, they can be trusted to maintain the security of the running operating system thereafter. Other scenarios can use the operating system’s starting state to determine whether the running operating system should be trusted.
+
+TPM measurements are designed to avoid recording any privacy-sensitive information as a measurement. As an additional privacy protection, Measured Boot stops the measurement chain at the initial starting state of Windows. Therefore, the set of measurements does not include details about which applications are in use or how Windows is being used. Measurement information can be shared with external entities to show that the device is enforcing adequate security policies and did not start with malware.
+
+The TPM provides the following way for scenarios to use the measurements recorded in the TPM during boot:
+
+• **Remote Attestation**. Using an attestation identity key, the TPM can generate and cryptographically sign a statement (or*quote*) of the current measurements in the TPM. Windows 10 can create unique attestation identity keys for various scenarios to prevent separate evaluators from collaborating to track the same device. Additional information in the quote is cryptographically scrambled to limit information sharing and better protect privacy. By sending the quote to a remote entity, a device can attest which software and configuration settings were used to boot the device and initialize the operating system. An attestation identity key certificate can provide further assurance that the quote is coming from a real TPM. Remote attestation is the process of recording measurements in the TPM, generating a quote, and sending the quote information to another system that evaluates the measurements to establish trust in a device. Figure 2 illustrates this process.
+
+When new security features are added to Windows, Measured Boot adds security-relevant configuration information to the measurements recorded in the TPM. Measured Boot enables remote attestation scenarios that reflect the system firmware and the Windows initialization state.
+
+
+
+*Figure 2: Process used to create evidence of boot software and configuration using a TPM*
+
+
+## Health Attestation
+
+Some Windows 10 improvements help security solutions implement remote attestation scenarios. Microsoft provides a Health Attestation service, which can create attestation identity key certificates for TPMs from different manufacturers as well as parse measured boot information to extract simple security assertions, such as whether BitLocker is on or off. The simple security assertions can be used to evaluate device health.
+
+Mobile device management (MDM) solutions can receive simple security assertions from the Microsoft Health Attestation service for a client without having to deal with the complexity of the quote or the detailed TPM measurements. MDM solutions can act on the security information by quarantining unhealthy devices or blocking access to cloud services such as Microsoft Office 365.
+
+## Credential Guard
+
+Credential Guard is a new feature in Windows 10 that helps protect Windows credentials in organizations that have deployed AD DS. Historically, a user’s credentials (e.g., logon password) were hashed to generate an authorization token. The user employed the token to access resources that he or she was permitted to use. One weakness of the token model is that malware that had access to the operating system kernel could look through the computer’s memory and harvest all the access tokens currently in use. The attacker could then use harvested tokens to log on to other machines and collect more credentials. This kind of attack is called a “pass the hash” attack, a malware technique that infects one machine to infect many machines across an organization.
+
+Similar to the way Microsoft Hyper-V keeps virtual machines (VMs) separate from one another, Credential Guard uses virtualization to isolate the process that hashes credentials in a memory area that the operating system kernel cannot access. This isolated memory area is initialized and protected during the boot process so that components in the larger operating system environment cannot tamper with it. Credential Guard uses the TPM to protect its keys with TPM measurements, so they are accessible only during the boot process step when the separate region is initialized; they are not available for the normal operating system kernel. The local security authority code in the Windows kernel interacts with the isolated memory area by passing in credentials and receiving single-use authorization tokens in return.
+
+The resulting solution provides defense in depth, because even if malware runs in the operating system kernel, it cannot access the secrets inside the isolated memory area that actually generates authorization tokens. The solution does not solve the problem of key loggers because the passwords such loggers capture actually pass through the normal Windows kernel, but when combined with other solutions, such as smart cards for authentication, Credential Guard greatly enhances the protection of credentials in Windows 10.
+
+## Conclusion
+
+The TPM adds hardware-based security benefits to Windows 10. When installed on hardware that includes a TPM, Window 10 delivers remarkably improved security benefits. The following table summarizes the key benefits of the TPM’s major features.
+
+
+|Feature | Benefits when used on a system with a TPM|
+|---|---|
+| Platform Crypto Provider | • If the machine is compromised, the private key associated with the certificate cannot be copied off the device. • The TPM’s dictionary attack mechanism protects PIN values to use a certificate.
+| Virtual Smart Card | • Achieve security similar to that of physical smart cards without deploying physical smart cards or card readers.|
+| Windows Hello for Business | • Credentials provisioned on a device cannot be copied elsewhere. • Confirm a device’s TPM before credentials are provisioned. |
+| BitLocker Drive Encryption | • Multiple options are available for enterprises to protect data at rest while balancing security requirements with different device hardware.
+|Device Encryption | • With a Microsoft account and the right hardware, consumers’ devices seamlessly benefit from data-at-rest protection.
+| Measured Boot | • A hardware root of trust contains boot measurements that help detect malware during remote attestation.
+| Health Attestation | • MDM solutions can easily perform remote attestation and evaluate client health before granting access to resources or cloud services such as Office 365.
+| Credential Guard | • Defense in depth increases so that even if malware has administrative rights on one machine, it is significantly more difficult to compromise additional machines in an organization.
+
+
+
+Although some of the aforementioned features have additional hardware requirements (e.g., virtualization support), the TPM is a cornerstone of Windows 10 security. Microsoft and other industry stakeholders continue to improve the global standards associated with TPM and find more and more applications that use it to provide tangible benefits to customers. Microsoft has included support for most TPM features in its version of Windows for the Internet of Things (IoT) called [Windows 10 IoT Core](https://developer.microsoft.com/windows/iot/iotcore). IoT devices that might be deployed in insecure physical locations and connected to cloud services like [Azure IoT Hub](https://azure.microsoft.com/documentation/services/iot-hub/) for management can use the TPM in innovative ways to address their emerging security requirements.
\ No newline at end of file
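Review bot: The front matter of this new file adds `localizationpriority: high`, while every other file touched in this patch renames that key to `ms.localizationpriority`; the new file should use the `ms.` form too, or it will need the same fix in a follow-up. A few text defects in the added body are worth correcting before merge: the Endorsement key bullet opens "(instead of malware acting like a TPM." and never closes the parenthesis; the Remote Attestation bullet has "(or*quote*)" with no space before the emphasis; "identify provider" in the paragraph after Figure 1 should be "identity provider"; and the Conclusion says "Window 10". In the summary table, only the Virtual Smart Card and Windows Hello for Business rows end with a closing `|`, so the remaining rows should be terminated the same way for consistent rendering. As shown here, the lines above the "Figure 1" and "Figure 2" captions are blank, so please confirm that the two PNGs added in this patch are actually referenced from the article. The file also ends without a trailing newline.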
diff --git a/windows/device-security/tpm/images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png b/windows/device-security/tpm/images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png
new file mode 100644
index 0000000000..64eb88ebe7
Binary files /dev/null and b/windows/device-security/tpm/images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png differ
diff --git a/windows/device-security/tpm/images/tpm-capabilities.png b/windows/device-security/tpm/images/tpm-capabilities.png
new file mode 100644
index 0000000000..b10c66b27c
Binary files /dev/null and b/windows/device-security/tpm/images/tpm-capabilities.png differ
diff --git a/windows/device-security/tpm/tpm-recommendations.md b/windows/device-security/tpm/tpm-recommendations.md
index d0283a1020..7c44d3803e 100644
--- a/windows/device-security/tpm/tpm-recommendations.md
+++ b/windows/device-security/tpm/tpm-recommendations.md
@@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
author: brianlic-msft
---
@@ -105,10 +105,10 @@ The following table defines which Windows features require TPM support.
| Passport: Domain AADJ Join | Required | Required | Supports both versions of TPM, but requires TPM with HMAC and EK certificate for key attestation support. |
| Passport: MSA or Local Account | Required | Required | TPM 2.0 is required with HMAC and EK certificate for key attestation support. |
| Device Encryption | Not Applicable | Required | TPM 2.0 is required for all InstantGo devices. |
-| Device Guard / Configurable Code Integrity | See next column | Recommended | |
+| Device Guard / Configurable Code Integrity | Not Applicable | Required | Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers. |
| Credential Guard | Required | Required | For Windows 10, version 1511, TPM 1.2 or 2.0 is highly recommended. If you don't have a TPM installed, Credential Guard will still be enabled, but the keys used to encrypt Credential Guard will not be protected by the TPM. |
| Device Health Attestation | Required | Required | |
-| Windows Hello | Not Required | Recommended | |
+| Windows Hello / Windows Hello for Business | Not Required | Recommended | Whenever possible, Microsoft recommends the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. [How keys are protected](https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-how-it-works#how-keys-are-protected) |
| UEFI Secure Boot | Not Required | Recommended | |
| Platform Key Storage provider | Required | Required | |
| Virtual Smart Card | Required | Required | |
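Review bot: In the Device Guard / Configurable Code Integrity row, the new comment ("Trusted Platform Module (TPM 2.0) must be enabled by default on new computers") describes a condition on new hardware rather than explaining why the feature itself moves from "See next column | Recommended" to "Not Applicable | Required"; please state the feature's actual dependency on the TPM, or keep "Recommended" if the intent is only to note the version 1607 hardware baseline. In the Windows Hello / Windows Hello for Business row, the link is an absolute docs.microsoft.com URL with the en-us locale baked in, whereas the new article in this same patch links sibling topics by relative path (for example `tpm-fundamentals.md`); a relative or locale-free link would be more consistent. The link is also appended after the final sentence with no lead-in, so something like "See How keys are protected" would read better in the table cell.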
diff --git a/windows/device-security/tpm/trusted-platform-module-overview.md b/windows/device-security/tpm/trusted-platform-module-overview.md
index ba05130ce1..119ebafb02 100644
--- a/windows/device-security/tpm/trusted-platform-module-overview.md
+++ b/windows/device-security/tpm/trusted-platform-module-overview.md
@@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
author: brianlic-msft
---
diff --git a/windows/device-security/tpm/trusted-platform-module-top-node.md b/windows/device-security/tpm/trusted-platform-module-top-node.md
index ad6428c661..f7ef7a4b61 100644
--- a/windows/device-security/tpm/trusted-platform-module-top-node.md
+++ b/windows/device-security/tpm/trusted-platform-module-top-node.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
author: brianlic-msft
---
diff --git a/windows/device-security/windows-10-mobile-security-guide.md b/windows/device-security/windows-10-mobile-security-guide.md
index 85ff61bf41..207c463b85 100644
--- a/windows/device-security/windows-10-mobile-security-guide.md
+++ b/windows/device-security/windows-10-mobile-security-guide.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security, mobile
-localizationpriority: high
+ms.localizationpriority: high
author: AMeeus
---
# Windows 10 Mobile security guide
diff --git a/windows/hub/index.md b/windows/hub/index.md
index 7ebbf52bf3..200db0cd98 100644
--- a/windows/hub/index.md
+++ b/windows/hub/index.md
@@ -3,7 +3,7 @@ title: Windows 10 and Windows 10 Mobile (Windows 10)
description: Find the latest how to and support content that IT pros need to evaluate, plan, deploy, secure and manage devices running Windows 10 or Windows 10 Mobile.
ms.assetid: 345A4B4E-BC1B-4F5C-9E90-58E647D11C60
ms.prod: w10
-localizationpriority: high
+ms.localizationpriority: high
author: brianlic-msft
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/threat-protection/block-untrusted-fonts-in-enterprise.md b/windows/threat-protection/block-untrusted-fonts-in-enterprise.md
index 8343d2c59e..e854d43efb 100644
--- a/windows/threat-protection/block-untrusted-fonts-in-enterprise.md
+++ b/windows/threat-protection/block-untrusted-fonts-in-enterprise.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: deploy
ms.pagetype: security
ms.sitesec: library
author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
---
# Block untrusted fonts in an enterprise
diff --git a/windows/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/threat-protection/overview-of-threat-mitigations-in-windows-10.md
index a23616e9a6..e3f898afa0 100644
--- a/windows/threat-protection/overview-of-threat-mitigations-in-windows-10.md
+++ b/windows/threat-protection/overview-of-threat-mitigations-in-windows-10.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
author: justinha
---
diff --git a/windows/threat-protection/secure-the-windows-10-boot-process.md b/windows/threat-protection/secure-the-windows-10-boot-process.md
index 2f0931b1dc..83a8c454ed 100644
--- a/windows/threat-protection/secure-the-windows-10-boot-process.md
+++ b/windows/threat-protection/secure-the-windows-10-boot-process.md
@@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: Explore
ms.pagetype: security
ms.sitesec: library
-localizationpriority: medium
+ms.localizationpriority: medium
author: brianlic-msft
ms.date: 06/23/2017
---
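Review bot: `ms.mktglfcycl: Explore` in the context just above the renamed key is capitalised, while the other files in this change use lowercase values (`deploy`, `manage`, `detect`). If the value is matched case-sensitively, this page would be categorised apart from the rest; lowercase it while the front matter is being touched, or confirm that `Explore` is an accepted value.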
diff --git a/windows/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md b/windows/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md
index 6d73bea83b..4f4815d991 100644
--- a/windows/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md
+++ b/windows/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md
@@ -7,7 +7,7 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-localizationpriority: medium
+ms.localizationpriority: medium
author: iaanw
---
diff --git a/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
index 9553373b80..3d00e3cd7e 100644
--- a/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
author: iaanw
msft.author: iawilt
---
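Review bot: The unchanged context line `msft.author: iawilt` uses a different key from the `ms.author: iawilt` that appears in other Windows Defender Antivirus files in this same change (for example configure-exclusions-windows-defender-antivirus.md). Since this commit is normalising front-matter keys to the `ms.` prefix, correct this key in the same pass so the author metadata is picked up consistently.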
diff --git a/windows/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md
index edf44cdddc..66f292c972 100644
--- a/windows/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
author: iaanw
---
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md
index 18065e7b67..28d95b5f7c 100644
--- a/windows/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
author: iaanw
---
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
index 0321537068..51e4da766a 100644
--- a/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
author: iaanw
---
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md
index 09874321a0..9db9a1a011 100644
--- a/windows/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
author: iaanw
---
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md
index 47b2f3f968..6483bcb53a 100644
--- a/windows/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
author: iaanw
---
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md
index eaaccf94c2..38c2c15f82 100644
--- a/windows/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 06/13/2017
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
index 193a5043bf..3ab8d056a6 100644
--- a/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 06/13/2017
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md
index 728b747ccb..4b7b42f001 100644
--- a/windows/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
author: iaanw
---
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
index e31e53a2bb..1d44078c65 100644
--- a/windows/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
author: iaanw
---
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
index a692199439..8cce4e1f03 100644
--- a/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
author: iaanw
---
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md
index 7e45146ca4..bd0aa9f9ff 100644
--- a/windows/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 06/13/2017
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md
index bf1f2f595e..c1996876ef 100644
--- a/windows/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
author: iaanw
---
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md
index 677e0883be..34adf05d43 100644
--- a/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
author: iaanw
---
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md
index b664d78cdf..2ae2cc1683 100644
--- a/windows/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
author: iaanw
---
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
index 6302c7bd01..033e1ba5fd 100644
--- a/windows/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 06/13/2017
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md b/windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md
index 5ba96c2e65..1e58b44fb0 100644
--- a/windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md
+++ b/windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
author: iaanw
---
diff --git a/windows/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
index fb622e18eb..6eb5d98e2e 100644
--- a/windows/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
author: iaanw
---
diff --git a/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
index 1c76376a0b..447437331e 100644
--- a/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
author: iaanw
---
diff --git a/windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md
index 0f51f5cf85..8424255df1 100644
--- a/windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
author: iaanw
---
diff --git a/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
index 29c80abf0c..c1f14fe426 100644
--- a/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
author: iaanw
---
diff --git a/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
index 296bbd7013..256b81f90d 100644
--- a/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: detect
ms.sitesec: library
ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
author: iaanw
---
diff --git a/windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
index 4057fe4655..755d7bb810 100644
--- a/windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
author: iaanw
---
diff --git a/windows/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md
index 4f51b16a7a..15297f3b96 100644
--- a/windows/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
author: iaanw
---
diff --git a/windows/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md
index 9726dfceba..123057dc01 100644
--- a/windows/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
author: iaanw
---
diff --git a/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md
index f067d7f1eb..019ed502c2 100644
--- a/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
author: iaanw
msft.author: iawilt
---
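Review bot: `msft.author: iawilt` is left as context here, but sibling files in this change carry `ms.author: iawilt`. Rename it alongside `ms.localizationpriority` so this file's front matter matches the rest of the set.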
diff --git a/windows/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md
index feffc5c8b6..d5838972b1 100644
--- a/windows/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
author: iaanw
---
diff --git a/windows/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
index 393342fba7..b8cc7b7586 100644
--- a/windows/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
author: iaanw
msft.author: iawilt
---
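Review bot: This file's front matter still has `msft.author: iawilt` rather than the `ms.author` key used elsewhere in the change. A quick search of the repository for `msft.author` before merging would catch every remaining instance.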
diff --git a/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
index 89be197b89..374162b001 100644
--- a/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
author: iaanw
---
diff --git a/windows/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md
index b54cfd7521..efcdb994fa 100644
--- a/windows/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
author: iaanw
---
diff --git a/windows/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md
index ce95481ff2..1da8e5b737 100644
--- a/windows/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
author: iaanw
---
diff --git a/windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md
index dda75ed42a..2082f44329 100644
--- a/windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
author: iaanw
---
diff --git a/windows/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md
index 63d6ce419e..3307e84851 100644
--- a/windows/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
author: iaanw
---
diff --git a/windows/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md
index 4e29084ea1..0fb07edd90 100644
--- a/windows/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
author: iaanw
---
diff --git a/windows/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md
index a4826a52ae..f9ad88746b 100644
--- a/windows/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
author: iaanw
---
diff --git a/windows/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md
index 321924a398..8e3ea5d3bf 100644
--- a/windows/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
author: iaanw
---
diff --git a/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md
index ed872bc01d..603cf37adf 100644
--- a/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 06/13/2017
diff --git a/windows/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md
index 661ce72277..79abd8d757 100644
--- a/windows/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
author: iaanw
---
diff --git a/windows/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md
index d7904ec127..49226c4cf3 100644
--- a/windows/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
author: iaanw
---
diff --git a/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md
index ae1135c98c..91fc5c207e 100644
--- a/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
author: iaanw
---
diff --git a/windows/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md
index 39b5a2ad99..306bf240d2 100644
--- a/windows/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
author: iaanw
---
diff --git a/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
index 5a534796e0..49d63c897a 100644
--- a/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
author: iaanw
---
diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
index 7eba149ae9..84504a1aae 100644
--- a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
+++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 06/13/2017
diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
index 942587b25b..8b27b216a4 100644
--- a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
+++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
author: iaanw
---
diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
index 29fbb9377a..f15f7b81a6 100644
--- a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
+++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
author: iaanw
---
diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-offline.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-offline.md
index af07823d3a..4672b5eff4 100644
--- a/windows/threat-protection/windows-defender-antivirus/windows-defender-offline.md
+++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-offline.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
author: iaanw
---
diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
index 2a053cc803..107ae34521 100644
--- a/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
author: iaanw
---
@@ -44,7 +44,7 @@ Settings that were previously part of the Windows Defender client and main Windo
>This will significantly lower the protection of your device and could lead to malware infection.
-See the [Windows Defender Security Center topic](/windows/threat-protection/windows-defender-security-center) for more information on other Windows security features that can be monitored in the app.
+See the [Windows Defender Security Center topic](/windows/threat-protection/windows-defender-security-center/windows-defender-security-center) for more information on other Windows security features that can be monitored in the app.
>[!NOTE]
>The Windows Defender Security Center app is a client interface on Windows 10, version 1703. It is not the Windows Defender Security Center web portal that is used to review and manage [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md).
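Review bot: The replacement link on the `+` line uses a site-absolute path with no `.md` extension, while the Windows Defender ATP link in the note directly below it uses a relative path ending in `.md`. Consider writing the new target the same way, as `../windows-defender-security-center/windows-defender-security-center.md`, so both links in this file follow one convention and a later move of the target folder is caught in the same way for both.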
diff --git a/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
index 81691de5b0..3e2f82bcdc 100644
--- a/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: macapara
author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
---
# Turn on advanced features in Windows Defender ATP
diff --git a/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md
index 5ae7bf350c..c56729bba8 100644
--- a/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: macapara
author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
---
# View and organize the Windows Defender Advanced Threat Protection Alerts queue
diff --git a/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md
index 78add1c8f2..bec8ac80d7 100644
--- a/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: macapara
author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
---
# Windows Defender ATP alert API fields
diff --git a/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md
index 429ac0c65b..8084be4e84 100644
--- a/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: macapara
author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
---
# Assign user access to the Windows Defender ATP portal
diff --git a/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md
index eba6caa7cc..ff45bb42eb 100644
--- a/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: macapara
author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
---
# Check sensor health state in Windows Defender ATP
diff --git a/windows/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md
index 385a17c7b8..df4b70e28a 100644
--- a/windows/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: macapara
author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
---
# Configure HP ArcSight to pull Windows Defender ATP alerts
diff --git a/windows/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md
index 99d2f5b51f..97bfb2b0af 100644
--- a/windows/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: macapara
author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
---
# Configure email notifications in Windows Defender ATP
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
index 703871c3fd..dd813aefb9 100644
--- a/windows/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: macapara
author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
---
# Configure endpoints using Group Policy
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
index a17a666708..2c8aed6960 100644
--- a/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: macapara
author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
---
# Configure endpoints using Mobile Device Management tools
@@ -105,7 +106,7 @@ Configuration for onboarded machines: telemetry reporting frequency | ./Device/V
1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
- a. Select **Endpoint management** on the **Navigation pane**.
+ a. Select **Endpoint management** > **Client management** on the **Navigation pane**.
b. Select **Mobile Device Management/Microsoft Intune** > **Download package** and save the .zip file.
@@ -123,30 +124,44 @@ Configuration for onboarded machines: telemetry reporting frequency | ./Device/V

-4. Type a name, description and choose **Windows 10 and later** as the Platform and **Windows Defender ATP (Windows 10 Desktop)** as the Profile type.
+6. Type a name, description and choose **Windows 10 and later** as the Platform and **Custom** as the Profile type.
- 
+ 
7. Click **Settings** > **Configure**.
- 
+ 
-8. Click the folder icon and select the WindowsDefenderATP.onboarding file you extracted earlier. Configure whether you want to allow sample collection from endpoints for [Deep Analysis](investigate-files-windows-defender-advanced-threat-protection.md) by choosing **All**, or disable this feature by choosing **None**. When complete, click **OK**.
+8. Under Custom OMA-URI Settings, click **Add**.
- 
+ 
-9. Click **Create**.
+9. Enter the following values, then click **OK**.
- 
+ 
-10. Search for and select the Group you want to apply the Configuration Policy to, then click **Select**.
+ - **Name**: Type a name for the setting.
+ - **Description**: Type a description for the setting.
+ - **OMA-URI**: _./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding_
+ - **Value**: Copy and paste the contents of the WindowsDefenderATP.onboarding file you downloaded.
- 
+10. Save the settings by clicking **OK**.
+
+11. Click **Create**.
-11. Click **Save** to finish deploying the Configuration Policy.
+ 
- 
+12. To deploy the Profile, click **Assignments**.
+ 
+
+13. Search for and select the Group you want to apply the Configuration Profile to, then click **Select**.
+
+ 
+
+14. Click **Save** to finish deploying the Configuration Profile.
+
+ 
### Offboard and monitor endpoints
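Review bot: The removed step 8 told the reader how to allow or disable sample collection for Deep Analysis (**All** or **None**), and the new custom OMA-URI steps 8 to 10 configure only `./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding`, so the procedure no longer says how that setting is chosen. Either add a step for the sample sharing setting or point back to the OMA-URI table that precedes this procedure. Two smaller points in the same hunk: step 9 ends with "then click **OK**" and step 10 again says "Save the settings by clicking **OK**", which reads as one click described twice unless the two dialogs are named. The **Value** bullet also says the `WindowsDefenderATP.onboarding` file "you downloaded", while step 1 downloads a .zip and the removed text said "extracted earlier". Step 11 still references `images/atp-intune-new-policy.png` although this patch adds `images/atp-intune-create-policy.png`, which none of the lines shown here use; please confirm which image is intended.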
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
index 1976fb8703..59794d532f 100644
--- a/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: macapara
author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
---
# Configure endpoints using System Center Configuration Manager
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md
index 1bde6ab2f6..0f47beb693 100644
--- a/windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: macapara
author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
---
# Configure endpoints using a local script
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md
index 73d4781fa1..f0e8bcee5c 100644
--- a/windows/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: macapara
author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
---
# Configure Windows Defender ATP endpoints
diff --git a/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
index c497229e55..ab5af4aee7 100644
--- a/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: macapara
author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
---
@@ -79,7 +80,7 @@ For example: netsh winhttp set proxy 10.0.0.6:8080
## Enable access to Windows Defender ATP service URLs in the proxy server
If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service in port 80 and 443:
-Primary Domain Controller | .Microsoft.com DNS record
+Service location | .Microsoft.com DNS record
:---|:---
US |```*.blob.core.windows.net``` ```crl.microsoft.com``` ```us.vortex-win.data.microsoft.com``` ```winatp-gw-cus.microsoft.com``` ```winatp-gw-eus.microsoft.com```
Europe |```*.blob.core.windows.net``` ```crl.microsoft.com``` ```eu.vortex-win.data.microsoft.com``` ```winatp-gw-neu.microsoft.com``` ```winatp-gw-weu.microsoft.com```
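Review bot: The first column header is now accurate, but the second header on the following context line, ".Microsoft.com DNS record", still does not match the rows, since both the US and Europe entries begin with `*.blob.core.windows.net`. Consider renaming it in the same change, for example to "Service URLs". Because this table is what administrators copy into a proxy or firewall allow list, it would also help to state that the wildcard entry is intentional.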
diff --git a/windows/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md
index 5bd33553ac..7b1168f940 100644
--- a/windows/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: macapara
author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
---
# Pull alerts to your SIEM tools
diff --git a/windows/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md
index 24412f45b9..f698a6aeb3 100644
--- a/windows/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: macapara
author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
---
# Configure Splunk to pull Windows Defender ATP alerts
diff --git a/windows/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
index c801b3feab..9a12691b2c 100644
--- a/windows/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: macapara
author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
---
# Create custom alerts using the threat intelligence (TI) application program interface (API)
diff --git a/windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md
index 07eb913511..6c6ffef9ba 100644
--- a/windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: macapara
author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
---
# View the Windows Defender Advanced Threat Protection Dashboard
diff --git a/windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md
index ad99762845..740f5bfac2 100644
--- a/windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: macapara
author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
---
# Windows Defender ATP data storage and privacy
diff --git a/windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md
index a10edb15c5..4a0d314348 100644
--- a/windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: macapara
author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
---
# Windows Defender compatibility
diff --git a/windows/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md
index 588dc98570..000296d697 100644
--- a/windows/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: macapara
author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
---
# Enable the custom threat intelligence API in Windows Defender ATP
diff --git a/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md
index 53cc303fdd..13f4d9520a 100644
--- a/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: macapara
author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
---
# Enable SIEM integration in Windows Defender ATP
diff --git a/windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md
index c32cb54316..cea3a9d683 100644
--- a/windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: iawilt
author: iaanw
-localizationpriority: high
+ms.localizationpriority: high
---
diff --git a/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md
index a74dd4b020..ebd6f01e25 100644
--- a/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: macapara
author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
---
# Experiment with custom threat intelligence (TI) alerts
diff --git a/windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
index 8b5493c587..ec792a86dc 100644
--- a/windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: macapara
author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
---
# Fix unhealthy sensors in Windows Defender ATP
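Review bot: The file name in this diff header is spelled `fix-unhealhty-sensors-...`, while the title on the last context line reads "Fix unhealthy sensors". Since the metadata of this file is being touched anyway, consider renaming the file to `fix-unhealthy-sensors-...` in a follow-up, with a redirect from the old path so existing links keep working.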
diff --git a/windows/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md
index fa66ca420f..4e1390a814 100644
--- a/windows/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: macapara
author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
---
# Update general Windows Defender ATP settings
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-create-profile.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-create-profile.png
index 9c41b16d73..7bb3ec3bb5 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-create-profile.png and b/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-create-profile.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-device-config.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-device-config.png
index 4d1885054b..acf42ec448 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-device-config.png and b/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-device-config.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-custom-oma-uri.png b/windows/threat-protection/windows-defender-atp/images/atp-custom-oma-uri.png
new file mode 100644
index 0000000000..614424a2ae
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-custom-oma-uri.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-intune-assignments.png b/windows/threat-protection/windows-defender-atp/images/atp-intune-assignments.png
new file mode 100644
index 0000000000..11c2bf608b
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-intune-assignments.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-intune-configure.png b/windows/threat-protection/windows-defender-atp/images/atp-intune-configure.png
new file mode 100644
index 0000000000..90f5b5b557
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-intune-configure.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-intune-create-policy.png b/windows/threat-protection/windows-defender-atp/images/atp-intune-create-policy.png
new file mode 100644
index 0000000000..3e486c0565
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-intune-create-policy.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-intune-custom.png b/windows/threat-protection/windows-defender-atp/images/atp-intune-custom.png
new file mode 100644
index 0000000000..c846a207df
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-intune-custom.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-intune-group.png b/windows/threat-protection/windows-defender-atp/images/atp-intune-group.png
new file mode 100644
index 0000000000..345a260612
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-intune-group.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-intune-save-deployment.png b/windows/threat-protection/windows-defender-atp/images/atp-intune-save-deployment.png
new file mode 100644
index 0000000000..e71db86d17
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-intune-save-deployment.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-mdm-onboarding-package.png b/windows/threat-protection/windows-defender-atp/images/atp-mdm-onboarding-package.png
index 6be87715e9..b97c524a43 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-mdm-onboarding-package.png and b/windows/threat-protection/windows-defender-atp/images/atp-mdm-onboarding-package.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-oma-uri-values.png b/windows/threat-protection/windows-defender-atp/images/atp-oma-uri-values.png
new file mode 100644
index 0000000000..bad96b9438
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-oma-uri-values.png differ
diff --git a/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md
index c621085545..22cb47ce0e 100644
--- a/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: macapara
author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
---
# Investigate Windows Defender Advanced Threat Protection alerts
diff --git a/windows/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md
index b107b3b042..bb040b50a1 100644
--- a/windows/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: macapara
author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
---
# Investigate a domain associated with a Windows Defender ATP alert
diff --git a/windows/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md
index ebf5a67b89..60f65b2052 100644
--- a/windows/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: macapara
author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
---
# Investigate a file associated with a Windows Defender ATP alert
diff --git a/windows/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md
index b531ee93f6..486af0335d 100644
--- a/windows/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: macapara
author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
---
# Investigate an IP address associated with a Windows Defender ATP alert
diff --git a/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
index 435dc1a3c2..2a4675f3c4 100644
--- a/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: macapara
author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
---
# Investigate machines in the Windows Defender ATP Machines list
diff --git a/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md
index 9f45aa0817..3fad51eada 100644
--- a/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: macapara
author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
---
# Investigate a user account in Windows Defender ATP
diff --git a/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
index ddcf2f5185..a36ea1a0a9 100644
--- a/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: macapara
author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
---
# View and organize the Windows Defender ATP Machines list
diff --git a/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md
index 7ad9b687cb..fb191cc3b3 100644
--- a/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: macapara
author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
---
# Manage Windows Defender Advanced Threat Protection alerts
diff --git a/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
index 82efa42cc1..2232344229 100644
--- a/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: iawilt
author: iaanw
-localizationpriority: high
+ms.localizationpriority: high
---
# Minimum requirements for Windows Defender ATP
@@ -116,10 +117,12 @@ If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the
sc qc diagtrack
```
-## Windows Defender signature updates are configured
-The Windows Defender ATP agent depends on Windows Defender’s ability to scan files and provide information about them. If Windows Defender is not the active antimalware in your organization, you may need to configure the signature updates. For more information see [Configure Windows Defender in Windows 10](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md).
+## Windows Defender Antivirus signature updates are configured
+The Windows Defender ATP agent depends on the ability of Windows Defender Antivirus to scan files and provide information about them. If Windows Defender Antivirus is not the active antimalware in your organization, you may need to configure the signature updates. For more information see [Configure Windows Defender Antivirus in Windows 10](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md).
-When Windows Defender is not the active antimalware in your organization and you use the Windows Defender ATP service, Windows Defender goes on passive mode. For more information, see the **Compatibility** section in the [Windows Defender in Windows 10 topic](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md).
+When Windows Defender Antivirus is not the active antimalware in your organization and you use the Windows Defender ATP service, Windows Defender Antivirus goes on passive mode. If your organization has disabled Windows Defender Antivirus through group policy or other methods, machines that are onboarded to Windows Defender ATP must be excluded from this group policy.
+
+For more information, see the **Compatibility** section in the [Windows Defender in Windows 10 topic](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md).
## Windows Defender Early Launch Antimalware (ELAM) driver is enabled
If you're running Windows Defender as the primary antimalware product on your endpoints, the Windows Defender ATP agent will successfully onboard.
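Review bot: The rename to Windows Defender Antivirus is incomplete in this hunk: the link text in the last added line still reads "Windows Defender in Windows 10 topic", and the unchanged ELAM heading and sentence that follow still say "Windows Defender". Align these with the new name. In the added paragraph, "goes on passive mode" should be "goes into passive mode", and "For more information see" needs a comma after "information". The new sentence saying onboarded machines "must be excluded from this group policy" does not name the policy setting or say how to scope the exclusion; name the setting or link to it, since a machine left under that policy loses the scanning the ATP agent depends on.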
diff --git a/windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
index 0acb1a9351..b433fffe39 100644
--- a/windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-author: iaanw
-localizationpriority: high
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
---
# Onboard and set up Windows Defender Advanced Threat Protection
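Review bot: Besides the metadata key rename, this front matter replaces `author: iaanw` with `author: mjcaparas`, which changes topic ownership rather than just the key name. If the transfer is intended, say so in the commit message; otherwise keep `author: iaanw` and add the `ms.author` value that belongs to that author.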
diff --git a/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md
index 6104ea6ffb..6105da4bd7 100644
--- a/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: macapara
author: DulceMV
-localizationpriority: high
+ms.localizationpriority: high
---
# Windows Defender Advanced Threat Protection portal overview
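Review bot: `ms.author: macapara` is added directly above `author: DulceMV`, so the two fields now name different people, whereas the neighbouring files in this patch pair macapara with `author: mjcaparas`. Confirm which owner is intended and make the pair consistent.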
diff --git a/windows/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md
index c34193f76e..68be48aa4f 100644
--- a/windows/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: macapara
author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
---
# PowerShell code examples for the custom threat intelligence API
diff --git a/windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md
index e2904380b5..66b0319b67 100644
--- a/windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: macapara
author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
---
# Configure Windows Defender ATP preferences settings
diff --git a/windows/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md
index 1c4dcb2648..8a3c2389d9 100644
--- a/windows/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: macapara
author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
---
# Turn on the preview experience in Windows Defender ATP
diff --git a/windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
index 8fb19c7e1a..4347ed4f8c 100644
--- a/windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: macapara
author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
---
# Windows Defender ATP preview features
diff --git a/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
index 2c68f00d27..38e72858dc 100644
--- a/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: macapara
author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
---
# Pull Windows Defender ATP alerts using REST API
diff --git a/windows/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md
index dc44b7cbea..d9602489d5 100644
--- a/windows/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: macapara
author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
---
# Python code examples for the custom threat intelligence API
diff --git a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
index 220ed86e05..7f69b9369f 100644
--- a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: macapara
author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
---
# Take response actions on a file
diff --git a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
index d0c899983f..3c8baf58e6 100644
--- a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: macapara
author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
---
# Take response actions on a machine
diff --git a/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md
index 597cefb9a1..eef6296540 100644
--- a/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: macapara
author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
---
# Take response actions in Windows Defender ATP
diff --git a/windows/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md
index 088b4ed61a..edd9a3e180 100644
--- a/windows/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: macapara
author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
---
# Check the Windows Defender Advanced Threat Protection service health
diff --git a/windows/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md
index caaafb618e..6dd42769f1 100644
--- a/windows/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: macapara
author: DulceMV
-localizationpriority: high
+ms.localizationpriority: high
---
# Windows Defender Advanced Threat Protection settings
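Review bot: The added `ms.author: macapara` does not correspond to `author: DulceMV` on the next line. Either set `ms.author` to the alias that belongs to DulceMV or update `author` if ownership of this topic has moved.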
diff --git a/windows/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md
index d1968d5761..c5cc1addec 100644
--- a/windows/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: macapara
author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
---
# Understand threat intelligence concepts
diff --git a/windows/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md
index 40fc971abf..1d8d5a0b52 100644
--- a/windows/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: macapara
author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
---
# Troubleshoot custom threat intelligence issues
diff --git a/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
index a43f5f374c..8575f7b937 100644
--- a/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: macapara
author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
---
# Troubleshoot Windows Defender Advanced Threat Protection onboarding issues
diff --git a/windows/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md
index c782fef5df..0a66cc942d 100644
--- a/windows/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: macapara
author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
---
# Troubleshoot SIEM tool integration issues
diff --git a/windows/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md
index 088a82e8d9..5bb2935a52 100644
--- a/windows/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: macapara
author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
---
# Troubleshoot Windows Defender Advanced Threat Protection
diff --git a/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md
index ba2be9225a..d4e2d80927 100644
--- a/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: macapara
author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
---
# Use the threat intelligence API to create custom alerts
diff --git a/windows/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md
index 6b8436e6ef..3c7f06e779 100644
--- a/windows/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: macapara
author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
---
# Use the Windows Defender Advanced Threat Protection portal
diff --git a/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
index 8f73a17944..512dd52132 100644
--- a/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
+ms.author: macapara
author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
---
# Windows Defender Advanced Threat Protection
diff --git a/windows/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/threat-protection/windows-defender-security-center/windows-defender-security-center.md
index f8376c934c..84618a3d06 100644
--- a/windows/threat-protection/windows-defender-security-center/windows-defender-security-center.md
+++ b/windows/threat-protection/windows-defender-security-center/windows-defender-security-center.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
author: iaanw
---
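Review bot: This front matter gets the `ms.localizationpriority` rename but no `ms.author` line, while the Windows Defender ATP files in the same patch receive both. If `ms.author` is now expected metadata, add it next to `author: iaanw`; if it is optional for this folder, note that in the commit message so the gap is not read as an omission.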
diff --git a/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md b/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
index 506e512699..957fc1f33b 100644
--- a/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
+++ b/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
---
# Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings
diff --git a/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md b/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
index 9b1db90c72..9f850fbb1d 100644
--- a/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
+++ b/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
---
# Windows Defender SmartScreen
diff --git a/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md b/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md
index e611009fcf..45117e0ad1 100644
--- a/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md
+++ b/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
---
# Set up and use Windows Defender SmartScreen on individual devices
diff --git a/windows/threat-protection/windows-information-protection/app-behavior-with-wip.md b/windows/threat-protection/windows-information-protection/app-behavior-with-wip.md
index 6f41240d2b..5e1df99718 100644
--- a/windows/threat-protection/windows-information-protection/app-behavior-with-wip.md
+++ b/windows/threat-protection/windows-information-protection/app-behavior-with-wip.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
ms.pagetype: security
ms.sitesec: library
author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
---
# Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)
diff --git a/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs.md b/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs.md
index 9316b2ab60..2b6985d243 100644
--- a/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs.md
+++ b/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
---
# How to collect Windows Information Protection (WIP) audit event logs
diff --git a/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md b/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
index 76d9d3a63c..50bf85a578 100644
--- a/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
+++ b/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
---
# Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate
diff --git a/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md b/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
index 15e17ff463..e4edc3e586 100644
--- a/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
+++ b/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
---
# Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune
diff --git a/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md b/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md
index 043f638474..7b54968b51 100644
--- a/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md
+++ b/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
---
# Associate and deploy a VPN policy for Windows Information Protection (WIP) using the classic console for Microsoft Intune
diff --git a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
index 5726426cf1..6f9d99a876 100644
--- a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
---
# Create a Windows Information Protection (WIP) with enrollment policy using the Azure portal for Microsoft Intune
@@ -364,7 +364,7 @@ We recommend that you start with **Silent** or **Allow Overrides** while verifyi
### Define your enterprise-managed corporate identity
Corporate identity, usually expressed as your primary Internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you’ve marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies.
-Starting with Windows 10, version 1703, Intune automatically determines your corporate identity and adds it to the Corporate identity field. You can specify multiple domains owned by your enterprise by separating them with the "|" character. For example, (`contoso.com|newcontoso.com`). With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list.
+Starting with Windows 10, version 1703, Intune automatically determines your corporate identity and adds it to the **Corporate identity** field.
**To change your corporate identity**
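Review bot: The rewritten paragraph drops three things the old text told administrators: the `|` separator syntax, that the first listed domain becomes the corporate identity, and the strong recommendation to include all email address domains. The context line above states that emails using the identity domain are what get identified as corporate, so the recommendation has policy impact; keep it and move it, with the syntax, to wherever the Advanced settings are documented instead of deleting it.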
@@ -372,7 +372,7 @@ Starting with Windows 10, version 1703, Intune automatically determines your cor
The **Required settings** blade appears.
-2. If the identity isn’t correct, or if you need to add additional domains, type info into the **Corporate identity** field. For example, `contoso.com|newcontoso.com`.
+2. If the auto-defined identity isn’t correct, you can change the info in the **Corporate identity** field. If you need to add additional domains, for example your email domains, you can do it in the **Advanced settings** area.

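Review bot: In the new step 2, "the **Advanced settings** area" is too vague to act on. The step does not name the setting that takes the additional domains, and it does not say whether the `|` separator from the removed example (`contoso.com|newcontoso.com`) still applies there. Suggest naming the field and linking to the section that documents it.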
diff --git a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md
index 17cfdf7f54..2f74bae405 100644
--- a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md
+++ b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
---
# Create a Windows Information Protection (WIP) policy using the classic console for Microsoft Intune
diff --git a/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md b/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md
index d8a879c4d2..16465baf1b 100644
--- a/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md
+++ b/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
---
# Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager
diff --git a/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md b/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
index 60eb44c676..b953181936 100644
--- a/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
+++ b/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
---
# Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune
diff --git a/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune.md b/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune.md
index a3b19da3c4..1cdad28951 100644
--- a/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune.md
+++ b/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
---
# Deploy your Windows Information Protection (WIP) policy using the classic console for Microsoft Intune
diff --git a/windows/threat-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/threat-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
index 159440b9aa..3694e13ba8 100644
--- a/windows/threat-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
+++ b/windows/threat-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
---
# List of enlightened Microsoft apps for use with Windows Information Protection (WIP)
diff --git a/windows/threat-protection/windows-information-protection/guidance-and-best-practices-wip.md b/windows/threat-protection/windows-information-protection/guidance-and-best-practices-wip.md
index af85cdebaf..73eddd870d 100644
--- a/windows/threat-protection/windows-information-protection/guidance-and-best-practices-wip.md
+++ b/windows/threat-protection/windows-information-protection/guidance-and-best-practices-wip.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
---
# General guidance and best practices for Windows Information Protection (WIP)
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-required-settings-corp-identity.png b/windows/threat-protection/windows-information-protection/images/wip-azure-required-settings-corp-identity.png
index 1481a21f0d..c2274ee1e8 100644
Binary files a/windows/threat-protection/windows-information-protection/images/wip-azure-required-settings-corp-identity.png and b/windows/threat-protection/windows-information-protection/images/wip-azure-required-settings-corp-identity.png differ
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-required-settings-protection-mode.png b/windows/threat-protection/windows-information-protection/images/wip-azure-required-settings-protection-mode.png
index 4bbd91028f..a1e3ed0c57 100644
Binary files a/windows/threat-protection/windows-information-protection/images/wip-azure-required-settings-protection-mode.png and b/windows/threat-protection/windows-information-protection/images/wip-azure-required-settings-protection-mode.png differ
diff --git a/windows/threat-protection/windows-information-protection/limitations-with-wip.md b/windows/threat-protection/windows-information-protection/limitations-with-wip.md
index 18971e3fe1..67b6897a16 100644
--- a/windows/threat-protection/windows-information-protection/limitations-with-wip.md
+++ b/windows/threat-protection/windows-information-protection/limitations-with-wip.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
---
# Limitations while using Windows Information Protection (WIP)
diff --git a/windows/threat-protection/windows-information-protection/mandatory-settings-for-wip.md b/windows/threat-protection/windows-information-protection/mandatory-settings-for-wip.md
index dfd5630dc2..d810066027 100644
--- a/windows/threat-protection/windows-information-protection/mandatory-settings-for-wip.md
+++ b/windows/threat-protection/windows-information-protection/mandatory-settings-for-wip.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
---
# Mandatory tasks and settings required to turn on Windows Information Protection (WIP)
diff --git a/windows/threat-protection/windows-information-protection/overview-create-wip-policy.md b/windows/threat-protection/windows-information-protection/overview-create-wip-policy.md
index caf17860ce..428c25c20d 100644
--- a/windows/threat-protection/windows-information-protection/overview-create-wip-policy.md
+++ b/windows/threat-protection/windows-information-protection/overview-create-wip-policy.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
---
# Create a Windows Information Protection (WIP) policy
diff --git a/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md
index 19071542aa..934aa9ae7c 100644
--- a/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md
+++ b/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
---
# Protect your enterprise data using Windows Information Protection (WIP)
diff --git a/windows/threat-protection/windows-information-protection/recommended-network-definitions-for-wip.md b/windows/threat-protection/windows-information-protection/recommended-network-definitions-for-wip.md
index f07d6ab555..418c24c0ef 100644
--- a/windows/threat-protection/windows-information-protection/recommended-network-definitions-for-wip.md
+++ b/windows/threat-protection/windows-information-protection/recommended-network-definitions-for-wip.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
---
# Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)
diff --git a/windows/threat-protection/windows-information-protection/testing-scenarios-for-wip.md b/windows/threat-protection/windows-information-protection/testing-scenarios-for-wip.md
index a46e4231ad..0c5aff23c1 100644
--- a/windows/threat-protection/windows-information-protection/testing-scenarios-for-wip.md
+++ b/windows/threat-protection/windows-information-protection/testing-scenarios-for-wip.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
---
# Testing scenarios for Windows Information Protection (WIP)
diff --git a/windows/threat-protection/windows-information-protection/using-owa-with-wip.md b/windows/threat-protection/windows-information-protection/using-owa-with-wip.md
index d60d0bf4ad..e2aacd97c4 100644
--- a/windows/threat-protection/windows-information-protection/using-owa-with-wip.md
+++ b/windows/threat-protection/windows-information-protection/using-owa-with-wip.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
---
# Using Outlook on the web with Windows Information Protection (WIP)
diff --git a/windows/threat-protection/windows-information-protection/wip-app-enterprise-context.md b/windows/threat-protection/windows-information-protection/wip-app-enterprise-context.md
index c3c1f07f56..fbf77802f5 100644
--- a/windows/threat-protection/windows-information-protection/wip-app-enterprise-context.md
+++ b/windows/threat-protection/windows-information-protection/wip-app-enterprise-context.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
---
# Determine the Enterprise Context of an app running in Windows Information Protection (WIP)
diff --git a/windows/whats-new/index.md b/windows/whats-new/index.md
index e0bd472d86..8f5712038b 100644
--- a/windows/whats-new/index.md
+++ b/windows/whats-new/index.md
@@ -5,7 +5,7 @@ ms.assetid: F1867017-76A1-4761-A200-7450B96AEF44
keywords: ["What's new in Windows 10", "Windows 10", "anniversary update", "contribute", "edit topic"]
ms.prod: w10
author: TrudyHa
-localizationpriority: high
+ms.localizationpriority: high
---
# What's new in Windows 10
diff --git a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md
index 09d1e54940..bfb93ebeb4 100644
--- a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md
+++ b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md
@@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: TrudyHa
-localizationpriority: high
+ms.localizationpriority: high
---
# What's new in Windows 10, versions 1507 and 1511
@@ -201,7 +201,7 @@ Event ID 6416 has been added to track when an external device is detected throug
The following sections describe the new and changed functionality in the TPM for Windows 10:
- [Device health attestation](#bkmk-dha)
- [Microsoft Passport](/windows/access-protection/hello-for-business/hello-identity-verification) support
-- [Device Guard](/windows/access-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies) support
+- [Device Guard](/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies) support
- [Credential Guard](/windows/access-protection/credential-guard/credential-guard) support
### Device health attestation
diff --git a/windows/whats-new/whats-new-windows-10-version-1607.md b/windows/whats-new/whats-new-windows-10-version-1607.md
index 07612029c5..982900b337 100644
--- a/windows/whats-new/whats-new-windows-10-version-1607.md
+++ b/windows/whats-new/whats-new-windows-10-version-1607.md
@@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: TrudyHa
-localizationpriority: high
+ms.localizationpriority: high
---
# What's new in Windows 10, version 1607
@@ -31,13 +31,13 @@ Windows ICD now includes simplified workflows for creating provisioning packages
[Learn more about using provisioning packages in Windows 10.](/windows/configuration/provisioning-packages/provisioning-packages)
-### Windows Upgrade Analytics
+### Windows Upgrade Readiness
-Microsoft developed Upgrade Analytics in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Upgrade Analytics was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10.
+Microsoft developed Upgrade Readiness in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Upgrade Readiness was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10.
-With Windows telemetry enabled, Upgrade Analytics collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft.
+With Windows telemetry enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft.
-Use Upgrade Analytics to get:
+Use Upgrade Readiness to get:
- A visual workflow that guides you from pilot to production
- Detailed computer and application inventory
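Review bot: Renaming the heading to "### Windows Upgrade Readiness" will most likely change the section's generated anchor, so links that target the old "Windows Upgrade Analytics" heading would stop landing on it. Please check for inbound references before merging. A short "(formerly Upgrade Analytics)" on first mention would also help readers who search for the old name.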
@@ -47,9 +47,9 @@ Use Upgrade Analytics to get:
- Application usage information, allowing targeted validation; workflow to track validation progress and decisions
- Data export to commonly used software deployment tools
-The Upgrade Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are upgrade-ready.
+The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are upgrade-ready.
-[Learn more about planning and managing Windows upgrades with Windows Upgrade Analytics.](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-analytics)
+[Learn more about planning and managing Windows upgrades with Windows Upgrade Readiness.](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness)
## Windows updates
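Review bot: The "Learn more" link now targets /windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness, but nothing visible in this hunk shows that the target topic was renamed in the same change or that the old -upgrade-analytics URL redirects. Please confirm both, otherwise this link or existing bookmarks to the old URL will break.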
@@ -102,7 +102,7 @@ Several new features and management options have been added to Windows Defender
- [Windows Defender Offline in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-offline) can be run directly from within Windows, without having to create bootable media.
- [Use PowerShell cmdlets for Windows Defender](/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus) to configure options and run scans.
-- [Enable the Block at First Sight feature in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-block-at-first-sight) to leverage the Windows Defender cloud for near-instant protection against new malware.
+- [Enable the Block at First Sight feature in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) to leverage the Windows Defender cloud for near-instant protection against new malware.
- [Configure enhanced notifications for Windows Defender in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus) to see more informaiton about threat detections and removal.
- [Run a Windows Defender scan from the command line](/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus).
- [Detect and block Potentially Unwanted Applications with Windows Defender](/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus) during download and install times.
diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md
index f819d4326c..f9ecc8bc12 100644
--- a/windows/whats-new/whats-new-windows-10-version-1703.md
+++ b/windows/whats-new/whats-new-windows-10-version-1703.md
@@ -1,12 +1,12 @@
---
-title: What's in Windows 10, version 1703
+title: What's new in Windows 10, version 1703
description: New and updated IT pro content about new features in Windows 10, version 1703 (also known as the Creators Updated).
keywords: ["What's new in Windows 10", "Windows 10", "creators update"]
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: JasonGerend
-localizationpriority: high
+ms.localizationpriority: high
ms.assetid: dca7c655-c4f6-45f8-aa02-64187b202617
---
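Review bot: The title fix is good, but the description line right below it still reads "also known as the Creators Updated", while the keywords line uses "creators update". Suggest correcting the description to "Creators Update" in the same hunk so the metadata is consistent.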
@@ -151,7 +151,7 @@ You can read more about ransomware mitigations and detection capability in Windo
### Device Guard and Credential Guard
Additional security qualifications for Device Guard and Credential Guard help protect vulnerabilities in UEFI runtime.
-For more information, see [Device Guard Requirements](/windows/access-protection/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard) and [Credential Guard Security Considerations](/windows/access-protection/credential-guard//credential-guard-requirements#security-considerations).
+For more information, see [Device Guard Requirements](/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard) and [Credential Guard Security Considerations](/windows/access-protection/credential-guard/credential-guard-requirements#security-considerations).
### Group Policy Security Options
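Review bot: The sentence above the corrected links, "Additional security qualifications for Device Guard and Credential Guard help protect vulnerabilities in UEFI runtime", says the opposite of what is meant. Suggest "help protect against vulnerabilities in UEFI runtime" while this paragraph is being edited. The removal of the doubled slash in the Credential Guard path looks right.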
@@ -171,9 +171,9 @@ For Windows desktops, users are able to reset a forgotten PIN through **Settings
For more details, check out [What if I forget my PIN?](/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password#what-if-i-forget-my-pin).
### Windows Information Protection (WIP) and Azure Active Directory (Azure AD)
-Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. For more info, see [Create a Windows Information Protection (WIP) policy using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md) and [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md).
+Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. For more info, see [Create a Windows Information Protection (WIP) policy using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune) and [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune).
-You can also now collect your audit event logs by using the Reporting configuration service provider (CSP) or the Windows Event Forwarding (for Windows desktop domain-joined devices). For info, see the brand-new topic, [How to collect Windows Information Protection (WIP) audit event logs](/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs.md).
+You can also now collect your audit event logs by using the Reporting configuration service provider (CSP) or the Windows Event Forwarding (for Windows desktop domain-joined devices). For info, see the brand-new topic, [How to collect Windows Information Protection (WIP) audit event logs](/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs).
## Update
@@ -295,6 +295,37 @@ Windows 10 Mobile, version 1703 also includes the following enhancements:
- Set Ethernet port properties
- Set proxy properties for the Ethernet port
+## Miracast on existing wireless network or LAN
+
+In the Windows 10, version 1703, Microsoft has extended the ability to send a Miracast stream over a local network rather than over a direct wireless link. This functionality is based on the [Miracast over Infrastructure Connection Establishment Protocol (MS-MICE)](https://msdn.microsoft.com/library/mt796768.aspx).
+
+Miracast over Infrastructure offers a number of benefits:
+
+- Windows automatically detects when sending the video stream over this path is applicable.
+- Windows will only choose this route if the connection is over Ethernet or a secure Wi-Fi network.
+- Users do not have to change how they connect to a Miracast receiver. They use the same UX as for standard Miracast connections.
+- No changes to current wireless drivers or PC hardware are required.
+- It works well with older wireless hardware that is not optimized for Miracast over Wi-Fi Direct.
+- It leverages an existing connection which both reduces the time to connect and provides a very stable stream.
+
+
+### How it works
+
+Users attempt to connect to a Miracast receiver as they did previously. When the list of Miracast receivers is populated, Windows 10 will identify that the receiver is capable of supporting a connection over the infrastructure. When the user selects a Miracast receiver, Windows 10 will attempt to resolve the device's hostname via standard DNS, as well as via multicast DNS (mDNS). If the name is not resolvable via either DNS method, Windows 10 will fall back to establishing the Miracast session using the standard Wi-Fi direct connection.
+
+### Enabling Miracast over Infrastructure
+
+If you have a device that has been updated to Windows 10, version 1703, then you automatically have this new feature. To take advantage of it in your environment, you need to ensure the following is true within your deployment:
+
+- The device (PC, phone, or Surface Hub) needs to be running Windows 10, version 1703.
+- A Windows PC or Surface Hub can act as a Miracast over Infrastructure *receiver*. A Windows PC or phone can act as a Miracast over Infrastructure *source*.
+ - As a Miracast receiver, the PC or Surface Hub must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself.
+ - As a Miracast source, the PC or phone must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection.
+- The DNS Hostname (device name) of the device needs to be resolvable via your DNS servers. You can achieve this by either allowing your device to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the device's hostname.
+- Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection.
+
+It is important to note that Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don’t have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method.
+
## New features in related products
The following new features aren't part of Windows 10, but help you make the most of it.
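Review bot: In the "Enabling Miracast over Infrastructure" list, the open-network caveat ("If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself") names only the Hub, although the bullet covers "the PC or Surface Hub". Please state whether a PC receiver behaves the same way, since this is the condition that keeps the stream off unsecured networks. The final bullet ("Windows 10 PCs must be connected to the same enterprise network ...") repeats the source sub-bullet and can be dropped. The DNS bullet requires resolution via your DNS servers, while "How it works" says mDNS is also tried, so say whether mDNS alone is sufficient. Smaller points: "In the Windows 10, version 1703" should read "In Windows 10, version 1703", and "Wi-Fi direct" in "How it works" should be capitalised "Wi-Fi Direct" to match the rest of the section.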