Merge branch 'master' of https://cpubwin.visualstudio.com/_git/it-client into microsoft-edge-preview

This commit is contained in:
Patti Short
2018-08-06 09:49:50 -07:00
57 changed files with 653 additions and 277 deletions

View File

@ -7,7 +7,7 @@ author: jdeckerms
ms.author: jdecker
ms.topic: article
ms.localizationpriority: medium
ms.date: 07/27/2017
ms.date: 08/02/2018
---
# Set up HoloLens
@ -30,7 +30,12 @@ The HoloLens setup process combines a quick tutorial on using HoloLens with the
2. [Turn on HoloLens](https://support.microsoft.com/help/12642). You will be guided through a calibration procedure and how to perform [the gestures](https://support.microsoft.com/help/12644/hololens-use-gestures) that you will use to operate HoloLens.
3. Next, you'll be guided through connecting to a Wi-Fi network.
4. After HoloLens connects to the Wi-Fi network, you select between **My work or school owns it** and **I own it**.
- When you choose **My work or school owns it**, you sign in with an Azure AD account. If your organization uses Azure AD Premium and has configured automatic MDM enrollment, HoloLens will be enrolled in MDM. If your organization does not use Azure AD Premium, automatic MDM enrollment isn't available, so you will need to [enroll HoloLens in device management manually](hololens-enroll-mdm.md#enroll-through-settings-app).
- When you choose **My work or school owns it**, you sign in with an Azure AD account.
>[!NOTE]
>[To share your HoloLens device with multiple Azure AD accounts](hololens-multiple-users.md), the HoloLens device must be running Windows 10, version 1803, and be [upgraded to Windows Holographic for Business](hololens-upgrade-enterprise.md).
If your organization uses Azure AD Premium and has configured automatic MDM enrollment, HoloLens will be enrolled in MDM. If your organization does not use Azure AD Premium, automatic MDM enrollment isn't available, so you will need to [enroll HoloLens in device management manually](hololens-enroll-mdm.md#enroll-through-settings-app).
1. Enter your organizational account.
2. Accept privacy statement.
3. Sign in using your Azure AD credentials. This may redirect to your organization's sign-in page.
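Review bot: The new `[!NOTE]` block sits between the sentence "you sign in with an Azure AD account" and the paragraph on automatic MDM enrollment, so the explanation of the **My work or school owns it** choice is now split around a note on a different topic (sharing a device between several Azure AD accounts). Consider moving the note below the MDM enrollment paragraph, or indenting it so it renders as part of the same list item, and check that the numbered sub-steps that follow still render under step 4.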

View File

@ -42,7 +42,7 @@ Management of SEMM with Configuration Manager requires the installation of Micro
#### Download SEMM scripts for Configuration Manager
After Microsoft Surface UEFI Manager is installed on the client Surface device, SEMM is deployed and managed with PowerShell scripts. You can download samples of the [SEMM management scripts](https://gallery.technet.microsoft.com/Sample-PowerShell-for-5eb5f03c) from the TechNet Gallery Script Center.
After Microsoft Surface UEFI Manager is installed on the client Surface device, SEMM is deployed and managed with PowerShell scripts. You can download samples of the [SEMM management scripts](https://www.microsoft.com/en-us/download/details.aspx?id=46703) from the Download Center.
## Deploy Microsoft Surface UEFI Manager
@ -269,7 +269,7 @@ The following code fragment, found on lines 352-363, is used to write this regis
### Settings names and IDs
To configure Surface UEFI settings or permissions for Surface UEFI settings, you must refer to each setting by either its setting name or setting ID. With each new update for Surface UEFI, new settings may be added. The best way to get a complete list of the settings available on a Surface device, along with the settings name and settings IDs, is to use the ShowSettingsOptions.ps1 script from [SEMM management scripts for Configuration Manager](https://gallery.technet.microsoft.com/Sample-PowerShell-for-5eb5f03c) in the TechNet Gallery Script Center.
To configure Surface UEFI settings or permissions for Surface UEFI settings, you must refer to each setting by either its setting name or setting ID. With each new update for Surface UEFI, new settings may be added. The best way to get a complete list of the settings available on a Surface device, along with the settings name and settings IDs, is to use the ShowSettingsOptions.ps1 script from SEMM_Powershell.zip in [Surface Tools for IT Downloads](https://www.microsoft.com/en-us/download/details.aspx?id=46703)
The computer where ShowSettingsOptions.ps1 is run must have Microsoft Surface UEFI Manager installed, but the script does not require a Surface device.
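Review bot: The replacement sentence in this hunk ends at the link, "[Surface Tools for IT Downloads](https://www.microsoft.com/en-us/download/details.aspx?id=46703)", with no closing period. The same URL is also described two ways in this file: the earlier hunk calls it "the Download Center" under the link text "SEMM management scripts", while this one calls it "Surface Tools for IT Downloads" and names SEMM_Powershell.zip. Since readers download and run these scripts, name the page and the archive the same way in both places so it is clear which file to fetch.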

Binary file not shown.

View File

@ -7,10 +7,10 @@ ms.technology: Windows
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: edu
ms.localizationpriority: high
ms.localizationpriority: medium
author: lenewsad
ms.author: lanewsad
ms.date: 07/11/2018
ms.date: 08/03/2018
---
# Use the Set up School PCs app
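Review bot: The metadata lines left unchanged in this hunk read `author: lenewsad` and `ms.author: lanewsad`, which differ by one letter. While the header is being edited for `ms.localizationpriority` and `ms.date`, confirm which spelling is correct and make the two fields agree if they are meant to be the same alias.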
@ -69,7 +69,7 @@ This section offers recommendations to prepare you for the best possible setup e
We recommend you run the IT administrator or technical teacher's device on the same Windows 10 build as the student PCs.
### Student PCs should meet OS requirements for the app
Check the minimum OS requirements in the Set up School PCs app. We recommend using the latest Set up School PCs app along with the latest Windows 10 images on the student PCs.
Check the OS requirements in the Set up School PCs app. We recommend using the latest Set up School PCs app along with the latest Windows 10 images on the student PCs.
To check the app's OS requirements, go to the Microsoft Store and locate the Set up School PCs app. In the app's description, go to **System Requirements > OS**.
@ -82,7 +82,7 @@ We recommend that you run the Set up School PCs app on a computer that's connect
>* Open Wi-Fi networks that require the user to accept Terms of Use.
### Run app on an open network or network that requires a basic password
Don't use Set up School PCs over a certification-based network, or one where you have to enter credentials in a browser. If you need to set up numerous devices over Wi-Fi, make sure that your network configuration can support it.
Don't use Set up School PCs over a certification-based network, or one where you have to enter credentials in a browser. If you need to set up many devices over Wi-Fi, make sure that your network configuration can support it.
We recommend that you:
* Configure your DHCP so at least 200 IP addresses are available for your devices. Having available IP addresses will allow you to set up many devices simultaneously.
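Review bot: The edited sentence still says "certification-based network"; the wording change from "numerous" to "many" touched this line but left that term alone. If the intent is a Wi-Fi network that authenticates with certificates, "certificate-based network" is the usual term and is worth fixing in the same pass.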
@ -92,16 +92,17 @@ We recommend that you:
> Only use the provisioning package on PCs that you want to configure and lock down for students. After you apply the provisioning package to a student PC, the PC must be reset to remove the settings.
### Use an additional USB drive
You can set up PCs at the same time. Just save the provisioning package to an additional USB drive. Then plug them in at the same time during deployment.
To set up more than one PC at the same time, save the provisioning package to additional USB drives. Then plug the USBs in at the same time during setup.
### Limit changes to school-optimized settings
We strongly recommend that you avoid changing preset policies. Changes can slow down setup, performance, and sign-in time.
We strongly recommend that you avoid changing preset policies. Changes can slow down setup, performance, and the time it takes to sign in.
## Create the provisioning package
The **Set up School PCs** app guides you through the configuration choices for the student PCs.
### Sign-in
### Sign in
1. Open the Set up School PCs app on your PC and click **Get started**.
![Launch the Set up School PCs app](images/suspc_getstarted_050817.png)
@ -120,10 +121,10 @@ a. Click **Work or school account** > **Continue**.
1. Click **Accept** to allow Set up School PCs to access your account throughout setup.
2. When your account name appears on the page, as shown in the image below, click **Next.**
![Verify that the account you selected shows up](images/suspc_createpackage_signin.png)
![Verify that the account you selected shows up](images/suspc-createpackage-signin-1807.png)
### Wireless network
Add and save a wireless network profile to provision on each student PC. Only skip Wi-Fi setup if you have an Ethernet connection.
Add and save the wireless network profile that you want student PCs to connect to. Only skip Wi-Fi setup if you have an Ethernet connection.
Select your school's Wi-Fi network from the list of available wireless networks, or click **Add a wireless network** to manually configure it. Then click **Next.**
@ -141,39 +142,52 @@ To make sure all device names are unique, Set up School PCs automatically append
### Settings
Select additional settings to include in the provisioning package. To begin, select the operating system on your student PCs.
![Screenshot of the Current OS version page with the Select OS version menu selected, showing 6 Windows 10 options. All other settings on page are unavailable to select.](images/suspc-current-os-version-1807.png)
![Configure student PC settings page showing 5 settings with checkboxes and 1 setting with browser button](images/suspc-configure-student-settings-1807.png)
Setting selections vary based on the OS version you select. The example screenshot below shows the settings that become available when you select **Windows 10 version 1703**. The option to **Enable Autopilot Reset** is not available for this version of Windows 10.
Setting selections vary based on the OS version you select. The following table lists all possible settings, descriptions, and important notes to consider. After you've made your selections, click **Next**.
![Example screenshot of the Current OS version page, with Windows 10 version 1803 selected. 4 available settings and 1 unavailable setting are shown, and none are selected.](images/suspc-available-student-settings-1807.png)
> [!NOTE]
> The [**Time zone** setting](use-set-up-school-pcs-app.md#time-zone), shown in the sidebar of the screenshot below, is not made available to versions of Windows 10 in S mode. If you select a version in S mode, you will not be asked to configure the time zone.
|Setting |What happens if I select it? |Note|
|---------|---------|---------|
|Remove apps pre-installed by the device manufacturer | Uninstalls apps that came loaded on the computer by the device's manufacturer. |Adds about 30 minutes to the provisioning process.|
|Allow local storage (not recommended for shared devices) | Lets students save files to the Desktop and Documents folder on the Student PC. |Not recommended if the device will be part of a shared cart or lab.|
|Optimize device for a single student, instead of a shared cart or lab |Optimizes the device for use by a single student, rather than many students. |Recommended option only if the device is not shared with other students in the school. Single-optimized accounts are set to expire, and require a signin, 180 days after setup. This setting increases the maximum PC storage to 100% of the available disk space. In this case, student accounts aren't deleted unless the account has been inactive for 180 days. |
|Let guests sign in to these PCs |Allows guests to use student PCs without a school account. |Common to use within a public, shared space, such as a library. Also used when a student loses their password. Adds a **Guest** account to the PC sign-in screen that anyone can sign in to.|
|Enable Windows Autopilot Reset | Lets you remotely reset a students PC from the lock screen, apply the devices original settings, and enroll it in device management (Azure AD and MDM). |Requires Windows 10, version 1709 and WinRE must be enabled on the PC. Setup will fail if both requirements aren't met.|
|Lock screen background|Change the default screen lock background to a custom image.|Click **Browse** to search for an image file on your computer. Accepted image formats are jpg, jpeg, and png.|
The following table describes each setting and lists the applicable Windows 10 versions. To find out if a setting is available in your version of Windows 10, look for an *X* in the setting row and in the version column.
|Setting |1703|1709|1803|What happens if I select it? |Note|
|---------|---------|---------|---------|---------|---------|
|Remove apps pre-installed by the device manufacturer |X|X|X| Uninstalls apps that came loaded on the computer by the device's manufacturer. |Adds about 30 minutes to the provisioning process.|
|Allow local storage (not recommended for shared devices) |X|X|X| Lets students save files to the Desktop and Documents folder on the Student PC. |Not recommended if the device will be part of a shared cart or lab.|
|Optimize device for a single student, instead of a shared cart or lab |X|X|X|Optimizes the device for use by a single student, rather than many students. |Recommended option only if the device is not shared with other students in the school. Single-optimized accounts are set to expire, and require a signin, 180 days after setup. This setting increases the maximum PC storage to 100% of the available disk space. In this case, student accounts aren't deleted unless the account has been inactive for 180 days. |
|Let guests sign in to these PCs |X|X|X|Allows guests to use student PCs without a school account. |Common to use within a public, shared space, such as a library. Also used when a student loses their password. Adds a **Guest** account to the PC sign-in screen that anyone can sign in to.|
|Enable Autopilot Reset |Not available|X|X| Lets you remotely reset a students PC from the lock screen, apply the devices original settings, and enroll it in device management (Azure AD and MDM). |Requires Windows 10, version 1709 and WinRE must be enabled on the PC. Setup will fail if both requirements aren't met.|
|Lock screen background|X|X|X|Change the default screen lock background to a custom image.|Click **Browse** to search for an image file on your computer. Accepted image formats are jpg, jpeg, and png.|
### Take a Test app
After you've made your selections, click **Next**.
![Configure student PC settings page showing 5 settings, with two settings selected. Lock screen background image is the default image. Cursor is hovering over the blue Next button.](images/suspc-current-os-version-next-1807.png)
### Time zone
> [!WARNING]
> If you are using the Autounattend.xml file to reimage your school PCs, do not specify a time zone in the file. If you set the time zone in the file *and* in this app, you will encounter an error.
Choose the time zone where your school's PCs are used. This setting ensures that all PCs are provisioned in the same time zone. When you're done, click **Next**.
![Choose PC time zone page with the time zone menu expanded to show all time zone selections.](images/suspc-time-zone-1807.png)
### Take a Test
Set up the Take a Test app to give online quizzes and high-stakes assessments. During assessments, Windows locks down the student PC so that students can't access anything else on the device.
1. Select **Yes** to create a Take a Test button on the sign-in screens of your students' PCs.
![Set up Take a Test app page with "Yes" selected to create an app button. Page also has two checkboxes for additional settings and one text field for the assessment URL.](images/suspc_createpackage_takeatestpage_073117.png)
2. Select from the advanced settings. The following table lists available settings and their descriptions.
|Setting |Description |
|---------|---------|
|Allow keyboard auto-suggestions | Allows app to suggest words as the student types on the PC's keyboard. |
|Allow teachers to monitor online tests | Enables screen capture in the Take a Test app. |
![Set up Take a Test app page with "Yes" selected to create an app button. Page also has two checkboxes for additional settings and one text field for the assessment URL.](images/suspc-take-a-test-1807.png)
2. Select from the advanced settings. Available settings inclue:
* Allow keyboard auto-suggestions: Allows app to suggest words as the student types on the PC's keyboard.
* Allow teachers to monitor online tests: Enables screen capture in the Take a Test app.
3. Enter the URL where the test is hosted. When students log in to the Take a Test account, they'll be able to click or enter the link to view the assessment.
4. Click **Next**.
### Add recommended apps
### Recommended apps
Choose from a list of recommended Microsoft Store apps to install on student PCs. Then click **Next**. After they're assigned, apps are pinned to the student's Start menu.
![Add recommended apps screen with 7 icons of recommended apps and selection boxes. Skip button is enabled and Next button is disabled. ](images/suspc-add-recommended-apps-1807.png)
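Review bot: The new paragraph under **Settings** says the example screenshot shows the settings available "when you select **Windows 10 version 1703**", but the image's alt text says "with Windows 10 version 1803 selected"; one of the two needs correcting. The new `[!NOTE]` also points to "the screenshot below" although the image it describes now sits above it. Smaller points in the same hunk: "Available settings inclue:" has a typo, and the Autopilot Reset row still reads "a students PC" and "the devices original settings" without apostrophes.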
@ -186,23 +200,25 @@ The following table lists the recommended apps you'll see.
|Minecraft: Education Edition | Free trial|
|Other apps fit for the classroom |Select from WeDo 2.0 LEGO®, Arduino IDE, Ohbot, Sesavis Visual, and EV3 Programming|
If you receive an error and are unable to add the selected apps, click **Skip**. Contact your IT admin to get these apps later.
### Summary
1. Review all of the settings for accuracy and completeness. Check carefully. To make changes to a saved package, you have to start over.
2. To make changes now, click any page along the left side of the window.
3. When finished, click **Accept**.
![Example image of the Summary screen, showing the user's configurations for Sign-in, Wireless network, Device names, Settings, Take a Test, and Recommended apps. Accept button is active and the page contains three links on the right-hand side to help and support.](images/suspc_createpackage_summary_073117.png)
![Example image of the Summary screen, showing the user's configurations for Sign-in, Wireless network, Device names, Settings, Time zone, Take a Test. Accept button is available and the page contains three links on the right-hand side to help and support.](images/suspc-createpackage-summary-1807.png)
### Insert USB
1. Insert a USB drive. The **Save** button will light up when your computer detects the USB.
2. Choose your USB drive from the list and click **Save**.
![Insert a USB drive now screen with USB drive selection highlighted. Save button is blue and active.](images/suspc_savepackage_insertusb.png)
![Insert a USB drive now screen with USB drive selection highlighted. Save button is blue and active.](images/suspc-savepackage-insertusb-1807.png)
3. When the package is ready, you'll see the filename and package expiration date. You can also click **Add a USB** to save the same provisioning package to another USB drive. When you're done, remove the USB drive and click **Next**.
![Your provisioning package is ready screen with package details, active Next button, and grayed-out Add a USB button.](images/suspc_savepackage_ppkgisready.png)
![Your provisioning package is ready screen with package filename and expiration date. Shows an active blue, Next button, and a gray Add a USB button.](images/suspc-savepackage-ppkgisready-1807.png)
## Run package - Get PCs ready
Complete each step on the **Get PCs ready** page to prepare student PCs for set-up. Then click **Next**.
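Review bot: The updated alt text for the Summary screenshot lists "Sign-in, Wireless network, Device names, Settings, Time zone, Take a Test" and drops "Recommended apps", even though the **Recommended apps** step is still part of the flow in this file. If the new screenshot shows that page in the sidebar, add it back to the alt text. The added sentence "Contact your IT admin to get these apps later" may also need a second look, because earlier context in this file describes the person running the app as the IT administrator or a technical teacher.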
@ -231,8 +247,8 @@ When used in context of the Set up School PCs app, the word *package* refers to
![Screen with message telling user to remove the USB drive.](images/suspc_setup_removemediamessage.png)
4. If you did not set up the package to do Azure AD Join, go through the rest of the Windows device setup experience. If you did configure the package for Azure AD Join, the computer is ready for use and no further configurations are required.
4. If you didn't set up the package with Azure AD Join, continue the Windows device setup experience. If you did configure the package with Azure AD Join, the computer is ready for use and no further configurations are required.
If successful, you'll see a setup complete message. The PCs start up on the lock screen with your school's custom background. Upon first use, students and teachers will be able to connect to your school's network and resources.
If successful, you'll see a setup complete message. The PCs start up on the lock screen, with your school's custom background. Upon first use, students and teachers can connect to your school's network and resources.

View File

@ -9,7 +9,7 @@ ms.pagetype: devices
author: jdeckerms
ms.localizationpriority: medium
ms.author: jdecker
ms.date: 11/28/2017
ms.date: 08/02/2018
---
# Connect to remote Azure Active Directory-joined PC
@ -45,6 +45,9 @@ From its release, Windows 10 has supported remote connections to PCs that are jo
4. Enter **Authenticated Users**, then click **Check Names**. If the **Name Not Found** window opens, click **Locations** and select this PC.
>[!TIP]
>When you connect to the remote PC, enter your account name in this format: `AzureADName\YourAccountName`.
## Supported configurations
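Review bot: The new tip gives the sign-in format as `AzureADName\YourAccountName` without saying what either placeholder stands for. State whether `AzureADName` is a literal prefix or the organization's directory name, and whether `YourAccountName` is the full sign-in address or only the user name, so readers do not have to guess at a credential prompt.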

View File

@ -366,7 +366,7 @@ This setting allows the IT admin to set an app to be nonremovable, or unable to
NonRemovable requires admin permission. This can only be set per device, not per user. You can query the setting using AppInventoryQuery or AppInventoryResults.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
Value type is integer. Supported operations are Add, Get, and Replace.
Valid values:
- 0 app is not in the nonremovable app policy list
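Review bot: With Delete removed from the supported operations for NonRemovable, the text no longer tells an admin how to take an app back out of the nonremovable list. The valid values below include "0 app is not in the nonremovable app policy list", so consider adding a sentence that the setting is cleared with a Replace to 0, if that is the intended behavior.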

View File

@ -495,7 +495,6 @@ The XML below is for Windows 10, next major version.
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<DFFormat>

View File

@ -27,6 +27,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
- [What's new in Windows 10, version 1703](#whatsnew10)
- [What's new in Windows 10, version 1709](#whatsnew1709)
- [What's new in Windows 10, version 1803](#whatsnew1803)
- [What's new in Windows 10, next major version](#whatsnewnext)
- [Change history in MDM documentation](#change-history-in-mdm-documentation)
- [Breaking changes and known issues](#breaking-changes-and-known-issues)
- [Get command inside an atomic command is not supported](#getcommand)
@ -1357,6 +1358,101 @@ For details about Microsoft mobile device management protocols for Windows 10 s
</tbody>
</table>
## <a href="" id="whatsnewnext"></a>What's new in Windows 10, next major version
<table class="mx-tdBreakAll">
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<thead>
<tr class="header">
<th>New or updated topic</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
<td style="vertical-align:top"><p>Added the following new policies in Windows 10, next major version:</p>
<ul>
<li>ApplicationManagement/LaunchAppAfterLogOn</li>
<li>ApplicationManagement/ScheduleForceRestartForUpdateFailures </li>
<li>Authentication/EnableFastFirstSignIn</li>
<li>Authentication/EnableWebSignIn</li>
<li>Authentication/PreferredAadTenantDomainName</li>
<li>Defender/CheckForSignaturesBeforeRunningScan</li>
<li>Defender/DisableCatchupFullScan </li>
<li>Defender/DisableCatchupQuickScan </li>
<li>Defender/EnableLowCPUPriority</li>
<li>Defender/SignatureUpdateFallbackOrder</li>
<li>Defender/SignatureUpdateFileSharesSources</li>
<li>DeviceGuard/EnableSystemGuard</li>
<li>DeviceInstallation/AllowInstallationOfMatchingDeviceIDs</li>
<li>DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses</li>
<li>DeviceInstallation/PreventDeviceMetadataFromNetwork</li>
<li>DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings</li>
<li>DmaGuard/DeviceEnumerationPolicy</li>
<li>Experience/AllowClipboardHistory</li>
<li>Experience/DoNotSyncBrowserSetting</li>
<li>Experience/PreventUsersFromTurningOnBrowserSyncing</li>
<li>Security/RecoveryEnvironmentAuthentication</li>
<li>TaskManager/AllowEndTask</li>
<li>Update/EngagedRestartDeadlineForFeatureUpdates</li>
<li>Update/EngagedRestartSnoozeScheduleForFeatureUpdates</li>
<li>Update/EngagedRestartTransitionScheduleForFeatureUpdates</li>
<li>Update/SetDisablePauseUXAccess</li>
<li>Update/SetDisableUXWUAccess</li>
<li>WindowsDefenderSecurityCenter/DisableClearTpmButton</li>
<li>WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning</li>
<li>WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl</li>
<li>WindowsLogon/DontDisplayNetworkSelectionUI</li>
</ul>
</td></tr>
<tr>
<td style="vertical-align:top">[PassportForWork CSP](passportforwork-csp.md)</td>
<td style="vertical-align:top"><p>Added new settings in Windows 10, next major version.</p>
</td></tr>
<tr>
<td style="vertical-align:top">[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)</td>
<td style="vertical-align:top"><p>Added NonRemovable setting under AppManagement node in Windows 10, next major version.</p>
</td></tr>
<tr>
<td style="vertical-align:top">[Win32CompatibilityAppraiser CSP](win32compatibilityappraiser-csp.md)</td>
<td style="vertical-align:top"><p>Added new configuration service provider in Windows 10, next major version.</p>
</td></tr>
<tr>
<td style="vertical-align:top">[WindowsLicensing CSP](windowslicensing-csp.md)</td>
<td style="vertical-align:top"><p>Added S mode settings and SyncML examples in Windows 10, next major version.</p>
</td></tr>
<tr>
<td style="vertical-align:top">[SUPL CSP](supl-csp.md)</td>
<td style="vertical-align:top"><p>Added 3 new certificate nodes in Windows 10, next major version.</p>
</td></tr>
<tr>
<td style="vertical-align:top">[Defender CSP](defender-csp.md)</td>
<td style="vertical-align:top"><p>Added a new node Health/ProductStatus in Windows 10, next major version.</p>
</td></tr>
<tr>
<td style="vertical-align:top">[BitLocker CSP](bitlocker-csp.md)</td>
<td style="vertical-align:top"><p>Added a new node AllowStandardUserEncryption in Windows 10, next major version.</p>
</td></tr>
<tr>
<td style="vertical-align:top">[DevDetail CSP](devdetail-csp.md)</td>
<td style="vertical-align:top"><p>Added a new node SMBIOSSerialNumber in Windows 10, next major version.</p>
</td></tr>
<tr>
<td style="vertical-align:top">[Wifi CSP](wifi-csp.md)</td>
<td style="vertical-align:top"><p>Added a new node WifiCost in Windows 10, next major version.</p>
</td></tr>
<tr>
<td style="vertical-align:top">[WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)</td>
<td style="vertical-align:top"><p>Added new settings in Windows 10, next major version.</p>
</td></tr>
</tbody>
</table>
## Breaking changes and known issues
### <a href="" id="getcommand"></a>Get command inside an atomic command is not supported
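Review bot: The Policy CSP list in the new "next major version" table does not mention Privacy/DisablePrivacyExperience or PreventTurningOffRequiredExtensions, both of which are added to the Policy DDF file in this same commit. Confirm whether they belong in this list. Several `<li>` entries also carry a trailing space before the closing tag (for example "ScheduleForceRestartForUpdateFailures </li>" and "DisableCatchupFullScan </li>"), which is worth trimming.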
@ -1623,6 +1719,35 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
## Change history in MDM documentation
### August 2018
<table class="mx-tdBreakAll">
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<thead>
<tr class="header">
<th>New or updated topic</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td style="vertical-align:top">[WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)</td>
<td style="vertical-align:top"><p>Added new settings in Windows 10, next major version.</p>
</td></tr>
<tr>
<td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
<td style="vertical-align:top"><p>Added the following new policies in Windows 10, next major version:</p>
<ul>
<li>Experience/DoNotSyncBrowserSetting</li>
<li>Experience/PreventUsersFromTurningOnBrowserSyncing</li>
</ul>
</td></tr>
</tbody>
</table>
### July 2018
<table class="mx-tdBreakAll">
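Review bot: The August 2018 change history entry lists only the WindowsDefenderApplicationGuard CSP settings and two Experience policies. This commit also removes Delete from the supported operations of the NonRemovable setting in the EnterpriseModernAppManagement CSP and changes nodes in the Policy DDF file; if those count as August changes, add rows for them so the history matches what shipped.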
@ -1729,7 +1854,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<tbody>
<tr>
<td style="vertical-align:top">[Wifi CSP](wifi-csp.md)</td>
<td style="vertical-align:top"><p>Added a new node WifiCost.</p>
<td style="vertical-align:top"><p>Added a new node WifiCost in Windows 10, next major version.</p>
</td></tr>
<tr>
<td style="vertical-align:top">[Diagnose MDM failures in Windows 10](diagnose-mdm-failures-in-windows-10.md)</td>
@ -1741,7 +1866,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
</td></tr>
<tr>
<td style="vertical-align:top">[Bitlocker CSP](bitlocker-csp.md)</td>
<td style="vertical-align:top"><p>Added new node AllowStandardUserEncryption.</p>
<td style="vertical-align:top"><p>Added new node AllowStandardUserEncryption in Windows 10, next major version.</p>
</td></tr>
<tr>
<td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>

View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 07/03/2018
ms.date: 08/03/2018
---
# Policy DDF file
@ -1406,30 +1406,6 @@ Related policy:
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ForceEnabledExtensions</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>This setting lets you decide which extensions should be always enabled.</Description>
<DFFormat>
<chr/>
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>HomePages</NodeName>
<DFProperties>
@ -1654,6 +1630,47 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>PreventTurningOffRequiredExtensions</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any available enterprise deployment channel, such as Microsoft Intune. When you enable this policy, users cannot uninstall extensions from their computer, but they can configure options for extensions defined in this policy, such as allow for InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically.
When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft.OneNoteWebClipper_8wekyb3d8bbwe;Microsoft.OfficeOnline_8wekyb3d8bbwe prevents a user from turning off the OneNote Web Clipper and Office Online extension.
When enabled, removing extensions from the list does not uninstall the extension from the users computer automatically. To uninstall the extension, use any available enterprise deployment channel.
If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension.
If disabled or not configured, extensions defined as part of this policy get ignored.
Default setting: Disabled or not configured
Related policies: Allow Developer Tools
Related Documents:
- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/en-us/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn)
- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/en-us/intune/windows-store-for-business)
- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/en-us/intune/apps-deploy)
- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/en-us/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/en-us/intune/lob-apps-windows)</Description>
<DFFormat>
<chr/>
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>PreventUsingLocalHostIPAddressForWebRTC</NodeName>
<DFProperties>
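Review bot: The Description for PreventTurningOffRequiredExtensions buries its two security-relevant caveats in the middle of a long paragraph: permissions requested by future extension updates are granted automatically, and enabling Allow Developer Tools still lets users debug and alter the extension's logic. Suggest moving both into their own clearly marked sentences near the top so an administrator sees them before pinning an extension. Wording also needs a pass: "gets granted automatically" should be "are granted automatically", "the users computer" should be "the user's computer", and "semi-colon delimited" should be "semicolon-delimited". The same text is repeated in the other PreventTurningOffRequiredExtensions nodes in this patch, so the fix has to be applied to each copy.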
@ -8614,6 +8631,52 @@ Related policy:
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Privacy</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>DisablePrivacyExperience</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Enabling this policy prevents the privacy experience from launching during user logon for new and upgraded users.</Description>
<DFFormat>
<int/>
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Security</NodeName>
<DFProperties>
@ -10528,34 +10591,6 @@ Related policy:
<MSFT:ConflictResolution>LastWrite</MSFT:ConflictResolution>
</DFProperties>
</Node>
<Node>
<NodeName>ForceEnabledExtensions</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue></DefaultValue>
<Description>This setting lets you decide which extensions should be always enabled.</Description>
<DFFormat>
<chr/>
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:NotSupportedOnPlatform>phone</MSFT:NotSupportedOnPlatform>
<MSFT:ADMXMapped>MicrosoftEdge.admx</MSFT:ADMXMapped>
<MSFT:ADMXMappedElement>ForceEnabledExtensions_List</MSFT:ADMXMappedElement>
<MSFT:ADMXCategory>MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge</MSFT:ADMXCategory>
<MSFT:ADMXPolicyName>ForceEnabledExtensions</MSFT:ADMXPolicyName>
<MSFT:ConflictResolution>LastWrite</MSFT:ConflictResolution>
</DFProperties>
</Node>
<Node>
<NodeName>HomePages</NodeName>
<DFProperties>
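Review bot: ForceEnabledExtensions is deleted outright here, including its ADMX mapping (ForceEnabledExtensions_List), with no deprecation note. The same patch adds PreventTurningOffRequiredExtensions mapped to PreventTurningOffRequiredExtensions_Prompt; if that is the replacement, say so in the change history so that profiles still targeting the old node name are found and updated rather than silently no longer applying.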
@ -10806,6 +10841,51 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
<MSFT:ConflictResolution>HighestValueMostSecure</MSFT:ConflictResolution>
</DFProperties>
</Node>
<Node>
<NodeName>PreventTurningOffRequiredExtensions</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue></DefaultValue>
<Description>You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any available enterprise deployment channel, such as Microsoft Intune. When you enable this policy, users cannot uninstall extensions from their computer, but they can configure options for extensions defined in this policy, such as allow for InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically.
When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft.OneNoteWebClipper_8wekyb3d8bbwe;Microsoft.OfficeOnline_8wekyb3d8bbwe prevents a user from turning off the OneNote Web Clipper and Office Online extension.
When enabled, removing extensions from the list does not uninstall the extension from the users computer automatically. To uninstall the extension, use any available enterprise deployment channel.
If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension.
If disabled or not configured, extensions defined as part of this policy get ignored.
Default setting: Disabled or not configured
Related policies: Allow Developer Tools
Related Documents:
- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/en-us/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn)
- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/en-us/intune/windows-store-for-business)
- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/en-us/intune/apps-deploy)
- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/en-us/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/en-us/intune/lob-apps-windows)</Description>
<DFFormat>
<chr/>
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:NotSupportedOnPlatform>phone</MSFT:NotSupportedOnPlatform>
<MSFT:ADMXMapped>MicrosoftEdge.admx</MSFT:ADMXMapped>
<MSFT:ADMXMappedElement>PreventTurningOffRequiredExtensions_Prompt</MSFT:ADMXMappedElement>
<MSFT:ADMXCategory>MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge</MSFT:ADMXCategory>
<MSFT:ADMXPolicyName>PreventTurningOffRequiredExtensions</MSFT:ADMXPolicyName>
<MSFT:ConflictResolution>LastWrite</MSFT:ConflictResolution>
</DFProperties>
</Node>
<Node>
<NodeName>PreventUsingLocalHostIPAddressForWebRTC</NodeName>
<DFProperties>
@ -18546,6 +18626,54 @@ Related policy:
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Privacy</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>DisablePrivacyExperience</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>Enabling this policy prevents the privacy experience from launching during user logon for new and upgraded users.</Description>
<DFFormat>
<int/>
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:SupportedValues low="0" high="1"></MSFT:SupportedValues>
<MSFT:NotSupportedOnPlatform>phone</MSFT:NotSupportedOnPlatform>
<MSFT:ADMXMapped>OOBE.admx</MSFT:ADMXMapped>
<MSFT:ADMXCategory>OOBE~AT~WindowsComponents~OOBE</MSFT:ADMXCategory>
<MSFT:ADMXPolicyName>DisablePrivacyExperience</MSFT:ADMXPolicyName>
<MSFT:ConflictResolution>LowestValueMostSecure</MSFT:ConflictResolution>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Security</NodeName>
<DFProperties>
@ -22272,30 +22400,6 @@ Related policy:
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ForceEnabledExtensions</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>This setting lets you decide which extensions should be always enabled.</Description>
<DFFormat>
<chr/>
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>HomePages</NodeName>
<DFProperties>
@ -22520,6 +22624,47 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>PreventTurningOffRequiredExtensions</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any available enterprise deployment channel, such as Microsoft Intune. When you enable this policy, users cannot uninstall extensions from their computer, but they can configure options for extensions defined in this policy, such as allow for InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically.
When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft.OneNoteWebClipper_8wekyb3d8bbwe;Microsoft.OfficeOnline_8wekyb3d8bbwe prevents a user from turning off the OneNote Web Clipper and Office Online extension.
When enabled, removing extensions from the list does not uninstall the extension from the users computer automatically. To uninstall the extension, use any available enterprise deployment channel.
If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension.
If disabled or not configured, extensions defined as part of this policy get ignored.
Default setting: Disabled or not configured
Related policies: Allow Developer Tools
Related Documents:
- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/en-us/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn)
- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/en-us/intune/windows-store-for-business)
- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/en-us/intune/apps-deploy)
- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/en-us/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/en-us/intune/lob-apps-windows)</Description>
<DFFormat>
<chr/>
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>PreventUsingLocalHostIPAddressForWebRTC</NodeName>
<DFProperties>
@ -27063,7 +27208,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
</DFProperties>
</Node>
<Node>
<NodeName>DoNotSyncBrowserSetting</NodeName>
<NodeName>DoNotSyncBrowserSettings</NodeName>
<DFProperties>
<AccessType>
<Add />
@ -27098,7 +27243,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
<Replace />
</AccessType>
<Description>You can configure Microsoft Edge to allow users to turn on the Sync your Settings option to sync information, such as history and favorites, between user&apos;s devices. When enabled and you enable the Do not sync browser setting policy, browser settings sync automatically. If disabled, users have the option to sync the browser settings.
Related policy: DoNotSyncBrowserSetting
Related policy: DoNotSyncBrowserSettings
1 (default) = Do not allow users to turn on syncing, 0 = Allows users to turn on syncing</Description>
<DFFormat>
<int/>
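Review bot: The "Related policy" line is updated to DoNotSyncBrowserSettings, but the sentence above it still refers to "the Do not sync browser setting policy", so the two names in one Description no longer match. That sentence also says that when the policy is enabled "browser settings sync automatically", which reads as the opposite of the value line "1 (default) = Do not allow users to turn on syncing". Please confirm the intended behavior and reword the Description so the prose and the value list agree.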
@ -34352,38 +34497,6 @@ Default: Disabled.</Description>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Microsoft network server: Amount of idle time required before suspending a session
This security setting determines the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is suspended due to inactivity.
Administrators can use this policy to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished.
For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999, which is 208 days; in effect, this value disables the policy.
Default:This policy is not defined, which means that the system treats it as 15 minutes for servers and undefined for workstations.</Description>
<DFFormat>
<int/>
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>MicrosoftNetworkServer_DigitallySignCommunicationsAlways</NodeName>
<DFProperties>
@ -36623,6 +36736,30 @@ The options are:
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>DisablePrivacyExperience</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Enabling this policy prevents the privacy experience from launching during user logon for new and upgraded users.</Description>
<DFFormat>
<int/>
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>EnableActivityFeed</NodeName>
<DFProperties>
@ -41468,6 +41605,30 @@ Caution: If a Restricted Groups policy is applied, any current member not on the
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>AllowDeviceNameInDiagnosticData</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>This policy allows the device name to be sent to Microsoft as part of Windows diagnostic data. If you disable or do not configure this policy setting, then device name will not be sent to Microsoft as part of Windows diagnostic data.</Description>
<DFFormat>
<int/>
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>AllowEmbeddedMode</NodeName>
<DFProperties>
@ -44073,7 +44234,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the
</DFProperties>
</Node>
<Node>
<NodeName>UpdateNotificationKioskMode</NodeName>
<NodeName>UpdateNotificationLevel</NodeName>
<DFProperties>
<AccessType>
<Add />
@ -49551,34 +49712,6 @@ Related policy:
<MSFT:ConflictResolution>LastWrite</MSFT:ConflictResolution>
</DFProperties>
</Node>
<Node>
<NodeName>ForceEnabledExtensions</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue></DefaultValue>
<Description>This setting lets you decide which extensions should be always enabled.</Description>
<DFFormat>
<chr/>
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:NotSupportedOnPlatform>phone</MSFT:NotSupportedOnPlatform>
<MSFT:ADMXMapped>MicrosoftEdge.admx</MSFT:ADMXMapped>
<MSFT:ADMXMappedElement>ForceEnabledExtensions_List</MSFT:ADMXMappedElement>
<MSFT:ADMXCategory>MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge</MSFT:ADMXCategory>
<MSFT:ADMXPolicyName>ForceEnabledExtensions</MSFT:ADMXPolicyName>
<MSFT:ConflictResolution>LastWrite</MSFT:ConflictResolution>
</DFProperties>
</Node>
<Node>
<NodeName>HomePages</NodeName>
<DFProperties>
@ -49829,6 +49962,51 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
<MSFT:ConflictResolution>HighestValueMostSecure</MSFT:ConflictResolution>
</DFProperties>
</Node>
<Node>
<NodeName>PreventTurningOffRequiredExtensions</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue></DefaultValue>
<Description>You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any available enterprise deployment channel, such as Microsoft Intune. When you enable this policy, users cannot uninstall extensions from their computer, but they can configure options for extensions defined in this policy, such as allow for InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically.
When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft.OneNoteWebClipper_8wekyb3d8bbwe;Microsoft.OfficeOnline_8wekyb3d8bbwe prevents a user from turning off the OneNote Web Clipper and Office Online extension.
When enabled, removing extensions from the list does not uninstall the extension from the users computer automatically. To uninstall the extension, use any available enterprise deployment channel.
If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension.
If disabled or not configured, extensions defined as part of this policy get ignored.
Default setting: Disabled or not configured
Related policies: Allow Developer Tools
Related Documents:
- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/en-us/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn)
- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/en-us/intune/windows-store-for-business)
- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/en-us/intune/apps-deploy)
- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/en-us/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/en-us/intune/lob-apps-windows)</Description>
<DFFormat>
<chr/>
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:NotSupportedOnPlatform>phone</MSFT:NotSupportedOnPlatform>
<MSFT:ADMXMapped>MicrosoftEdge.admx</MSFT:ADMXMapped>
<MSFT:ADMXMappedElement>PreventTurningOffRequiredExtensions_Prompt</MSFT:ADMXMappedElement>
<MSFT:ADMXCategory>MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge</MSFT:ADMXCategory>
<MSFT:ADMXPolicyName>PreventTurningOffRequiredExtensions</MSFT:ADMXPolicyName>
<MSFT:ConflictResolution>LastWrite</MSFT:ConflictResolution>
</DFProperties>
</Node>
<Node>
<NodeName>PreventUsingLocalHostIPAddressForWebRTC</NodeName>
<DFProperties>
@ -54899,7 +55077,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
</DFProperties>
</Node>
<Node>
<NodeName>DoNotSyncBrowserSetting</NodeName>
<NodeName>DoNotSyncBrowserSettings</NodeName>
<DFProperties>
<AccessType>
<Get />
@ -54935,7 +55113,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
</AccessType>
<DefaultValue>1</DefaultValue>
<Description>You can configure Microsoft Edge to allow users to turn on the Sync your Settings option to sync information, such as history and favorites, between user&apos;s devices. When enabled and you enable the Do not sync browser setting policy, browser settings sync automatically. If disabled, users have the option to sync the browser settings.
Related policy: DoNotSyncBrowserSetting
Related policy: DoNotSyncBrowserSettings
1 (default) = Do not allow users to turn on syncing, 0 = Allows users to turn on syncing</Description>
<DFFormat>
<int/>
@ -63004,41 +63182,6 @@ Default: Disabled.</Description>
<MSFT:ConflictResolution>LastWrite</MSFT:ConflictResolution>
</DFProperties>
</Node>
<Node>
<NodeName>MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue>15</DefaultValue>
<Description>Microsoft network server: Amount of idle time required before suspending a session
This security setting determines the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is suspended due to inactivity.
Administrators can use this policy to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished.
For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999, which is 208 days; in effect, this value disables the policy.
Default:This policy is not defined, which means that the system treats it as 15 minutes for servers and undefined for workstations.</Description>
<DFFormat>
<int/>
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:SupportedValues low="0" high="99999"></MSFT:SupportedValues>
<MSFT:NotSupportedOnPlatform>phone</MSFT:NotSupportedOnPlatform>
<MSFT:GPRegistryMappedCategory>Windows Settings~Security Settings~Local Policies~Security Options</MSFT:GPRegistryMappedCategory>
<MSFT:GPRegistryMappedName>Microsoft network server: Amount of idle time required before suspending session</MSFT:GPRegistryMappedName>
<MSFT:ConflictResolution>LowestValueMostSecure</MSFT:ConflictResolution>
</DFProperties>
</Node>
<Node>
<NodeName>MicrosoftNetworkServer_DigitallySignCommunicationsAlways</NodeName>
<DFProperties>
@ -63402,7 +63545,7 @@ This setting can affect the ability of computers running Windows 2000 Server, Wi
<AccessType>
<Get />
</AccessType>
<DefaultValue>0</DefaultValue>
<DefaultValue>3</DefaultValue>
<Description>Network security LAN Manager authentication level
This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows:
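Review bot: DefaultValue moves from 0 to 3 for the LAN Manager authentication level, but the Description text is not touched in this hunk. Please confirm that the option list in the Description identifies level 3 as the default, so that the DDF value and the documented default agree; a reader auditing NTLM settings will compare the two.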
@ -63455,7 +63598,7 @@ Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send
<AccessType>
<Get />
</AccessType>
<DefaultValue>0</DefaultValue>
<DefaultValue>536870912</DefaultValue>
<Description>Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are:
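Review bot: The new DefaultValue 536870912 is a bit flag written in decimal (0x20000000), and nothing in the visible Description tells the reader which of the listed options it corresponds to. Suggest stating the default in the Description by option name and giving the hexadecimal value alongside, and doing the same for the matching server-side node that receives the same default later in this patch.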
@ -63493,7 +63636,7 @@ Windows 7 and Windows Server 2008 R2: Require 128-bit encryption</Description>
<AccessType>
<Get />
</AccessType>
<DefaultValue>0</DefaultValue>
<DefaultValue>536870912</DefaultValue>
<Description>Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are:
@ -65452,6 +65595,34 @@ The options are:
<MSFT:ConflictResolution>LowestValueMostSecureZeroHasNoLimits</MSFT:ConflictResolution>
</DFProperties>
</Node>
<Node>
<NodeName>DisablePrivacyExperience</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>Enabling this policy prevents the privacy experience from launching during user logon for new and upgraded users.</Description>
<DFFormat>
<int/>
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:SupportedValues low="0" high="1"></MSFT:SupportedValues>
<MSFT:NotSupportedOnPlatform>phone</MSFT:NotSupportedOnPlatform>
<MSFT:ADMXMapped>OOBE.admx</MSFT:ADMXMapped>
<MSFT:ADMXCategory>OOBE~AT~WindowsComponents~OOBE</MSFT:ADMXCategory>
<MSFT:ADMXPolicyName>DisablePrivacyExperience</MSFT:ADMXPolicyName>
<MSFT:ConflictResolution>LowestValueMostSecure</MSFT:ConflictResolution>
</DFProperties>
</Node>
<Node>
<NodeName>EnableActivityFeed</NodeName>
<DFProperties>
@ -69810,12 +69981,12 @@ Caution: If a Restricted Groups policy is applied, any current member not on the
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:SupportedValues low="0" high="1"></MSFT:SupportedValues>
<MSFT:SupportedValues low="0" high="3"></MSFT:SupportedValues>
<MSFT:NotSupportedOnPlatform>phone</MSFT:NotSupportedOnPlatform>
<MSFT:ADMXMapped>SmartScreen.admx</MSFT:ADMXMapped>
<MSFT:ADMXCategory>SmartScreen~AT~WindowsComponents~SmartScreen~Shell</MSFT:ADMXCategory>
<MSFT:ADMXPolicyName>ConfigureAppInstallControl</MSFT:ADMXPolicyName>
<MSFT:ConflictResolution>HighestValueMostSecure</MSFT:ConflictResolution>
<MSFT:ConflictResolution>LastWrite</MSFT:ConflictResolution>
</DFProperties>
</Node>
<Node>
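Review bot: For ConfigureAppInstallControl, ConflictResolution changes from HighestValueMostSecure to LastWrite at the same time as the supported range widens from 0-1 to 0-3. With LastWrite, whichever source writes the policy last wins, even when it sets a less restrictive value than another source. Please confirm this is intended (for example because values 0 to 3 are not ordered by strictness) and document the meaning of the new values 2 and 3 where this policy is described.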
@ -70823,6 +70994,34 @@ Caution: If a Restricted Groups policy is applied, any current member not on the
<MSFT:ConflictResolution>LowestValueMostSecure</MSFT:ConflictResolution>
</DFProperties>
</Node>
<Node>
<NodeName>AllowDeviceNameInDiagnosticData</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>This policy allows the device name to be sent to Microsoft as part of Windows diagnostic data. If you disable or do not configure this policy setting, then device name will not be sent to Microsoft as part of Windows diagnostic data.</Description>
<DFFormat>
<int/>
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:SupportedValues low="0" high="1"></MSFT:SupportedValues>
<MSFT:ADMXMapped>DataCollection.admx</MSFT:ADMXMapped>
<MSFT:ADMXMappedElement>AllowDeviceNameInDiagnosticData</MSFT:ADMXMappedElement>
<MSFT:ADMXCategory>DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds</MSFT:ADMXCategory>
<MSFT:ADMXPolicyName>AllowDeviceNameInDiagnosticData</MSFT:ADMXPolicyName>
<MSFT:ConflictResolution>LowestValueMostSecure</MSFT:ConflictResolution>
</DFProperties>
</Node>
<Node>
<NodeName>AllowEmbeddedMode</NodeName>
<DFProperties>
@ -72934,7 +73133,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:SupportedValues low="2" high="30"></MSFT:SupportedValues>
<MSFT:SupportedValues low="0" high="30"></MSFT:SupportedValues>
<MSFT:ADMXMapped>WindowsUpdate.admx</MSFT:ADMXMapped>
<MSFT:ADMXMappedElement>EngagedRestartTransitionSchedule</MSFT:ADMXMappedElement>
<MSFT:ADMXCategory>WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat</MSFT:ADMXCategory>
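Review bot: The lower bound for EngagedRestartTransitionSchedule drops from 2 to 0, but nothing in the hunk says what 0 means. If 0 is a sentinel (for example "not configured" or "use the default") rather than a literal number of days, state that in the policy description; otherwise administrators can now set a transition period of zero without knowing the effect. The same question applies to EngagedRestartTransitionScheduleForFeatureUpdates in the next hunk.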
@ -72962,7 +73161,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:SupportedValues low="2" high="30"></MSFT:SupportedValues>
<MSFT:SupportedValues low="0" high="30"></MSFT:SupportedValues>
<MSFT:ADMXMapped>WindowsUpdate.admx</MSFT:ADMXMapped>
<MSFT:ADMXMappedElement>EngagedRestartTransitionScheduleForFeatureUpdates</MSFT:ADMXMappedElement>
<MSFT:ADMXCategory>WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat</MSFT:ADMXCategory>
@ -73677,7 +73876,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the
</DFProperties>
</Node>
<Node>
<NodeName>UpdateNotificationKioskMode</NodeName>
<NodeName>UpdateNotificationLevel</NodeName>
<DFProperties>
<AccessType>
<Get />
@ -73699,7 +73898,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the
<MSFT:SupportedValues low="0" high="2"></MSFT:SupportedValues>
<MSFT:ADMXMapped>WindowsUpdate.admx</MSFT:ADMXMapped>
<MSFT:ADMXCategory>WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat</MSFT:ADMXCategory>
<MSFT:ADMXPolicyName>UpdateNotificationKioskMode</MSFT:ADMXPolicyName>
<MSFT:ADMXPolicyName>UpdateNotificationLevel</MSFT:ADMXPolicyName>
<MSFT:ConflictResolution>LastWrite</MSFT:ConflictResolution>
</DFProperties>
</Node>
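Review bot: Renaming the node and ADMXPolicyName from UpdateNotificationKioskMode to UpdateNotificationLevel changes the path that management profiles address. Please add a line to the change history naming both the old and new node so that existing profiles referencing UpdateNotificationKioskMode can be located and updated.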

View File

@ -41,7 +41,7 @@ The following diagram shows the Reboot configuration service provider management
<p style="margin-left: 20px">The supported operations are Get, Add, Replace, and Delete.</p>
<a href="" id="schedule-dailyrecurrent"></a>**Schedule/DailyRecurrent**
<p style="margin-left: 20px">This node will execute a reboot each day at a scheduled time starting at the configured starting time and date. Setting a null (empty) date will delete the existing schedule. The date and time value is ISO8601, and both the date and time are required. For example: 2015-12-15T07:36:25Z</p>
<p style="margin-left: 20px">This node will execute a reboot each day at a scheduled time starting at the configured starting time and date. Setting a null (empty) date will delete the existing schedule. The date and time value is ISO8601, and both the date and time are required. The CSP will return the date time in the following format: 2018-06-29T10:00:00+01:00. </p>
<p style="margin-left: 20px">The supported operations are Get, Add, Replace, and Delete.</p>
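Review bot: The rewritten Schedule/DailyRecurrent paragraph drops the example of a value the administrator sets (2015-12-15T07:36:25Z) and keeps only the format the CSP returns (2018-06-29T10:00:00+01:00). The two differ in how the offset is written (Z versus +01:00), so please keep an input example alongside the returned format and say whether an offset form is also accepted on Add/Replace. There is also a stray space before the closing p tag.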

View File

@ -10,13 +10,19 @@ ms.localizationpriority: medium
author: jdeckerms
ms.author: jdecker
ms.topic: article
ms.date: 07/30/2018
ms.date: 08/03/2018
---
# Change history for Configure Windows 10
This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile.
## August 2018
New or changed topic | Description
--- | ---
[Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) | Added instructions for specifying multiple URLs in configuration settings for Kiosk Browser.
## July 2018
New or changed topic | Description

View File

@ -9,7 +9,7 @@ author: jdeckerms
ms.localizationpriority: medium
ms.author: jdecker
ms.topic: article
ms.date: 07/30/2018
ms.date: 08/03/2018
---
# Guidelines for choosing an app for assigned access (kiosk mode)
@ -59,14 +59,25 @@ In Windows 10, version 1803, you can install the **Kiosk Browser** app from Micr
Kiosk Browser settings | Use this setting to
--- | ---
Blocked URL Exceptions | Specify URLs that people can navigate to, even though the URL is in your blocked URL list. You can use wildcards. Separate multiple URLs using `&#xF000;`.<br><br>For example, if you want people to be limited to `contoso.com` only, you would add `contoso.com` to blocked URL exception list and then block all other URLs.
Blocked URLs | Specify URLs that people can't navigate to. You can use wildcards. Separate multiple URLs using `&#xF000;`.<br><br>If you want to limit people to a specific site, add `https://*` to the blocked URL list, and then specify the site to be allowed in the blocked URL exceptions list.
Blocked URL Exceptions | Specify URLs that people can navigate to, even though the URL is in your blocked URL list. You can use wildcards. <br><br>For example, if you want people to be limited to `contoso.com` only, you would add `contoso.com` to blocked URL exception list and then block all other URLs.
Blocked URLs | Specify URLs that people can't navigate to. You can use wildcards. <br><br>If you want to limit people to a specific site, add `https://*` to the blocked URL list, and then specify the site to be allowed in the blocked URL exceptions list.
Default URL | Specify the URL that Kiosk Browser will open with. **Tip!** Make sure your blocked URLs don't include your default URL.
Enable End Session Button | Show a button in Kiosk Browser that people can use to reset the browser. End Session will clear all browsing data and navigate back to the default URL.
Enable Home Button | Show a Home button in Kiosk Browser. Home will return the browser to the default URL.
Enable Navigation Buttons | Show forward and back buttons in Kiosk Browser.
Restart on Idle Time | Specify when Kiosk Browser should restart in a fresh state after an amount of idle time since the last user interaction.
>[!IMPORTANT]
>To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in Windows Configuration Designer:
>
> 1. Create the provisioning package. When ready to export, close the project in Windows Configuration Designer.
>2. Open the customizations.xml file in the project folder (e.g C:\Users\name\Documents\Windows Imaging and Configuration Designer (WICD)\Project_18).
>3. Insert the null character string in between each URL (e.g www.bing.com&#xF000;www.contoso.com).
>4. Save the XML file.
>5. Open the project again in Windows Configuration Designer.
>6. Export the package. Ensure you do not revisit the created policies under Kiosk Browser or else the null character will be removed.
>[!TIP]
>To enable the **End Session** button for Kiosk Browser in Intune, you must [create a custom OMA-URI policy](https://docs.microsoft.com/intune/custom-settings-windows-10) with the following information:
>- OMA-URI: ./Vendor/MSFT/Policy/Config/KioskBrowser/EnableEndSessionButton
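
Review bot: The **Blocked URLs** row tells admins to add `https://*` to the blocked list to confine people to one site, while the digital signage procedure in this same commit enters `*` in **BlockedUrl**. If the wildcard is matched against the full URL, `https://*` leaves `http://` addresses outside the block, so please confirm the matching behaviour and use one pattern in both places. In the [!IMPORTANT] steps, step 3 calls `&#xF000;` a "null character string", but that entity is the character U+F000, not a null; name the separator explicitly, for example "insert `&#xF000;` between each URL". Minor: "e.g" needs a period in steps 2 and 3, step 1 is written `> 1.` while the others are `>2.`, and the [!TIP] block starts directly after step 6 with no blank line, so the two alerts may render as one.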

View File

@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
ms.localizationpriority: high
ms.localizationpriority: medium
ms.date: 07/30/2018
---

View File

@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
ms.localizationpriority: high
ms.localizationpriority: medium
ms.date: 07/30/2018
---

View File

@ -8,7 +8,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: edu, security
author: jdeckerms
ms.localizationpriority: high
ms.localizationpriority: medium
ms.date: 07/30/2018
ms.author: jdecker
---

View File

@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
ms.localizationpriority: high
ms.localizationpriority: medium
ms.date: 07/30/2018
---

View File

@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
ms.localizationpriority: high
ms.localizationpriority: medium
ms.date: 07/30/2018
---

View File

@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
ms.localizationpriority: high
ms.localizationpriority: medium
ms.date: 07/30/2018
---

View File

@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
ms.localizationpriority: high
ms.localizationpriority: medium
ms.date: 07/30/2018
---

View File

@ -7,8 +7,8 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
ms.localizationpriority: high
ms.date: 07/30/2018
ms.localizationpriority: medium
ms.date: 08/03/2018
---
# Set up digital signs on Windows 10
@ -61,6 +61,10 @@ This procedure explains how to configure digital signage using Kiosk Browser on
- In **BlockedUrl**, enter `*`.
- In **DefaultUrl**, enter `https://www.contoso.com/menu`.
- Set **EnableEndSessionButton**, **EnableHomeButton**, and **EnableNavigationButtons** to **No**.
>[!TIP]
>For more information on kiosk browser settings, see [Guidelines for web browsers](guidelines-for-assigned-access-app.md#guidelines-for-web-browsers).
13. On the **File** menu, select **Save**, and select **OK** in the **Keep your info secure** dialog box.
14. On the **Export** menu, select **Provisioning package**.
15. Change the **Owner** to **IT Admin**, and select **Next**.
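
Review bot: The added [!TIP] sits between the sub-bullets of the settings step and step 13 with no blank line on either side as shown here; check the rendered page to confirm the alert is indented under that step and that numbering continues at 13 rather than restarting. Also write "Kiosk Browser" with capitals in the tip text, matching how the procedure itself names the app.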

View File

@ -8,7 +8,7 @@ author: jdeckerMS
ms.localizationpriority: medium
ms.author: jdecker
ms.topic: article
ms.date: 04/30/2018
ms.date: 08/03/2018
---
# Policies (Windows Configuration Designer reference)
@ -290,13 +290,21 @@ These settings apply to the **Kiosk Browser** app available in Microsoft Store.
| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | --- | :---: | :---: | :---: | :---: | :---: |
[BlockedUrlExceptions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-blockedurlexceptions) | List of exceptions to the blocked website URLs (with wildcard support). Separate multiple URLs using `&#xF000;`. This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. | X | | | | |
[BlockedUrls](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-blockedurls) | List of blocked website URLs (with wildcard support). Separate multiple URLs using `&#xF000;`. This is used to configure blocked URLs kiosk browsers cannot navigate to. | X | | | | |
[BlockedUrlExceptions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-blockedurlexceptions) | List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. | X | | | | |
[BlockedUrls](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-blockedurls) | List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers cannot navigate to. | X | | | | |
[DefaultURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-defaulturl) | Configures the default URL kiosk browsers to navigate on launch and restart. | X | | | | |
[EnableHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enablehomebutton) | Enable/disable kiosk browser's home button. | X | | | | |
[EnableNavigationButtons](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enablenavigationbuttons) | Enable/disable kiosk browser's navigation buttons (forward/back). | X | | | | |
[RestartOnIdleTime](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-restartonidletime) | Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state. The value is an int 1-1440 that specifies the amount of minutes the session is idle until the kiosk browser restarts in a fresh state. The default value is empty which means there is no idle timeout within the kiosk browser. | X | | | | |
To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in Windows Configuration Designer:
1. Create the provisioning package. When ready to export, close the project in Windows Configuration Designer.
2. Open the customizations.xml file in the project folder (e.g C:\Users\name\Documents\Windows Imaging and Configuration Designer (WICD)\Project_18).
3. Insert the null character string in between each URL (e.g www.bing.com&#xF000;www.contoso.com).
4. Save the XML file.
5. Open the project again in Windows Configuration Designer.
6. Export the package. Ensure you do not revisit the created policies under Kiosk Browser or else the null character will be removed.
## Location
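
Review bot: With "Separate multiple URLs using `&#xF000;`" dropped from the **BlockedUrlExceptions** and **BlockedUrls** rows, the separator is now stated only inside step 3's example, where it is called a "null character string". `&#xF000;` is U+F000, not a null, so word the step as "insert `&#xF000;` between each URL" and keep a short pointer to the steps in the two table rows. The table also has no **EnableEndSessionButton** row, although the digital signage procedure in this commit sets that value in Windows Configuration Designer. Add a blank line before `## Location`. Since step 6 says that revisiting the Kiosk Browser policies removes the separator, a closing step that checks customizations.xml after the project is reopened would catch a URL list that has been collapsed into one entry.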

View File

@ -9,7 +9,7 @@ ms.pagetype: deploy
author: jaimeo
ms.author: jaimeo
ms.date: 07/20/2018
ms.localizationpriority: high
ms.localizationpriority: medium
---
# Frequently asked questions and troubleshooting Windows Analytics

View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
ms.date: 07/18/2018
ms.localizationpriority: high
ms.localizationpriority: medium
---
# SetupDiag

View File

@ -4,7 +4,7 @@ description: How to add devices to Windows Autopilot
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: high
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: deploy
author: coreyp-at-msft

View File

@ -4,7 +4,7 @@ description: How to configure Windows Autopilot deployment
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: high
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: deploy
author: coreyp-at-msft

View File

@ -7,7 +7,7 @@ ms.technology: Windows
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype:
ms.localizationpriority: high
ms.localizationpriority: medium
author: coreyp-at-msft
ms.author: coreyp
ms.date: 06/01/2018

View File

@ -4,7 +4,7 @@ description: How to configure Windows Autopilot deployment
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: high
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: deploy
author: coreyp-at-msft

View File

@ -4,7 +4,7 @@ description: Listing of Autopilot scenarios
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: high
ms.localizationpriority: low
ms.sitesec: library
ms.pagetype: deploy
author: coreyp-at-msft

View File

@ -7,7 +7,7 @@ ms.technology: Windows
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype:
ms.localizationpriority: high
ms.localizationpriority: medium
author: coreyp-at-msft
ms.author: coreyp
ms.date: 06/01/2018

View File

@ -4,7 +4,7 @@ description: This topic goes over Windows Autopilot and how it helps setup OOBE
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: high
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: deploy
author: coreyp-at-msft

View File

@ -4,7 +4,7 @@ description: Listing of Autopilot scenarios
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: high
ms.localizationpriority: low
ms.sitesec: library
ms.pagetype: deploy
author: coreyp-at-msft

View File

@ -4,7 +4,7 @@ description: Listing of Autopilot scenarios
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: high
ms.localizationpriority: low
ms.sitesec: library
ms.pagetype: deploy
author: coreyp-at-msft

View File

@ -4,7 +4,7 @@ description: Canonical Autopilot scenario
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: high
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: deploy
author: coreyp-at-msft

View File

@ -4,7 +4,7 @@ description: This topic goes over Windows Autopilot and how it helps setup OOBE
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: high
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: deploy
author: coreyp-at-msft

View File

@ -7,7 +7,7 @@ ms.technology: Windows
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype:
ms.localizationpriority: high
ms.localizationpriority: medium
author: coreyp-at-msft
ms.author: coreyp
ms.date: 06/01/2018

View File

@ -7,7 +7,7 @@ ms.technology: Windows
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype:
ms.localizationpriority: high
ms.localizationpriority: medium
author: coreyp-at-msft
ms.author: coreyp
ms.date: 06/01/2018

View File

@ -7,7 +7,7 @@ ms.technology: Windows
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype:
ms.localizationpriority: high
ms.localizationpriority: medium
author: coreyp-at-msft
ms.author: coreyp
ms.date: 06/01/2018

View File

@ -4,7 +4,7 @@ description: Listing of Autopilot scenarios
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: high
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: deploy
author: coreyp-at-msft
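
Review bot: `ms.localizationpriority: medium` here differs from the three other files in this commit whose description is also "Listing of Autopilot scenarios", which are all set to `low`; confirm which value is intended for the scenario listing pages. The identical `description` across these files is also worth making specific to each page.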

View File

@ -67,7 +67,7 @@ The Windows Hello for Business Group Policy object delivers the correct Group Po
#### Enable Windows Hello for Business
The Enable Windows Hello for Business Group Policy setting is the configuration needed for Windows to determine if a user should be attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is configured to enabled.
The Enable Windows Hello for Business Group Policy setting is the configuration needed for Windows to determine if a user should attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is configured to enabled.
You can configure the Enable Windows Hello for Business Group Policy setting for computer or users. Deploying this policy setting to computers results in ALL users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence.
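
Review bot: The corrected sentence still ends "configured to enabled", and the unchanged paragraph after it has "for computer or users" and "ALL users that sign-in that computer" (missing "to"); fix these in the same pass, for example "only if this policy setting is enabled" and "all users who sign in to that computer".
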
@ -163,7 +163,7 @@ Users must receive the Windows Hello for Business group policy settings and have
## Follow the Windows Hello for Business hybrid key trust deployment guide
1. [Overview](hello-hybrid-cert-trust.md)
2. [Prerequistes](hello-hybrid-key-trust-prereqs.md)
2. [Prerequisites](hello-hybrid-key-trust-prereqs.md)
3. [New Installation Baseline](hello-hybrid-key-new-install.md)
4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md)
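
Review bot: Item 1 of this list, `[Overview](hello-hybrid-cert-trust.md)`, points at the certificate trust overview while every other item in this key trust guide links to a `hello-hybrid-key-*` file; confirm the target and correct it alongside the "Prerequisites" spelling fix if it is a copy-and-paste leftover.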

View File

@ -26,7 +26,7 @@ When a service connects with the device identity, signing and encryption are sup
### Possible values
| Setting | Windows Server 2008 and Windows Vista | At least Windows Server 2008 R2 and Windows 7 |
| - | - |
| - | - | - |
| Enabled | Services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error.| Services running as Local System that use Negotiate will use the computer identity. This is the default behavior. |
| Disabled| Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. This is the default behavior.| Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously.|
|Neither|Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. | Services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error.|

View File

@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.localizationpriority: medium
ms.date: 07/16/2018
---

View File

@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.localizationpriority: medium
ms.date: 07/25/2018
---

View File

@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.localizationpriority: medium
ms.date: 07/01/2018
---

View File

@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.localizationpriority: medium
ms.date: 07/01/2018
---