mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-13 13:57:22 +00:00
Merge remote-tracking branch 'refs/remotes/origin/rs2' into jdrs2icd
commit
9d30f42c60
@ -1050,5 +1050,10 @@
|
|||||||
"redirect_url": "/itpro/windows/keep-secure/overview-of-threat-mitigations-in-windows-10",
|
"redirect_url": "/itpro/windows/keep-secure/overview-of-threat-mitigations-in-windows-10",
|
||||||
"redirect_document_id": true
|
"redirect_document_id": true
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
"source_path": "windows/whats-new/security.md",
|
||||||
|
"redirect_url": "/itpro/windows/keep-secure/overview-of-threat-mitigations-in-windows-10",
|
||||||
|
"redirect_document_id": true
|
||||||
|
},
|
||||||
]
|
]
|
||||||
}
|
}
|
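Review bot: the new entry for windows/whats-new/security.md is a second source path redirecting to /itpro/windows/keep-secure/overview-of-threat-mitigations-in-windows-10 with "redirect_document_id": true, which the entry directly above it already carries for the same target; the docs redirection scheme normally lets only one source transfer its document ID to a given redirect_url, so this one should most likely be "redirect_document_id": false. The added `},` before the closing `]` also preserves the trailing comma the file already had; leave it only if the redirection parser is known to tolerate that.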
@ -9,109 +9,123 @@ title: Available policies for Microsoft Edge (Microsoft Edge for IT Pros)
|
|||||||
localizationpriority: high
|
localizationpriority: high
|
||||||
---
|
---
|
||||||
|
|
||||||
# Available policies for Microsoft Edge
|
# Available Group Policy and Mobile Data Management (MDM) settings policies for Microsoft Edge
|
||||||
|
|
||||||
**Applies to:**
|
**Applies to:**
|
||||||
|
|
||||||
- Windows 10
|
- Windows 10, Windows Insider Program
|
||||||
- Windows 10 Mobile
|
- Windows 10 Mobile, Windows Insider Program
|
||||||
|
|
||||||
Microsoft Edge works with Group Policy and Microsoft Intune to help you manage your organization's computer settings. Group Policy objects (GPO's) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences.
|
Microsoft Edge works with Group Policy and Microsoft Intune to help you manage your organization's computer settings. Group Policy objects (GPO's) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences.
|
||||||
|
|
||||||
By using Group Policy and Intune, you can set up a policy setting once, and then copy that setting onto many computers. For example, you can set up multiple security settings in a GPO that's linked to a domain, and then apply all of those settings to every computer in the domain.
|
By using Group Policy and Intune, you can set up a policy setting once, and then copy that setting onto many computers. For example, you can set up multiple security settings in a GPO that's linked to a domain, and then apply all of those settings to every computer in the domain.
|
||||||
|
|
||||||
> **Note**<br>
|
> [!NOTE]
|
||||||
> For more info about Group Policy, see the [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514). This site provides links to the latest technical documentation, videos, and downloads for Group Policy. For more info about the tools you can use to change your Group Policy objects, see the Internet Explorer 11 topics, [Group Policy and the Group Policy Management Console (GPMC)](https://go.microsoft.com/fwlink/p/?LinkId=617921), [Group Policy and the Local Group Policy Editor](https://go.microsoft.com/fwlink/p/?LinkId=617922), [Group Policy and the Advanced Group Policy Management (AGPM)](https://go.microsoft.com/fwlink/p/?LinkId=617923), and [Group Policy and Windows Powershell](https://go.microsoft.com/fwlink/p/?LinkId=617924).
|
> For more info about Group Policy, see the [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514). This site provides links to the latest technical documentation, videos, and downloads for Group Policy. For more info about the tools you can use to change your Group Policy objects, see the Internet Explorer 11 topics, [Group Policy and the Group Policy Management Console (GPMC)](https://go.microsoft.com/fwlink/p/?LinkId=617921), [Group Policy and the Local Group Policy Editor](https://go.microsoft.com/fwlink/p/?LinkId=617922), [Group Policy and the Advanced Group Policy Management (AGPM)](https://go.microsoft.com/fwlink/p/?LinkId=617923), and [Group Policy and Windows PowerShell](https://go.microsoft.com/fwlink/p/?LinkId=617924).
|
||||||
|
|
||||||
## Group Policy settings
|
## Group Policy settings
|
||||||
Microsoft Edge works with these Group Policy settings (`Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge\`) to help you manage your company's web browser configurations:
|
Microsoft Edge works with these Group Policy settings (`Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge\`) to help you manage your company's web browser configurations:
|
||||||
|
|
||||||
| Policy name |Supported versions |Description |Options |
|
|Policy name|Supported versions|Description|Options|
|
||||||
|-------------|------------|-------------|--------|
|
|-------------|------------|-------------|--------|
|
||||||
|Allow Developer Tools |Windows 10, Version 1511 or later |This policy setting lets you decide whether F12 Developer Tools are available on Microsoft Edge.<p>If you enable or don’t configure this setting, the F12 Developer Tools are available in Microsoft Edge.<p>If you disable this setting, the F12 Developer Tools aren’t available in Microsoft Edge. |**Enabled or not configured (default):** Shows the F12 Developer Tools on Microsoft Edge.<p>**Disabled:** Hides the F12 Developer Tools on Microsoft Edge. |
|
|Allow Address bar drop-down list suggestions|Windows 10, Version 1703|This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services.<p>**Note**<br>Disabling this setting turns off the Address bar drop-down functionality. Therefore, because search suggestions are shown in the drop-down, this setting takes precedence over the "Configure search suggestions in Address bar" setting.<p>If you enable or don't configure this setting, employees can see the Address bar drop-down functionality in Microsoft Edge.<p>If you disable this setting, employees won't see the Address bar drop-down functionality in Microsoft Edge. This setting also disables the user-defined setting, "Show search and site suggestions as I type".|**Enabled or not configured (default):** Employees can see the Address bar drop-down functionality in Microsoft Edge.<p>**Disabled:** Employees won't see the Address bar drop-down functionality in Microsoft Edge. This setting also disables the user-defined setting, "Show search and site suggestions as I type".|
|
||||||
|Allow InPrivate browsing |Windows 10, Version 1511 or later |This policy setting lets you decide whether employees can browse using InPrivate website browsing.<p>If you enable or don’t configure this setting, employees can use InPrivate website browsing.<p>If you disable this setting, employees can’t use InPrivate website browsing. |**Enabled or not configured (default):** Lets employees use InPrivate website browsing.<p>**Disabled:** Stops employees from using InPrivate website browsing. |
|
|Allow Adobe Flash|Windows 10 or later|This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge.<p>If you enable or don't configure this setting, employees can use Adobe Flash.<p>If you disable this setting, employees can't use Adobe Flash.|**Enabled or not configured (default):** Employees use Adobe Flash in Microsoft Edge.<p>**Disabled:** Employees can’t use Adobe Flash.|
|
||||||
|Allow web content on New Tab page |Windows 10 or later |This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default, Microsoft Edge opens the New Tab page. If you use this setting, employees can’t change it.<p>If you enable this setting, Microsoft Edge opens a new tab with the New Tab page.<p>If you disable this setting, Microsoft Edge opens a new tab with a blank page.<p>If you don’t configure this setting, employees can choose how new tabs appears. |**Not configured (default):** Employees see web content on New Tab page, but can change it.<p>**Enabled:** Employees see web content on New Tab page.<p>**Disabled:** Employees always see an empty new tab. |
|
|Allow clearing browsing data on exit|Windows 10, Version 1703|This policy setting allows the automatic clearing of browsing data when Microsoft Edge closes.<p>If you enable this policy setting, clearing browsing history on exit is turned on.<p>If you disable or don't configure this policy setting, it can be turned on and configured by the employee in the Clear browsing data options area, under Settings.|**Enabled:** Turns on the automatic clearing of browsing data when Microsoft Edge closes.<p>**Disabled or not configured (default):** Employees can turn on and configure whether to automatically clear browsing data when Microsoft Edge closes in the Clear browsing data options area under Settings.|
|
||||||
|Configure Autofill |Windows 10 or later |This policy setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge. By default, employees can choose whether to use Autofill.<p>If you enable this setting, employees can use Autofill to automatically fill in forms while using Microsoft Edge.<p>If you disable this setting, employees can’t use Autofill to automatically fill in forms while using Microsoft Edge.<p>If you don’t configure this setting, employees can choose whether to use Autofill to automatically fill in forms while using Microsoft Edge. |**Not configured (default):** Employees can choose to turn Autofill on or off.<p>**Enabled:** Employees can use Autofill to complete form fields.<p>**Disabled:** Employees can’t use Autofill to complete form fields. |
|
|Allow Developer Tools|Windows 10, Version 1511 or later|This policy setting lets you decide whether F12 Developer Tools are available on Microsoft Edge.<p>If you enable or don’t configure this setting, the F12 Developer Tools are available in Microsoft Edge.<p>If you disable this setting, the F12 Developer Tools aren’t available in Microsoft Edge.|**Enabled or not configured (default):** Shows the F12 Developer Tools on Microsoft Edge.<p>**Disabled:** Hides the F12 Developer Tools on Microsoft Edge.|
|
||||||
|Configure cookies |Windows 10 or later|This setting lets you configure how to work with cookies.<p>If you enable this setting, you must also decide whether to:<br><ul><li>**Allow all cookies (default):** Allows all cookies from all websites.</li><li>**Block all cookies:** Blocks all cookies from all websites.</li><li>**Block only 3rd-party cookies:** Blocks only cookies from 3rd-party websites.</li></ul><p>If you disable or don't configure this setting, all cookies are allowed from all sites. |**Enabled:** Lets you decide how your company treats cookies.<br>If you use this option, you must also choose whether to:<br><ul><li>**Allow all cookies (default):** Allows all cookies from all websites.</li><li>**Block all cookies:** Blocks all cookies from all websites.</li><li>**Block only 3rd-party cookies:** Blocks only cookies from 3rd-party websites.</li></ul><p>**Disabled or not configured:** All cookies are allowed from all sites.|
|
|Allow Extensions|Windows 10, Version 1607 or later|This policy setting lets you decide whether employees can use Edge Extensions.<p>If you enable or don’t configure this setting, employees can use Edge Extensions.<p>If you disable this setting, employees can’t use Edge Extensions.|**Enabled or not configured:** Lets employees use Edge Extensions.<p>**Disabled:** Stops employees from using Edge Extensions.|
|
||||||
|Configure Do Not Track |Windows 10 or later |This policy setting lets you decide whether employees can send Do Not Track requests to websites that ask for tracking info. By default, Do Not Track requests aren’t sent, but employees can choose to turn on and send requests.<p>If you enable this setting, Do Not Track requests are always sent to websites asking for tracking info.<p>If you disable this setting, Do Not Track requests are never sent to websites asking for tracking info.<p>If you don’t configure this setting, employees can choose whether to send Do Not Track requests to websites asking for tracking info. |**Not configured (default):** Employees can choose to send Do Not Track headers on or off.<p>**Enabled:** Employees can send Do Not Track requests to websites requesting tracking info.<p>**Disabled:** Employees can’t send Do Not Track requests to websites requesting tracking info. |
|
|Allow InPrivate browsing|Windows 10, Version 1511 or later|This policy setting lets you decide whether employees can browse using InPrivate website browsing.<p>If you enable or don’t configure this setting, employees can use InPrivate website browsing.<p>If you disable this setting, employees can’t use InPrivate website browsing.|**Enabled or not configured (default):** Lets employees use InPrivate website browsing.<p>**Disabled:** Stops employees from using InPrivate website browsing.|
|
||||||
|Allow Extensions |Windows 10, Version 1607 or later |This policy setting lets you decide whether employees can use Edge Extensions.<p>If you enable or don’t configure this setting, employees can use Edge Extensions.<p>If you disable this setting, employees can’t use Edge Extensions. |**Enabled or not configured:** Lets employees use Edge Extensions.<p>**Disabled:** Stops employees from using Edge Extensions. |
|
|Allow Microsoft Compatibility List|Windows 10, Version 1607 or later|This policy setting lets you decide whether to use the Microsoft Compatibility List (a Microsoft-provided list that helps sites with known compatibility issues to display properly) in Microsoft Edge. By default, the Microsoft Compatibility List is enabled and can be viewed by visiting about:compat.<p>If you enable or don’t configure this setting, Microsoft Edge periodically downloads the latest version of the list from Microsoft, applying the updates during browser navigation. Visiting any site on the Microsoft Compatibility List prompts the employee to use Internet Explorer 11, where the site is automatically rendered as though it’s in whatever version of IE is necessary for it to appear properly.<p>If you disable this setting, the Microsoft Compatibility List isn’t used during browser navigation.|**Enabled or not configured (default):** Microsoft Edge periodically downloads the latest version of the list from Microsoft, applying the updates during browser navigation. Visiting any site on the Microsoft Compatibility List prompts the employee to use Internet Explorer 11, where the site is automatically rendered as though it’s in whatever version of IE is necessary for it to appear properly.<p>**Disabled:** Microsoft Edge doesn’t use the Microsoft Compatibility List during browser navigation.|
|
||||||
|Configure Favorites |Windows 10, Version 1511 or later |This policy setting lets you configure the default list of Favorites that appear for your employees. Employees can change their Favorites by adding or removing items at any time.<p>If you enable this setting, you can configure what default Favorites appear for your employees. If this setting is enabled, you must also provide a list of Favorites in the Options section. This list is imported after your policy is deployed.<p>If you disable or don’t configure this setting, employees will see the Favorites that they set in the Favorites hub. |**Enabled:** Configure the default list of Favorites for your employees. If you use this option, you must also add the URLs to the sites.<p>**Disabled or not configured:** Uses the Favorites list and URLs specified in the Favorites hub. |
|
|Allow search engine customization|Windows 10, Version 1703|This policy setting lets you decide whether users can change their search engine.<p>**Important**<br>This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy).<p>If you enable or don't configure this policy, users can add new search engines and change the default used in the Address bar from within Microsoft Edge Settings.<p>If you disable this setting, users can't add search engines or change the default used in the address bar.|**Enabled or not configured (default):** Employees can add new search engines and change the default used in the Address bar from within Microsoft Edge Settings.<p>**Disabled:** Employees can't add search engines or change the default used in the Address bar.|
|
||||||
|Configure Home pages |Windows 10, Version 1511 or later |This policy setting lets you configure one or more Home pages. for domain-joined devices. Your employees won't be able to change this after you set it.<p>If you enable this setting, you can configure one or more Home pages. If this setting is enabled, you must also include URLs to the pages, separating multiple pages by using angle brackets in this format: <br>`<support.contoso.com><support.microsoft.com>`<p>If you disable or don’t configure this setting, your default Home page is the webpage specified in App settings. |**Enabled:** Configure your Home pages. If you use this option, you must also include site URLs.<p>**Disabled or not configured (default):** Uses the Home pages and URLs specified in the App settings. |
|
|Allow web content on New Tab page|Windows 10 or later|This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default, Microsoft Edge opens the New Tab page. If you use this setting, employees can’t change it.<p>If you enable this setting, Microsoft Edge opens a new tab with the New Tab page.<p>If you disable this setting, Microsoft Edge opens a new tab with a blank page.<p>If you don’t configure this setting, employees can choose how new tabs appears.|**Not configured (default):** Employees see web content on New Tab page, but can change it.<p>**Enabled:** Employees see web content on New Tab page.<p>**Disabled:** Employees always see an empty new tab.|
|
||||||
|Configure Password Manager |Windows 10 or later |This policy setting lets you decide whether employees can save their passwords locally, using Password Manager. By default, Password Manager is turned on.<p>If you enable this setting, employees can use Password Manager to save their passwords locally.<p>If you disable this setting, employees can’t use Password Manager to save their passwords locally.<p>If you don’t configure this setting, employees can choose whether to use Password Manager to save their passwords locally. |**Not configured:** Employees can choose whether to use Password Manager.<p>**Enabled (default):** Employees can use Password Manager to save passwords locally.<p>**Disabled:** Employees can't use Password Manager to save passwords locally. |
|
|Configure additional search engines|Windows 10, Version 1703|This policy setting lets you add up to 5 additional search engines, which can't be removed by your employees, but can be made a personal default engine. This setting doesn't set the default search engine. For that, you must use the "Set default search engine" setting.<p>**Important**<br>This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy).<p>If you enable this setting, you can add up to 5 additional search engines. For each additional engine, you must also add a link to your OpenSearch XML file, including at least the short name and https: URL of the search engine. For more info about creating the OpenSearch XML file, see the [Understanding OpenSearch Standards](https://msdn.microsoft.com/en-us/library/dd163546.aspx) topic. Use this format to specify the link(s) you wish to add:<br>`<https://fabrikam.com/opensearch.xml>https://www.contoso.com/opensearch.xml`<p>If you disable this setting, any added search engines are removed from your employee's devices.<p>If you don't configure this setting, the search engine list is set to what is specified in App settings.|**Enabled:** Add up to 5 additional search engines. For each additional engine, you must also add a link to your OpenSearch XML file, including at least the short name and https: URL of the search engine.<p>**Disabled (default):** Any additional search engines are removed from your employee's devices.<p>**Not configured:** Search engine list is set to what is specified in App settings.|
|
||||||
|Configure Pop-up Blocker |Windows 10 or later |This policy setting lets you decide whether to turn on Pop-up Blocker. By default, Pop-up Blocker is turned on.<p>If you enable this setting, Pop-up Blocker is turned on, stopping pop-up windows from appearing.<p>If you disable this setting, Pop-up Blocker is turned off, letting pop-ups windows appear.<p>If you don’t configure this setting, employees can choose whether to use Pop-up Blocker. |**Enabled or not configured (default):** Turns on Pop-up Blocker, stopping pop-up windows.<p>**Disabled:** Turns off Pop-up Blocker, allowing pop-up windows. |
|
|Configure Autofill|Windows 10 or later|This policy setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge. By default, employees can choose whether to use Autofill.<p>If you enable this setting, employees can use Autofill to automatically fill in forms while using Microsoft Edge.<p>If you disable this setting, employees can’t use Autofill to automatically fill in forms while using Microsoft Edge.<p>If you don’t configure this setting, employees can choose whether to use Autofill to automatically fill in forms while using Microsoft Edge.|**Not configured (default):** Employees can choose to turn Autofill on or off.<p>**Enabled:** Employees can use Autofill to complete form fields.<p>**Disabled:** Employees can’t use Autofill to complete form fields.|
|
||||||
|Configure search suggestions in Address bar |Windows 10 or later |This policy setting lets you decide whether search suggestions appear in the Address bar of Microsoft Edge. By default, employees can choose whether search suggestions appear in the Address bar of Microsoft Edge.<p>If you enable this setting, employees can see search suggestions in the Address bar of Microsoft Edge.<p>If you disable this setting, employees can't see search suggestions in the Address bar of Microsoft Edge.<p>If you don’t configure this setting, employees can choose whether search suggestions appear in the Address bar of Microsoft Edge. |**Not configured (default):** Employees can choose whether search suggestions appear in the Address bar of Microsoft Edge.<p>**Enabled:** Employees can see search suggestions in the Address bar of Microsoft Edge.<p>**Disabled:** Employees can’t see search suggestions in the Address bar of Microsoft Edge. |
|
|Configure cookies|Windows 10 or later|This setting lets you configure how to work with cookies.<p>If you enable this setting, you must also decide whether to:<br><ul><li>**Allow all cookies (default):** Allows all cookies from all websites.</li><li>**Block all cookies:** Blocks all cookies from all websites.</li><li>**Block only 3rd-party cookies:** Blocks only cookies from 3rd-party websites.</li></ul><p>If you disable or don't configure this setting, all cookies are allowed from all sites.|**Enabled:** Lets you decide how your company treats cookies.<br>If you use this option, you must also choose whether to:<br><ul><li>**Allow all cookies (default):** Allows all cookies from all websites.</li><li>**Block all cookies:** Blocks all cookies from all websites.</li><li>**Block only 3rd-party cookies:** Blocks only cookies from 3rd-party websites.</li></ul><p>**Disabled or not configured:** All cookies are allowed from all sites.|
|
||||||
|Configure SmartScreen Filter |Windows 10 or later |This policy setting lets you configure whether to turn on SmartScreen Filter. SmartScreen Filter provides warning messages to help protect your employees from potential phishing scams and malicious software. By default, SmartScreen Filter is turned on.<p>If you enable this setting, SmartScreen Filter is turned on and employees can’t turn it off.<p>If you disable this setting, SmartScreen Filter is turned off and employees can’t turn it on.<p>If you don’t configure this setting, employees can choose whether to use SmartScreen Filter. |**Not configured (default):** Employees can choose whether to use SmartScreen Filter.<p>**Enabled:** Turns on SmartScreen Filter, providing warning messages to your employees about potential phishing scams and malicious software.<p>**Disabled:** Turns off SmartScreen Filter. |
|
|Configure Do Not Track|Windows 10 or later|This policy setting lets you decide whether employees can send Do Not Track requests to websites that ask for tracking info. By default, Do Not Track requests aren’t sent, but employees can choose to turn on and send requests.<p>If you enable this setting, Do Not Track requests are always sent to websites asking for tracking info.<p>If you disable this setting, Do Not Track requests are never sent to websites asking for tracking info.<p>If you don’t configure this setting, employees can choose whether to send Do Not Track requests to websites asking for tracking info.|**Not configured (default):** Employees can choose to send Do Not Track headers on or off.<p>**Enabled:** Employees can send Do Not Track requests to websites requesting tracking info.<p>**Disabled:** Employees can’t send Do Not Track requests to websites requesting tracking info.|
|
||||||
|Configure the Enterprise Mode Site List |Windows 10 or later| This policy setting lets you configure whether to use Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy apps.<p>If you enable this setting, Microsoft Edge looks for the Enterprise Mode Site List XML file. This file includes the sites and domains that need to be viewed using Internet Explorer 11 and Enterprise Mode.<p>If you disable or don’t configure this setting, Microsoft Edge won’t use the Enterprise Mode Site List XML file. In this case, employees might experience compatibility problems while using legacy apps.<p>**Note**<br>If there’s an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.<p>If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one.|**Enabled:** Lets you use the Enterprise Mode Site List to address common compatibility problems with legacy apps, if it’s configured.<p>If you use this option, you must also add the location to your site list in the `{URI}` box. When configured, any site on the list will always open in Internet Explorer 11.<p>**Disabled or not configured (default):** You won't be able to use the Enterprise Mode Site List.|
|
|Configure Favorites|Windows 10, Version 1511 or later|This policy setting lets you configure the default list of Favorites that appear for your employees. Employees can change their Favorites by adding or removing items at any time.<p>If you enable this setting, you can configure what default Favorites appear for your employees. If this setting is enabled, you must also provide a list of Favorites in the Options section. This list is imported after your policy is deployed.<p>If you disable or don’t configure this setting, employees will see the Favorites that they set in the Favorites hub.|**Enabled:** Configure the default list of Favorites for your employees. If you use this option, you must also add the URLs to the sites.<p>**Disabled or not configured:** Uses the Favorites list and URLs specified in the Favorites hub.|
|
||||||
|Prevent access to the about:flags page |Windows 10, Version 1607 or later|This policy setting lets you decide whether employees can access the about:flags page, which is used to change developer settings and to enable experimental features.<p>If you enable this policy setting, employees can’t access the about:flags page.<p>If you disable or don’t configure this setting, employees can access the about:flags page. |**Enabled:** Stops employees from using the about:flags page.<p>**Disabled or not configured (default):** Lets employees use the about:flags page. |
|
|Configure Password Manager|Windows 10 or later|This policy setting lets you decide whether employees can save their passwords locally, using Password Manager. By default, Password Manager is turned on.<p>If you enable this setting, employees can use Password Manager to save their passwords locally.<p>If you disable this setting, employees can’t use Password Manager to save their passwords locally.<p>If you don’t configure this setting, employees can choose whether to use Password Manager to save their passwords locally.|**Not configured:** Employees can choose whether to use Password Manager.<p>**Enabled (default):** Employees can use Password Manager to save passwords locally.<p>**Disabled:** Employees can't use Password Manager to save passwords locally.|
|
||||||
|Prevent bypassing SmartScreen prompts for files |Windows 10, Version 1511 or later |This policy setting lets you decide whether employees can override the SmartScreen Filter warnings about downloading unverified files.<p>If you enable this setting, employees can’t ignore SmartScreen Filter warnings and they’re blocked from downloading the unverified files.<p>If you disable or don’t configure this setting, employees can ignore SmartScreen Filter warnings and continue the download process. |**Enabled:** Stops employees from ignoring the SmartScreen Filter warnings about unverified files.<p>**Disabled or not configured (default):** Lets employees ignore the SmartScreen Filter warnings about unverified files and lets them continue the download process. |
|
|Configure Pop-up Blocker|Windows 10 or later|This policy setting lets you decide whether to turn on Pop-up Blocker. By default, Pop-up Blocker is turned on.<p>If you enable this setting, Pop-up Blocker is turned on, stopping pop-up windows from appearing.<p>If you disable this setting, Pop-up Blocker is turned off, letting pop-ups windows appear.<p>If you don’t configure this setting, employees can choose whether to use Pop-up Blocker.|**Enabled or not configured (default):** Turns on Pop-up Blocker, stopping pop-up windows.<p>**Disabled:** Turns off Pop-up Blocker, allowing pop-up windows.|
|
||||||
|Prevent bypassing SmartScreen prompts for sites |Windows 10, Version 1511 or later |This policy setting lets you decide whether employees can override the SmartScreen Filter warnings about potentially malicious websites.<p>If you enable this setting, employees can’t ignore SmartScreen Filter warnings and they’re blocked from continuing to the site.<p>If you disable or don’t configure this setting, employees can ignore SmartScreen Filter warnings and continue to the site. |**Enabled:** Stops employees from ignoring the SmartScreen Filter warnings about potentially malicious sites.<p>**Disabled or not configured (default):** Lets employees ignore the SmartScreen Filter warnings about potentially malicious sites and continue to the site. |
|
|Configure search suggestions in Address bar|Windows 10 or later|This policy setting lets you decide whether search suggestions appear in the Address bar of Microsoft Edge. By default, employees can choose whether search suggestions appear in the Address bar of Microsoft Edge.<p>If you enable this setting, employees can see search suggestions in the Address bar of Microsoft Edge.<p>If you disable this setting, employees can't see search suggestions in the Address bar of Microsoft Edge.<p>If you don’t configure this setting, employees can choose whether search suggestions appear in the Address bar of Microsoft Edge.|**Not configured (default):** Employees can choose whether search suggestions appear in the Address bar of Microsoft Edge.<p>**Enabled:** Employees can see search suggestions in the Address bar of Microsoft Edge.<p>**Disabled:** Employees can’t see search suggestions in the Address bar of Microsoft Edge.|
|
||||||
|Prevent using Localhost IP address for WebRTC |Windows 10, Version 1511 or later |This policy setting lets you decide whether an employee’s Localhost IP address shows while making calls using the WebRTC protocol. By default, this setting is turned off.<p>If you enable this setting, Localhost IP addresses are hidden while making calls using the WebRTC protocol.<p>If you disable or don’t configure this setting, Localhost IP addresses are shown while making calls using the WebRTC protocol. |**Enabled:** Hides the Localhost IP address during calls using the WebRTC protocol.<p>**Disabled or not configured (default):** Shows the Localhost IP address during phone calls using the WebRTC protocol. |
|
|Configure Start pages|Windows 10, Version 1511 or later|This policy setting lets you configure one or more Start pages, for domain-joined devices. Your employees won't be able to change this after you set it.<p>If you enable this setting, you can configure one or more Start pages. If this setting is enabled, you must also include URLs to the pages, separating multiple pages by using angle brackets in this format: <br>`<support.contoso.com><support.microsoft.com>`<p>If you disable or don’t configure this setting, your default Start page is the webpage specified in App settings.|**Enabled:** Configure your Start pages. If you use this option, you must also include site URLs.<p>**Disabled or not configured (default):** Uses the Home pages and URLs specified in the App settings.|
|
||||||
|Send all intranet sites to Internet Explorer 11 |Windows 10 or later |This policy setting lets you decide whether your intranet sites should all open using Internet Explorer 11. This setting should only be used if there are known compatibility problems with Microsoft Edge.<p>If you enable this setting, all intranet sites are automatically opened using Internet Explorer 11.<p>If you disable or don’t configure this setting, all websites, including intranet sites, are automatically opened using Microsoft Edge. |**Enabled:** Automatically opens all intranet sites using Internet Explorer 11.<p>**Disabled or not configured (default):** Automatically opens all websites, including intranet sites, using Microsoft Edge. |
|
|Configure the Adobe Flash Click-to-Run setting|Windows 10, Version 1703|This policy setting lets you decide whether employees must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash.<p>If you enable or don’t configure the Adobe Flash Click-to-Run setting, an employee must click the content, click a Click-to-Run button, or have the site appear on an auto-allow list before Microsoft Edge loads and runs Adobe Flash content.<p>**Important**<br>Sites are put on the auto-allowed list based on how frequently employees load and run the content.<p>If you disable this setting, Adobe Flash content is automatically loaded and run by Microsoft Edge.|**Enabled or not configured:** An employee must click the content, click a Click-to-Run button, or have the site appear on an auto-allow list before Microsoft Edge loads and runs Adobe Flash content.<p>**Disabled:** Adobe Flash content is automatically loaded and run by Microsoft Edge.|
|
||||||
|Show message when opening sites in Internet Explorer |Windows 10, Version 1607 and later |This policy setting lets you decide whether employees see an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.<p>If you enable this setting, employees see an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.<p>If you disable or don’t configure this setting, the default app behavior occurs and no additional page appears. |**Enabled:** Shows an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.<p>**Disabled or not configured (default):** Doesn’t show an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11. |
|
|Configure the Enterprise Mode Site List|Windows 10 or later|This policy setting lets you configure whether to use Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy apps.<p>If you enable this setting, Microsoft Edge looks for the Enterprise Mode Site List XML file. This file includes the sites and domains that need to be viewed using Internet Explorer 11 and Enterprise Mode.<p>If you disable or don’t configure this setting, Microsoft Edge won’t use the Enterprise Mode Site List XML file. In this case, employees might experience compatibility problems while using legacy apps.<p>**Note**<br>If there’s an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.<p>If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one.|**Enabled:** Lets you use the Enterprise Mode Site List to address common compatibility problems with legacy apps, if it’s configured.<p>If you use this option, you must also add the location to your site list in the `{URI}` box. When configured, any site on the list will always open in Internet Explorer 11.<p>**Disabled or not configured (default):** You won't be able to use the Enterprise Mode Site List.|
|
||||||
|
|Configure Windows Defender SmartScreen|Windows 10 or later|This policy setting lets you configure whether to turn on Windows Defender SmartScreen. Windows Defender SmartScreen provides warning messages to help protect your employees from potential phishing scams and malicious software. By default, Windows Defender SmartScreen is turned on.<p>If you enable this setting, Windows Defender SmartScreen is turned on and employees can’t turn it off.<p>If you disable this setting, Windows Defender SmartScreen is turned off and employees can’t turn it on.<p>If you don’t configure this setting, employees can choose whether to use Windows Defender SmartScreen.|**Not configured (default):** Employees can choose whether to use Windows Defender SmartScreen.<p>**Enabled:** Turns on SmartScreen Filter, providing warning messages to your employees about potential phishing scams and malicious software.<p>**Disabled:** Turns off Windows Defender SmartScreen.|
|
||||||
|
|Disable lockdown of Start pages|Windows 10, Version 1703|This policy setting lets you disable the lock down of Start pages, letting employees modify the Start pages when the "Configure Start pages" setting is in effect.<p>**Note**<br>This setting only applies when you're using the “Configure Start pages" setting.<p>**Important**<br>This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy).<p>If you enable this setting, you can't lock down any Start pages that are configured using the "Configure Start pages" setting, which means that employees can modify them.<p>If you disable or don't configure this setting, employees can't change any Start pages configured using the "Configure Start pages" setting, thereby locking down the Start pages.|**Enabled:** You’re unable to lock down any Start pages that are configured using the "Configure Start pages" setting, which means that your employees can modify them.<p>**Disabled or not configured (default):** Employees can't change any Start pages configured using the "Configure Start pages" setting.|
|
||||||
|
|Keep favorites in sync between Internet Explorer and Microsoft Edge|Windows 10, Version 1703|This setting lets you decide whether people can sync their favorites between Internet Explorer and Microsoft Edge.<p>If you enable this setting, employees can sync their favorites between Internet Explorer and Microsoft Edge.<p>If you disable or don't configure this setting, employees can’t sync their favorites between Internet Explorer and Microsoft Edge.|**Enabled:** Employees can sync their Favorites between Internet Explorer and Microsoft Edge.<p>**Disabled or not configured (default):** Employees can’t sync their Favorites between Internet Explorer and Microsoft Edge.|
|
||||||
|
|Prevent access to the about:flags page|Windows 10, Version 1607 or later|This policy setting lets you decide whether employees can access the about:flags page, which is used to change developer settings and to enable experimental features.<p>If you enable this policy setting, employees can’t access the about:flags page.<p>If you disable or don’t configure this setting, employees can access the about:flags page.|**Enabled:** Stops employees from using the about:flags page.<p>**Disabled or not configured (default):** Lets employees use the about:flags page.|
|
||||||
|
|Prevent bypassing Windows Defender SmartScreen prompts for files|Windows 10, Version 1511 or later |This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about downloading unverified files.<p>If you enable this setting, employees can’t ignore Windows Defender SmartScreen warnings and they’re blocked from downloading the unverified files.<p>If you disable or don’t configure this setting, employees can ignore Windows Defender SmartScreen warnings and continue the download process.|**Enabled:** Stops employees from ignoring the Windows Defender SmartScreen warnings about unverified files.<p>**Disabled or not configured (default):** Lets employees ignore the Windows Defender SmartScreen warnings about unverified files and lets them continue the download process.|
|
||||||
|
|Prevent bypassing Windows Defender SmartScreen prompts for sites|Windows 10, Version 1511 or later|This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about potentially malicious websites.<p>If you enable this setting, employees can’t ignore Windows Defender SmartScreen warnings and they’re blocked from continuing to the site.<p>If you disable or don’t configure this setting, employees can ignore Windows Defender SmartScreen warnings and continue to the site.|**Enabled:** Stops employees from ignoring the Windows Defender SmartScreen warnings about potentially malicious sites.<p>**Disabled or not configured (default):** Lets employees ignore the Windows Defender SmartScreen warnings about potentially malicious sites and continue to the site.|
|
||||||
|
|Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start|Windows 10, Version 1703|This policy lets you decide whether Microsoft Edge can gather Live Tile metadata from the ieonline.microsoft.com service to provide a better experience while pinning a Live Tile to the Start menu.<p>If you enable this setting, Microsoft Edge won't gather the Live Tile metadata, providing a minimal experience when a user pins a Live Tile to the Start menu.<p>If you disable or don't configure this setting, Microsoft Edge gathers the Live Tile metadata, providing a fuller and more complete experience when a user pins a Live Tile to the Start menu.|**Enabled:** Microsoft Edge won't gather the Live Tile metadata, providing a minimal experience when a user pins a Live Tile to the Start menu.<p>**Disabled or not configured (default):** Microsoft Edge gathers the Live Tile metadata, providing a fuller and more complete experience when a user pins a Live Tile to the Start menu.|
|
||||||
|
|Prevent the First Run webpage from opening on Microsoft Edge|Windows 10, Version 1703|This policy setting lets you decide whether employees see Microsoft's First Run webpage when opening Microsoft Edge for the first time.<p>If you enable this setting, employees won't see the First Run page when opening Microsoft Edge for the first time.<p>If you disable or don't configure this setting, employees will see the First Run page when opening Microsoft Edge for the first time.|**Enabled:** Employees won't see the First Run page when opening Microsoft Edge for the first time.<p>**Disabled or not configured (default):** Employees will see the First Run page when opening Microsoft Edge for the first time.|
|
||||||
|
|Prevent using Localhost IP address for WebRTC|Windows 10, Version 1511 or later|This policy setting lets you decide whether an employee’s Localhost IP address shows while making calls using the WebRTC protocol. By default, this setting is turned off.<p>If you enable this setting, Localhost IP addresses are hidden while making calls using the WebRTC protocol.<p>If you disable or don’t configure this setting, Localhost IP addresses are shown while making calls using the WebRTC protocol.|**Enabled:** Hides the Localhost IP address during calls using the WebRTC protocol.<p>**Disabled or not configured (default):** Shows the Localhost IP address during phone calls using the WebRTC protocol.|
|
||||||
|
|Send all intranet sites to Internet Explorer 11|Windows 10 or later|This policy setting lets you decide whether your intranet sites should all open using Internet Explorer 11. This setting should only be used if there are known compatibility problems with Microsoft Edge.<p>If you enable this setting, all intranet sites are automatically opened using Internet Explorer 11.<p>If you disable or don’t configure this setting, all websites, including intranet sites, are automatically opened using Microsoft Edge.|**Enabled:** Automatically opens all intranet sites using Internet Explorer 11.<p>**Disabled or not configured (default):** Automatically opens all websites, including intranet sites, using Microsoft Edge.|
|
||||||
|
|Set default search engine|Windows 10, Version 1703|This policy setting lets you configure the default search engine for your employees. Employees can change the default search engine at any time unless you disable the "Allow search engine customization" setting, which restricts any changes.<p>**Important**<br>This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy).<p>If you enable this setting, you can choose a default search engine for your employees. If this setting is enabled, you must also add the default engine to the “Set default search engine” setting, by adding a link to your OpenSearch XML file, including at least the short name and https: URL of the search engine. For more info about creating the OpenSearch XML file, see the [Understanding OpenSearch Standards](https://msdn.microsoft.com/en-us/library/dd163546.aspx) topic. Use this format to specify the link you wish to add:<br>`https://fabrikam.com/opensearch.xml`<p>**Note**<br>If you'd like your employees to use the default Microsoft Edge settings for each market, you can set the string to EDGEDEFAULT. If you'd like your employees to use Microsoft Bing as the default search engine, you can set the string to EDGEBING.<p>If you disable this setting, the policy-set default search engine is removed. If this is also the current in-use default, the engine changes to the Microsoft Edge specified engine for the market.<p>If you don't configure this setting, the default search engine is set to the one specified in App settings.|**Enabled:** You can choose a default search engine for your employees.<p>**Disabled:** The policy-set default search engine is removed. If this is also the current in-use default, the engine changes to the Microsoft Edge specified engine for the market.<p>**Not configured (default):** The default search engine is set to the one specified in App settings.|
|
||||||
|
|Show message when opening sites in Internet Explorer|Windows 10, Version 1607 and later|This policy setting lets you decide whether employees see an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.<p>If you enable this setting, employees see an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.<p>If you disable or don’t configure this setting, the default app behavior occurs and no additional page appears.|**Enabled:** Shows an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.<p>**Disabled or not configured (default):** Doesn’t show an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.|
|
||||||
|
|
||||||
## Using Microsoft Intune to manage your Mobile Data Management (MDM) settings for Microsoft Edge
|
## Using Microsoft Intune to manage your Mobile Data Management (MDM) settings for Microsoft Edge
|
||||||
If you manage your policies using Intune, you'll want to use these MDM policy settings. You can see the full list of available policies, on the [Policy CSP]( https://go.microsoft.com/fwlink/p/?LinkId=722885) page.
|
If you manage your policies using Intune, you'll want to use these MDM policy settings. You can see the full list of available policies, on the [Policy CSP]( https://go.microsoft.com/fwlink/p/?LinkId=722885) page.
|
||||||
|
|
||||||
> **Note**<br>
|
> [!NOTE]
|
||||||
> The **Supports** column uses these options:
|
> The **Supports** column uses these options:
|
||||||
|
> - **Desktop.** Supports Windows 10 Pro and Windows 10 Enterprise computers that are enrolled with Intune only.
|
||||||
- **Desktop.** Supports Windows 10 Pro and Windows 10 Enterprise computers that are enrolled with Intune only.
|
> - **Mobile.** Supports Windows 10 Mobile devices only.
|
||||||
|
> - **Both.** Supports both desktop and mobile devices.
|
||||||
- **Mobile.** Supports Windows 10 Mobile devices only.
|
|
||||||
|
|
||||||
- **Both.** Supports both desktop and mobile devices.
|
|
||||||
|
|
||||||
All devices must be enrolled with Intune if you want to use the Windows Custom URI Policy.
|
All devices must be enrolled with Intune if you want to use the Windows Custom URI Policy.
|
||||||
|
|
||||||
| Policy name |Supported versions |Supported device |Details |
|
|Policy name|Supported versions|Supported device|Details|
|
||||||
|-------------|-------------------|-----------------|--------|
|
|-------------|-------------------|-----------------|--------|
|
||||||
|AllowAutofill|Windows 10 or later |Desktop |<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowAutofill</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0.** Employees can’t use Autofill to complete form fields.</li><li>**1 (default).** Employees can use Autofill to complete form fields.</li></ul></li></ul>
|
|AllowAddressBarDropdown|Windows 10, Version 1703|Desktop|<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowAddressBarDropdown</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0.** Not allowed. Address bar drop-down is disabled, which also disables the user-defined setting, "Show search and site suggestions as I type."</li><li>**1 (default).** Allowed. Address bar drop-down is enabled.</li></ul></li></ul>|
|
||||||
|AllowBrowser |Windows 10 or later |Mobile |<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowBrowser</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0.** Employees can’t use Microsoft Edge.</li><li>**1 (default).** Employees can use Microsoft Edge.</li></ul></li></ul>|
|
|AllowAutofill|Windows 10 or later|Desktop|<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowAutofill</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0.** Employees can’t use Autofill to complete form fields.</li><li>**1 (default).** Employees can use Autofill to complete form fields.</li></ul></li></ul>|
|
||||||
|AllowCookies |Windows 10 or later |Both |<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowCookies</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0 (default).** Allows all cookies from all sites.</li><li>**1.** Blocks only cookies from 3rd party websites</li><li>**2.** Blocks all cookies from all sites.</li></ul></li></ul> |
|
|AllowBrowser|Windows 10 or later|Mobile|<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowBrowser</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0.** Employees can’t use Microsoft Edge.</li><li>**1 (default).** Employees can use Microsoft Edge.</li></ul></li></ul>|
|
||||||
|AllowDeveloperTools |Windows 10, Version 1511 or later |Desktop |<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowDeveloperTools</li><li>**Data type:** Integer</li><li>**Allowed values:**<ul><li>**0.** Employees can't use the F12 Developer Tools</li><li>**1 (default).** Employees can use the F12 Developer Tools</li></ul></li></ul> |
|
|AllowCookies|Windows 10 or later|Both|<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowCookies</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0 (default).** Allows all cookies from all sites.</li><li>**1.** Blocks only cookies from 3rd party websites</li><li>**2.** Blocks all cookies from all sites.</li></ul></li></ul>|
|
||||||
|AllowDoNotTrack |Windows 10 or later |Both |<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowDoNotTrack</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0 (default).** Stops employees from sending Do Not Track headers to websites requesting tracking info.</li><li>**1.** Employees can send Do Not Track headers to websites requesting tracking info.</li></ul></li></ul> |
|
|AllowDeveloperTools|Windows 10, Version 1511 or later|Desktop|<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowDeveloperTools</li><li>**Data type:** Integer</li><li>**Allowed values:**<ul><li>**0.** Employees can't use the F12 Developer Tools</li><li>**1 (default).** Employees can use the F12 Developer Tools</li></ul></li></ul>|
|
||||||
|AllowExtensions |Windows 10, Version 1607 and later |Desktop |<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowExtensions</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0.** Employees can’t use Edge Extensions.</li><li>**1 (default).** Employees can use Edge Extensions.</li></ul></li></ul> |
|
|AllowDoNotTrack|Windows 10 or later|Both|<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowDoNotTrack</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0 (default).** Stops employees from sending Do Not Track headers to websites requesting tracking info.</li><li>**1.** Employees can send Do Not Track headers to websites requesting tracking info.</li></ul></li></ul>|
|
||||||
|AllowInPrivate |Windows 10, Version 1511 or later |Both |<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowInPrivate</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0.** Employees can’t use InPrivate browsing.</li><li>**1 (default).** Employees can use InPrivate browsing.</li></ul></li></ul> |
|
|AllowExtensions|Windows 10, Version 1607 and later|Desktop|<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowExtensions</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0.** Employees can’t use Edge Extensions.</li><li>**1 (default).** Employees can use Edge Extensions.</li></ul></li></ul>|
|
||||||
|AllowPasswordManager |Windows 10 or later |Both |<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowPasswordManager</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0 (default).** Employees can't use Password Manager to save passwords locally.</li><li>**1.** Employees can use Password Manager to save passwords locally.</li></ul></li></ul> |
|
|AllowFlash|Windows 10 or later|Desktop|<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowFlash</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0.** Not allowed. Employees can’t use Adobe Flash</li><li>**1 (default).** Allowed. Employees can use Adobe Flash.</li></ul></li></ul>|
|
||||||
|AllowPopups |Windows 10 or later |Desktop |<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowPopups</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0 (default).** Turns off Pop-up Blocker, allowing pop-up windows.</li><li>**1.** Turns on Pop-up Blocker, stopping pop-up windows.</li></ul></li></ul> |
|
|AllowFlashClickToRun|Windows 10, Version 1703|Desktop|<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowFlashClickToRun</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0.** Adobe Flash content is automatically loaded and run by Microsoft Edge</li><li>**1 (default).** An employee must click the content, click a Click-to-Run button, or have the site appear on an auto-allow list before Microsoft Edge loads and runs Adobe Flash content.</li></ul></li></ul>|
|
||||||
|AllowSearchSuggestions<br>inAddressBar |Windows 10 or later |Both |<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowSearchSuggestionsinAddressBar</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0 (default).** Employees can’t see search suggestions in the Address bar of Microsoft Edge.</li><li>**1.** Employees can see search suggestions in the Address bar of Microsoft Edge.</li></ul></li></ul> |
|
|AllowInPrivate|Windows 10, Version 1511 or later|Both|<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowInPrivate</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0.** Employees can’t use InPrivate browsing.</li><li>**1 (default).** Employees can use InPrivate browsing.</li></ul></li></ul>|
|
||||||
|AllowSmartScreen |Windows 10 or later |Both |<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0 (default).** Turns off SmartScreen Filter.</li><li>**1.** Turns on SmartScreen Filter, providing warning messages to your employees about potential phishing scams and malicious software.</li></ul></li></ul> |
|
|AllowMicrosoftCompatibilityList|Windows 10, Version 1703|Both|<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowMicrosoftCompatibilityList</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0.** Additional search engines aren't allowed and the default can’t be changed in the Address bar.</li><li>**1 (default).** Additional search engines are allowed and the default can be changed in the Address bar.</li></ul></li></ul>|
|
||||||
|EnterpriseModeSiteList |Windows 10 or later |Desktop |<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/EnterpriseModeSiteList</li><li>**Data type.** String</li><li>**Allowed values:**<ul><li>Not configured.</li><li>**1 (default).** Use the Enterprise Mode Site List, if configured.</li><li>**2.** Specify the location to the site list.</li></ul><p>**Note**<br>If there’s an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.<p>If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one.</li></ul>|
|
|AllowPasswordManager|Windows 10 or later|Both|<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowPasswordManager</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0 (default).** Employees can't use Password Manager to save passwords locally.</li><li>**1.** Employees can use Password Manager to save passwords locally.</li></ul></li></ul>|
|
||||||
|Favorites |Windows 10, Version 1511 or later |Both |<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/Favorites</li><li>**Data type.** String</li><li>**Allowed values:**<ul><li>Configure the **Favorite** URLs for your employees.<p>**Example:**<br>`<contoso.com>`<br>`<fabrikam.com>`<p>**Note**<br> URLs must be on separate lines and aren't shared between Microsoft Edge and Internet Explorer 11.</li></ul> |
|
|AllowPopups|Windows 10 or later|Desktop|<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowPopups</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0 (default).** Turns off Pop-up Blocker, allowing pop-up windows.</li><li>**1.** Turns on Pop-up Blocker, stopping pop-up windows.</li></ul></li></ul>|
|
||||||
|FirstRunURL |Windows 10, Version 1511 or later |Mobile |<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/FirstRunURL</li><li>**Data type.** String</li><li>**Allowed values:**<ul><li>Configure the first run URL for your employees.<p>**Example:**<br>`<contoso.one>`</li></ul></li></ul> |
|
|AllowSearchEngineCustomization|Windows 10, Version 1703|Both|<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowSearchEngineCustomization</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0.** Additional search engines are not allowed and the default can’t be changed in the Address bar.</li><li>**1 (default).** Additional search engines are allowed and the default can be changed in the Address bar.</li></ul></li></ul>|
|
||||||
|HomePages |Windows 10, Version 1511 or later |Desktop |<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/HomePages</li><li>**Data type.** String</li><li>**Allowed values:**<ul><li>Configure the Home page URLs for your employees.<p>**Example:**<br>`<contoso.com/support><fabrikam.com/support>`</li></ul></li></ul> |
|
|AllowSearchSuggestions<br>inAddressBar|Windows 10 or later|Both|<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowSearchSuggestionsinAddressBar</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0 (default).** Employees can’t see search suggestions in the Address bar of Microsoft Edge.</li><li>**1.** Employees can see search suggestions in the Address bar of Microsoft Edge.</li></ul></li></ul>|
|
||||||
|PreventAccessToAbout<br>FlagsInMicrosoftEdge |Windows 10, Version 1607 and later |Desktop |<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventAccessToAboutFlagsInMicrosoftEdge</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0 (default).** Employees can access the about:flags page in Microsoft Edge.</li><li>**1.** Employees can't access the about:flags page in Microsoft Edge.</li></ul></li></ul> |
|
|AllowSmartScreen|Windows 10 or later|Both|<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0 (default).** Turns off Windows Defender SmartScreen.</li><li>**1.** Turns on Windows Defender SmartScreen, providing warning messages to your employees about potential phishing scams and malicious software.</li></ul></li></ul>|
|
||||||
|PreventSmartScreen<br>PromptOverride |Windows 10, Version 1511 or later |Both |<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0 (default).** Employees can ignore SmartScreen warnings.</li><li>**1.** Employees can't ignore SmartScreen warnings.</li></ul></li></ul> |
|
|ClearBrowsingDataOnExit|Windows 10, Version 1703|Both|<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/ClearBrowsingDataOnExit</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0 (default).** Browsing data is not cleared on exit. The type of browsing data to clear can be configured by the employee in the Clear browsing data options under Settings.</li><li>**1.** Browsing data is cleared on exit.</li></ul></li></ul>|
|
||||||
|PreventSmartScreen<br>PromptOverrideFor<br>Files |Windows 10, Version 1511 or later |Both |<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles </li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0 (default).** Employees can ignore SmartScreen warnings for files.</li><li>**1.** Employees can't ignore SmartScreen warnings for files.</li></ul></li></ul> |
|ConfigureAdditionalSearchEngines|Windows 10, Version 1703|Both|<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/ConfigureAdditionalSearchEngines</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0 (default).** Additional search engines are not allowed.</li><li>**1.** Additional search engines are allowed.</li></ul></li></ul>|
|PreventUsingLocalHost<br>IPAddressForWebRTC |Windows 10, Version 1511 or later |Desktop |<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventUsingLocalHostIPAddressForWebRTC</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0 (default).** Shows an employee's LocalHost IP address while using the WebRTC protocol.</li><li>**1.** Doesn't show an employee's LocalHost IP address while using the WebRTC protocol.</li></ul></li></ul> |
|DisableLockdownOfStartPages|Windows 10, Version 1703|Desktop|<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/DisableLockdownOfStartPages</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0 (default).** Enable lockdown of the Start pages according to the settings specified in the Browser/HomePages policy. Users cannot change the Start pages.</li><li>**1.** Disable lockdown of the Start pages and allow users to modify them.</li></ul></li></ul>|
|SendIntranetTraffic<br>toInternetExplorer |Windows 10 or later |Desktop |<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/SendIntranetTraffictoInternetExplorer</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0 (default).** Automatically opens all websites, including intranet sites, using Microsoft Edge.</li><li>**1.** Automatically opens all intranet sites using Internet Explorer 11.</li></ul></li></ul> |
|EnterpriseModeSiteList|Windows 10 or later|Desktop|<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/EnterpriseModeSiteList</li><li>**Data type.** String</li><li>**Allowed values:**<ul><li>Not configured.</li><li>**1 (default).** Use the Enterprise Mode Site List, if configured.</li><li>**2.** Specify the location to the site list.</li></ul><p>**Note**<br>If there’s an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.<p>If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one.</li></ul>|
|ShowMessageWhen<br>OpeningInteretExplorer<br>Sites |Windows 10, Version 1607 and later |Desktop |<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/ShowMessageWhenOpeningSitesInInteretExplorer</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0 (default).** Doesn’t show an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.</li><li>**1.** Shows an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.</li></ul></li></ul> |
|Favorites|Windows 10, Version 1511 or later|Both|<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/Favorites</li><li>**Data type.** String</li><li>**Allowed values:**<ul><li>Configure the **Favorite** URLs for your employees.<p>**Example:**<br>`<contoso.com>`<br>`<fabrikam.com>`<p>**Note**<br> URLs must be on separate lines and aren't shared between Microsoft Edge and Internet Explorer 11.</li></ul>|
|FirstRunURL|Windows 10, Version 1511 or later|Mobile|<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/FirstRunURL</li><li>**Data type.** String</li><li>**Allowed values:**<ul><li>Configure the first run URL for your employees.<p>**Example:**<br>`<contoso.one>`</li></ul></li></ul>|
|HomePages|Windows 10, Version 1511 or later|Desktop|<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/HomePages</li><li>**Data type.** String</li><li>**Allowed values:**<ul><li>Configure the Start page (previously known as Home page) URLs for your employees.<p>**Example:**<br>`<contoso.com/support><fabrikam.com/support>`</li></ul></li></ul>|
|PreventAccessToAbout<br>FlagsInMicrosoftEdge|Windows 10, Version 1607 and later|Desktop|<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventAccessToAboutFlagsInMicrosoftEdge</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0 (default).** Employees can access the about:flags page in Microsoft Edge.</li><li>**1.** Employees can't access the about:flags page in Microsoft Edge.</li></ul></li></ul>|
|PreventFirstRunPage|Windows 10, Version 1703|Both|<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventFirstRunPage</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0 (default).** Employees see the First Run webpage.</li><li>**1.** Employees don't see the First Run webpage.</li></ul></li></ul>|
|PreventLiveTileDataCollection|Windows 10, Version 1703|Both|<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventLiveTileDataCollection</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0 (default).** Microsoft servers will be contacted if a site is pinned to Start from Microsoft Edge.</li><li>**1.** Microsoft servers will not be contacted if a site is pinned to Start from Microsoft Edge.</li></ul></li></ul>|
|PreventSmartScreenPromptOverride|Windows 10, Version 1511 or later|Both|<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0 (default).** Turns off Windows Defender SmartScreen.</li><li>**1.** Turns on Windows Defender SmartScreen.</li></ul></li></ul>|
|PreventSmartScreenPromptOverrideForFiles|Windows 10, Version 1511 or later|Both|<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0 (default).** Lets employees ignore the Windows Defender SmartScreen warnings about unverified files and lets them continue the download process.</li><li>**1.** Stops employees from ignoring the Windows Defender SmartScreen warnings about unverified files.</li></ul></li></ul>|
|PreventUsingLocalHost<br>IPAddressForWebRTC|Windows 10, Version 1511 or later|Desktop|<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventUsingLocalHostIPAddressForWebRTC</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0 (default).** Shows an employee's LocalHost IP address while using the WebRTC protocol.</li><li>**1.** Doesn't show an employee's LocalHost IP address while using the WebRTC protocol.</li></ul></li></ul>|
|SendIntranetTraffic<br>toInternetExplorer|Windows 10 or later|Desktop|<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/SendIntranetTraffictoInternetExplorer</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0 (default).** Automatically opens all websites, including intranet sites, using Microsoft Edge.</li><li>**1.** Automatically opens all intranet sites using Internet Explorer 11.</li></ul></li></ul>|
|SetDefaultSearchEngine|Windows 10, Version 1703|Both|<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/SetDefaultSearchEngine</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0 (default).** The default search engine is set to the one specified in App settings.</li><li>**1.** Allows you to configure the default search engine for your employees.</li></ul></li></ul>|
|ShowMessageWhen<br>OpeningInteretExplorer<br>Sites|Windows 10, Version 1607 and later|Desktop|<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/ShowMessageWhenOpeningSitesInInteretExplorer</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0 (default).** Doesn’t show an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.</li><li>**1.** Shows an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.</li></ul></li></ul>|
|SyncFavoritesBetweenIEAndMicrosoftEdge|Windows 10, Version 1703|Desktop|<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Browser/SyncFavoritesBetweenIEAndMicrosoftEdge</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0 (default).** Synchronization is turned off.</li><li>**1.** Synchronization is turned on.</li></ul></li></ul>|
## Microsoft Edge and Windows 10-specific Group Policy settings
## Microsoft Edge and Windows 10-specific Group Policy settings
These are additional Windows 10-specific Group Policy settings that work with Microsoft Edge.
These are additional Windows 10-specific Group Policy settings that work with Microsoft Edge.
|Group Policy setting |Description |Options |
|Group Policy setting|Description|Options|
| --------------------|--------------|---------|
|--------------------|--------------|---------|
|Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana |Whether employees can use Cortana. |**Enabled or not configured:** Employees can use Cortana on their devices.<p>**Disabled:** Stops employees from using Cortana on their devices.<p>**Note** Employees can still perform searches even with Cortana turned off. |
|Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana|Whether employees can use Cortana.|**Enabled or not configured:** Employees can use Cortana on their devices.<p>**Disabled:** Stops employees from using Cortana on their devices.<p>**Note** Employees can still perform searches even with Cortana turned off.|
|Computer Configuration\Administrative Templates\Windows Components\sync your settings\Do not sync |Whether employees can use the **Sync your Settings** options to sync their settings to and from their device. |**Enabled:** Turns off the **Sync your Settings** options and none of the **Sync your Setting** groups are synced on the device. You can use the **Allow users to turn syncing on** option to turn the feature off by default, but to let the employee change this setting.<p>**Disabled or not configured (default):** Turns on the **Sync your Settings** area by default, letting employees pick what can sync on their device. |
|Computer Configuration\Administrative Templates\Windows Components\sync your settings\Do not sync|Whether employees can use the **Sync your Settings** options to sync their settings to and from their device.|**Enabled:** Turns off the **Sync your Settings** options and none of the **Sync your Setting** groups are synced on the device. You can use the **Allow users to turn syncing on** option to turn the feature off by default, but to let the employee change this setting.<p>**Disabled or not configured (default):** Turns on the **Sync your Settings** area by default, letting employees pick what can sync on their device.|
|Computer Configuration\Administrative Templates\Windows Components\sync your settings\Do not sync browser settings |Whether a browser group can use the **Sync your Settings** options to sync their info to and from their device. This includes settings and info like **History** and Favorites. |**Enabled:** Turns off the **Sync your Settings** options so that browser groups are unable to sync their settings and info. You can use the **Allow users to turn browser syncing on** option to turn the feature off by default, but to let the employee change this setting.<p>**Disabled or not configured (default):** Turns on the **Sync your Settings** area by default, letting browser groups pick what can sync on their device. |
|Computer Configuration\Administrative Templates\Windows Components\sync your settings\Do not sync browser settings|Whether a browser group can use the **Sync your Settings** options to sync their info to and from their device. This includes settings and info like **History** and Favorites.|**Enabled:** Turns off the **Sync your Settings** options so that browser groups are unable to sync their settings and info. You can use the **Allow users to turn browser syncing on** option to turn the feature off by default, but to let the employee change this setting.<p>**Disabled or not configured (default):** Turns on the **Sync your Settings** area by default, letting browser groups pick what can sync on their device.|
## Microsoft Edge and Windows 10-specific MDM policy settings
## Microsoft Edge and Windows 10-specific MDM policy settings
These are additional Windows 10-specific MDM policy settings that work with Microsoft Edge.
These are additional Windows 10-specific MDM policy settings that work with Microsoft Edge.
|MDM Policy name |Supports |Details |
|MDM Policy name|Supports|Details|
|----------------|--------------|------------------- |
|----------------|--------------|-------------------|
|AllowCortana |Both | <ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Experience/AllowCortana</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0.** Employees can’t use Cortana on their devices.</li><li>**1 (default).** Employees can use Cortana on their devices.</li></ul></li></ul> |
|AllowCortana|Both|<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Experience/AllowCortana</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0.** Employees can’t use Cortana on their devices.</li><li>**1 (default).** Employees can use Cortana on their devices.</li></ul></li></ul>|
|AllowSyncMySettings |Desktop |<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Experience/AllowSyncMySettings</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0.** Employees can’t sync settings between PCs.</li><li>**1 (default).** Employees can sync between PCs.</li></ul></li></ul> |
|AllowSyncMySettings|Desktop|<ul><li>**URI full path.** ./Vendor/MSFT/Policy/Config/Experience/AllowSyncMySettings</li><li>**Data type.** Integer</li><li>**Allowed values:**<ul><li>**0.** Employees can’t sync settings between PCs.</li><li>**1 (default).** Employees can sync between PCs.</li></ul></li></ul>|
## Related topics
## Related topics
* [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514)
* [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514)
* [Mobile Data Management (MDM) settings]( https://go.microsoft.com/fwlink/p/?LinkId=722885)
* [Mobile Data Management (MDM) settings]( https://go.microsoft.com/fwlink/p/?LinkId=722885)
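Review bot: the rewritten PreventSmartScreenPromptOverride row now describes its allowed values as "0 (default). Turns off Windows Defender SmartScreen" / "1. Turns on Windows Defender SmartScreen", which is the AllowSmartScreen wording; the row it replaces said "Employees can ignore SmartScreen warnings" / "Employees can't ignore SmartScreen warnings", matching the sibling PreventSmartScreenPromptOverrideForFiles row, so restore those descriptions. While the table is being reworked, the policy name ShowMessageWhenOpeningInteretExplorerSites and its URI path ShowMessageWhenOpeningSitesInInteretExplorer both spell "Interet" (missing an n) and do not match each other, and EnterpriseModeSiteList is typed String yet lists allowed values "1 (default)" and "2", which reads like an integer enum rather than the site-list location the same cell tells the reader to specify.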
@ -63,6 +63,8 @@ author: CelesteDG
<div class="side-by-side"> <div class="side-by-side-content">
<div class="side-by-side"> <div class="side-by-side-content">
<div class="side-by-side-content-left"><p><b>[Upgrade Windows 10 Pro to Pro Education from Windows Store for Business](windows-10-pro-to-pro-edu-upgrade.md)</b><br />If you have an education tenant and use Windows 10 Pro in your schools now, find out how you can opt-in to a free upgrade to Windows 10 Pro Education.</p></div>
<div class="side-by-side-content-left"><p><b>[Upgrade Windows 10 Pro to Pro Education from Windows Store for Business](windows-10-pro-to-pro-edu-upgrade.md)</b><br />If you have an education tenant and use Windows 10 Pro in your schools now, find out how you can opt-in to a free upgrade to Windows 10 Pro Education.</p></div>
<div class="side-by-side-content-right"><p></p>
</div>
</div>
</div>
## Windows 8.1
## Windows 8.1
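Review bot: the added `<div class="side-by-side-content-right"><p></p>` column contains only an empty paragraph, so the right-hand half of the side-by-side layout renders blank next to the Pro Education upgrade entry; either put the intended entry in it or hold the layout at one column until there is content. The added closing `</div>` does balance the new div, so the markup remains well-formed as submitted.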
@ -81,11 +81,11 @@ For more information, see Windows Defender SmartScreen overview.
Windows included Windows Defender Antivirus, a robust inbox antimalware solution, starting with Windows 8, when it was called Windows Defender. With Windows 10, Microsoft significantly improved Windows Defender Antivirus. Windows Defender Antivirus in Windows 10 uses a multi-pronged approach to improve antimalware:
Windows included Windows Defender Antivirus, a robust inbox antimalware solution, starting with Windows 8, when it was called Windows Defender. With Windows 10, Microsoft significantly improved Windows Defender Antivirus. Windows Defender Antivirus in Windows 10 uses a multi-pronged approach to improve antimalware:
- **Cloud-delivered protection** helps detect and block new malware within seconds, even if the malware has never been seen before. The service uses distributed resources and machine learning to deliver protection to endpoints at a rate that is far faster than traditional signature updates.
- **Cloud-delivered protection** helps detect and block new malware within seconds, even if the malware has never been seen before. The service, available as of Windows 10, version 1703, uses distributed resources and machine learning to deliver protection to endpoints at a rate that is far faster than traditional signature updates.
- **Rich local context** improves how malware is identified. Windows 10 informs Windows Defender Antivirus not only about content like files and processes but also where the content came from, where it has been stored, and more. The information about source and history enables Windows Defender Antivirus to apply different levels of scrutiny to different content.
- **Rich local context** improves how malware is identified. Windows 10 informs Windows Defender Antivirus not only about content like files and processes but also where the content came from, where it has been stored, and more. The information about source and history enables Windows Defender Antivirus to apply different levels of scrutiny to different content.
- **Extensive global sensors** help keep Windows Defender Antivirus current and aware of even the newest malware. This is accomplished in two ways: by collecting the rich local context data from end points and by centrally analyzing that data. The goal is to identify new, emerging malware and block it in the first critical hours of its lifetime to limit exposure to the broader PC ecosystem.
- **Extensive global sensors** help keep Windows Defender Antivirus current and aware of even the newest malware. This is accomplished in two ways: by collecting the rich local context data from end points and by centrally analyzing that data.
- **Tamper proofing** helps guard Windows Defender Antivirus itself against malware attacks. For example, Windows Defender Antivirus uses Protected Processes, which prevents untrusted processes from attempting to tamper with Windows Defender Antivirus components, its registry keys, and so on. ([Protected Processes](#protected-processes) is described later in this topic.)
- **Tamper proofing** helps guard Windows Defender Antivirus itself against malware attacks. For example, Windows Defender Antivirus uses Protected Processes, which prevents untrusted processes from attempting to tamper with Windows Defender Antivirus components, its registry keys, and so on. ([Protected Processes](#protected-processes) is described later in this topic.)
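Review bot: the first bullet now reads "The service, available as of Windows 10, version 1703, uses distributed resources and machine learning..." while the bullet's opening sentence still presents cloud-delivered protection unconditionally; say plainly which part is new in 1703 (the cloud-delivered service itself, or the within-seconds blocking the sentence describes) so readers on earlier builds know what they do and do not get. The third bullet drops the sentence about identifying emerging malware and blocking it "in the first critical hours of its lifetime" with no replacement; if that claim is being withdrawn, fine, but if it was cut for length it was the one sentence that explained why the global sensors matter, so consider keeping a shortened form of it.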
@ -74,6 +74,9 @@ The Windows Update client will try to download Express first, and under certain
At this point, the download is complete and the update is ready to be installed.
At this point, the download is complete and the update is ready to be installed.
>[!TIP]
>Express will **always** be leveraged if your machines are updated regularly with the latest cumulative updates.
## Steps to manage updates for Windows 10
## Steps to manage updates for Windows 10
<table><tbody>
<table><tbody>
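Review bot: the added tip states that Express will **always** be leveraged if machines are updated regularly, but the context line in this hunk's header says the Windows Update client will "try to download Express first, and under certain" conditions do something else, which implies fallback cases; the absolute "always" overstates it, so either soften to "is used whenever ..." or name the conditions under which Express is not used. "Updated regularly" is also undefined here; if the intent is "have installed the previous cumulative update", say that, since that is what a reader needs to check.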
@ -1,204 +0,0 @@
---
title: What's new in Windows 10 security (Windows 10)
description: There are several key client security improvements Microsoft has made in Windows 10.
ms.assetid: 6B8A5F7A-ABD3-416C-87B0-85F68B214C81
keywords: secure, data loss prevention, multifactor authentication
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: TrudyHa
---
# What's new in Windows 10 security
There are several key client security improvements Microsoft has made in Windows 10. These improvements focus on three key areas — threat resistance, information protection, and identity protection and access control. In addition to an overview of the features themselves, this article discusses the hardware requirements for each new feature and offers configuration recommendations and links to more detailed resources.
Microsoft designed the Windows 10 operating system to be the most secure version of the Windows operating system to date. To achieve this goal, Windows 10 employs advanced and now widely available hardware features to help protect users and devices against modern cyber threats. With thousands of new malware variants discovered daily and malicious hacking techniques evolving rapidly, never before has Windows client security been more important. In Windows 10, organizations can deploy new threat-resistant security features that harden the operating system in ways that can benefit Bring Your Own Device (BYOD) and corporate-owned device scenarios, as well as devices for special use cases, such as kiosks, ATMs, and point-of-sale (PoS) systems. These new threat-resistant features are modular—that is, they’re designed to be deployed together, although you can also implement them individually. With all these new features enabled together, organizations can protect themselves immediately against a majority of today’s most sophisticated threats and malware.
In addition to new, impactful threat mitigations, Windows 10 includes several improvements in built-in information protection, including a new data loss-prevention (DLP) component. These improvements allow organizations to separate business and personal data easily, define which apps have access to business data, and determine how data can be shared (for example, copy and paste). Unlike other DLP solutions, Microsoft integrated this functionality deeply into the Windows platform, offering the same type of security capabilities that container-based solutions offer but without altering such user experiences as requiring mode changes or switching applications.
Finally, new identity-protection and access control features make it easier to implement two-factor authentication (2FA) across the entire enterprise, which empowers organizations to transition away from passwords. Windows 10 introduces Microsoft Passport, a new 2FA user credential built directly into the operating system that users can access with either a PIN or a new biometrics-driven capability called Windows Hello. Together, these technologies provide a simple logon experience for users, with the robust security of multifactor authentication (MFA). Unlike third-party multifactor solutions, Microsoft Passport is designed specifically to integrate with Microsoft Azure Active Directory (Azure AD) and hybrid Active Directory environments and requires minimal administrative configuration and maintenance.
## Threat resistance
Today’s security threat landscape is one of aggressive and tenacious threats. In previous years, malicious attackers mostly focused on gaining community recognition through their attacks and the personal enjoyment of temporarily taking a system offline. Since then, attacker’s motives have shifted toward monetizing their attacks, which includes holding machines and data hostage until the owners pay the demanded ransom and exploiting the valuable information the attackers discover for monetary gain. Unlike these examples, modern attacks increasingly focus on large-scale intellectual property theft; targeted system degradation that results in financial loss; and now even cyberterrorism that threatens the security of individuals, businesses, and national interests all over the world. These attackers are typically highly trained individuals and security experts, some of whom are in the employ of nation states that have large budgets, seemingly unlimited human resources, and unknown motives. Threats like these require a different approach and mitigations that can meet the challenge.
Windows 10 introduces several new security features that help mitigate modern threats and protect organizations against cyber attackers, regardless of their motive. Microsoft has made significant investments in Windows 10 to make it the most malware-resistant Windows operating system to date. Rather than simply adding defenses to the operating system, as was the case in previous Windows releases, Microsoft introduces architectural changes in Windows 10 that address entire classes of threats. By fundamentally changing the way the operating system works, Microsoft seeks to make Windows 10 much more difficult for modern attackers to exploit. New features in Windows 10 include Device Guard, configurable code integrity, virtualization-based security (VBS), and improvements to Windows Defender, to name just a few. By enabling all these new features together, organizations can immediately protect themselves against the types of malware responsible for approximately 95 percent of modern attacks.
### Virtualization-based security
In the server world, virtualization technologies like Microsoft Hyper-V have proven extremely effective in isolating and protecting virtual machines (VMs) in the data center. Now, with those virtualization capabilities becoming more pervasive in modern client devices, there is an incredible opportunity for new Windows client security scenarios. Windows 10 can use virtualization technology to isolate core operating system services in a segregated, virtualized environment, similar to a VM. This additional level of protection, called virtualization-based security, ensures that no one can manipulate those services, even if the kernel mode of the host operating system is compromised.
Just like with client Hyper-V, Windows itself can now take advantage of processors equipped with second-level address translation (SLAT) technology and virtualization extensions, such as Intel Virtualization Technology (VT) x and AMD V, to create a secure execution environment for sensitive Windows functions and data. This VBS environment protects the following services:
- **Hypervisor Code Integrity (HVCI).** The HVCI service in Windows 10 determines whether code executing in kernel mode is securely designed and trustworthy. It offers Zero Day and vulnerability exploit protection capabilities by ensuring that all software running in kernel mode, including drivers, securely allocate memory and operate as they are intended. In Windows 10, kernel mode code integrity is configurable, which allows organizations to scope preboot code execution to their desired configuration. For more information about configurable code integrity in Windows 10, see the [Configurable code integrity](#configurable-code-integrity) section.
- **Local Security Authority (LSA).** The LSA service in Windows manages authentication operations, including NT LAN Manager (NTLM) and Kerberos mechanisms. In Windows 10, the Credential Guard feature isolates a portion of this service and helps mitigate the pass-the-hash and pass-the-ticket techniques by protecting domain credentials. In addition to logon credentials, this protection is extended to credentials stored within Credential Manager. For more information about Credential Guard, see the [Credential Guard](#credential-guard) section.
**Note**<br>
To determine whether virtualization is supported for a client machine model, simply run **systeminfo** from a command prompt window.
VBS provides the core framework for some of the most impactful mitigations Windows 10 offers. Having client machines within your organization that can employ this functionality is crucial to modern threat resistance. For more information about the specific hardware features that each Windows 10 feature requires, including VBS, see the [Windows 10 hardware considerations](#hardware) section.
### Device Guard
Microsoft Device Guard is a feature set that combines system integrity–hardening features that revolutionize Windows security by taking advantage of new VBS options to protect the system core and a trust-nothing model often seen in mobile operating systems. This feature set takes advantage of the best preexisting Windows hardening features (for example, Unified Extensible Firmware Interface \[UEFI\] Secure Boot, Windows Trusted Boot), and then combines them with powerful new app control features like the VBS-powered HVCI service and configurable code integrity, which together help prevent vulnerability exploits and unauthorized apps from running on the device in both user and kernel modes. For more information about VBS in Windows 10 and the additional features that use it, see the [Virtualization-based security](#virtualization-based-security) section. For more information about configurable code integrity, see the [Configurable code integrity](#configurable-code-integrity) section.
Although Microsoft intends the Device Guard feature set to run alongside new Windows security features such as Credential Guard, it can run independently. Depending on your organization’s client resources, you can selectively choose which features make sense for your environment and device compatibility. For information about the hardware requirements for Device Guard and other Windows 10 security features, see the [Windows 10 hardware considerations](#hardware) section. For more information about Credential Guard, see the [Credential Guard](#credential-guard) section.
For most organizations, implementing specific Device Guard functionality will depend on the role of the device and its primary user, employing more features on single-workload devices, such as kiosks, and fewer features on administrative machines over which users are allowed full control. By using this model, IT organizations can categorize users into groups that align with Device Guard security policies relating to device security and code integrity restrictions. For more information about configurable code integrity, see the [Configurable code integrity](#configurable-code-integrity) section.
New desktops and laptops will be available to expedite your Device Guard implementation efforts. Device Guard-ready devices will require the least amount of physical interaction with the actual device before it’s ready for use.
Going forward, all devices will fall into one of the following three categories:
- **Device Guard capable**. These devices will meet all the hardware requirements for Device Guard. You will still need to properly prepare devices with components that require enablement or configuration for Device Guard deployment. Device drivers on the device must be compatible with HVCI and may require updates from the original equipment manufacturer (OEM).
- **Device Guard ready**. Device Guard-ready devices will come directly from the OEM with all necessary hardware components and drivers to run Device Guard. In addition, all of these components will be pre-configured and enabled, which minimizes the effort needed to deploy Device Guard. No interaction with the BIOS is necessary to deploy these devices, and you can use Group Policy, System Center Configuration Manager, or Microsoft Intune to manage them.
- **Not supported for Device Guard**. Many current devices cannot take advantage of all Device Guard features because they don’t have the required hardware components or HVCI-compatible drivers. However, most of these devices can enable some Device Guard features, such as configurable code integrity.
For more information about how to prepare for, manage, and deploy Device Guard, see the [Device Guard deployment guide](../keep-secure/device-guard-deployment-guide.md).
### Configurable code integrity
*Code integrity* is the Windows component that verifies that the code Windows is running is trusted and safe. Like the operating modes found in Windows itself, Windows code integrity contains two primary components: kernel mode code integrity (KMCI) and user mode code integrity (UMCI). Microsoft has used KMCI in recent versions of Windows to prevent the Windows kernel from executing unsigned drivers. Although this approach is effective, drivers aren’t the only route malware can take to penetrate the operating system’s kernel mode space. So, for Windows 10, Microsoft has raised the standard for kernel mode code out of the box by requiring the use of security best practices regarding memory management and has provided enterprises with a way to set their own UMCI and KMCI standards.
Historically, UMCI has been available only for Windows RT and Windows Phone devices, which made it difficult for attackers to infect such devices with viruses and malware. This reduced infection rate results from the way the operating system determines which code to execute. Natively, binaries follow a process to prove to the operating system that they are trustworthy before the operating system allows them to execute. This process is intended to restrict the execution of arbitrary code and thereby decrease the risk of malware infection. This successful trust-nothing operating system model is now available in Windows 10 through a feature called *configurable code integrity*.
Configurable code integrity allows IT organizations to create and deploy code integrity policies that stipulate exactly which binaries can run in their environment. Administrators can manage this trust at a certification authority or publisher level down to the individual hash values for each executed binary. This level of customization allows organizations to create policies that are as restrictive as they desire. In addition, organizations can choose to provide different levels of restriction for certain types of machines. For example, fixed-workload devices such as kiosks and PoS systems would likely receive a strict policy, because their purpose is to provide the same service day after day. Administrators can manage devices that have more variable workloads, such as users’ PCs, at a higher level, providing certain software publishers’ applications for installation or aligning those devices with the organization’s software catalog.
**Note**<br>
Configurable code integrity is not intended to replace technologies that allow or block programs such as AppLocker or an organization’s antivirus software. Rather, it complements such technologies by establishing a baseline of security, and then using those additional technologies to fine-tune client security.
Configurable code integrity is not limited to Windows Store applications. In fact, it is not even limited to existing signed applications. Windows 10 gives you a way to sign line-of-business or third-party applications without having to repackage them: you can monitor the application’s installation and initial execution to create a list of binaries called a catalog file. When created, you sign these catalog files and add the signing certificate to the code integrity policy so that those binaries contained within the catalog files are allowed to execute. Then, you can use Group Policy, Configuration Manager, or any other familiar management tool to distribute these catalog files to your client machines. Historically, most malware has been unsigned; simply by deploying code integrity policies, your organization can immediately protect itself against unsigned malware, which is responsible for most modern attacks.
**Note**<br>
For detailed deployment and planning information about configurable code integrity, see the [Device Guard deployment guide](../keep-secure/device-guard-deployment-guide.md).
The process to create, test, and deploy a code integrity policy is as follows:
1. **Create a code integrity policy.** Use the Windows PowerShell cmdlet **New-CIPolicy**, available in Windows 10, to create a new code integrity policy. This cmdlet scans a PC and generates file rules at the rule level you specify. For example, if you set the rule level to **Hash**, the cmdlet adds a hash value for every discovered binary to the resulting policy. When you enforce and deploy the policy, this list of hash values determines exactly which binaries are allowed to run on the machines that receive the policy. Code integrity policies can contain both a kernel mode and a user mode execution policy, restricting what can run in either or both modes. Finally, when created, the XML policy is converted to binary format (with the **ConvertFrom-CIPolicy** cmdlet) so that the managed client can consume it when the policy is copied to the client’s code integrity folder.
2. **Audit the code integrity policy for exceptions.** When you first create a code integrity policy, audit mode is enabled by default so that you can simulate the effect of a code integrity policy without actually blocking the execution of any binaries. Instead, policy exceptions are logged in the CodeIntegrity event log (**Microsoft-Windows-CodeIntegrity/Operational**) so that you can add the exceptions to the policy later. Be sure to audit any policy to discover potential issues before you deploy it.
3. **Merge the audit results with the existing policy.** After you have audited a policy, you can use the audit events to create an additional code integrity policy. Because each machine processes just one code integrity policy, you must merge the file rules within this new code integrity policy with the original policy. To do so, run the **Merge-CIPolicy** cmdlet, which is available in Windows 10 Enterprise.
4. **Enforce and sign the policy.** After you create, audit, and merge the resulting code integrity policies, it’s time to enforce your policy. To do so, run the **Set-RuleOption** cmdlet to remove the **Enabled:Audit Mode** rule option. When enforced, no binaries that are exceptions to the policy will be allowed to run. In addition to enforcing a policy, signed policies offer an additional level of protection. To sign a policy, also remove the **Enabled:Unsigned System Integrity Policy** rule option and sign the converted binary policy with a code-signing certificate that the policy trusts. Signed code integrity policies inherently protect themselves against manipulation and deletion, even by administrators, because only a policy signed with a trusted signing certificate can replace them.
5. **Deploy the code integrity policy.** When you have enforced and optionally signed your code integrity policy, it’s ready for deployment. To deploy your code integrity policies, you can use Microsoft client management technologies, mobile device management solutions, or Group Policy, or you can simply copy the file to the correct location on your client computers. For Group Policy deployment, a new administrative template is available in Windows 10 and the Windows Server 2016 operating system to simplify the deployment process.
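
The five steps above, carried through end to end with the ConfigCI cmdlets, as an added PowerShell example (this is not code from the original page or from the Device Guard deployment guide). The `C:\CI` working folder and the file names are assumptions; the cmdlets, rule options, event IDs and the `SIPolicy.p7b` destination are the standard configurable code integrity surface in Windows 10 Enterprise. Run it in an elevated session on a clean reference machine.

```powershell
# Added example: create, audit, merge, enforce and deploy a configurable code integrity
# policy. Folder and file names below are assumptions for this walkthrough.
$CIPath     = 'C:\CI'
$InitialXml = Join-Path $CIPath 'InitialScan.xml'
$AuditXml   = Join-Path $CIPath 'AuditAdditions.xml'
$MergedXml  = Join-Path $CIPath 'MergedPolicy.xml'
$PolicyBin  = Join-Path $CIPath 'SIPolicy.p7b'
$Target     = 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'
New-Item -ItemType Directory -Path $CIPath -Force | Out-Null

# 1. Create. -Level Publisher trusts anything signed by the publishers found on the
#    reference machine; -Fallback Hash covers unsigned binaries with per-file hashes.
#    -UserPEs includes user-mode executables, so the policy carries UMCI as well as KMCI
#    rules. A new policy has "Enabled:Audit Mode" (rule option 3) set by default.
New-CIPolicy -Level Publisher -Fallback Hash -FilePath $InitialXml -UserPEs

# 2. Audit. Deploy the audit-mode policy, reboot, and exercise the real workload.
#    Nothing is blocked; each file that would have been blocked is logged as event
#    ID 3076 in Microsoft-Windows-CodeIntegrity/Operational (3077 is a real block
#    once the policy is enforced).
ConvertFrom-CIPolicy -XmlFilePath $InitialXml -BinaryFilePath $PolicyBin
Copy-Item $PolicyBin $Target -Force
# ... after the reboot and test period, review what audit mode would have blocked:
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in 3076, 3077 } |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap

# 3. Merge. -Audit builds a policy from the audit events instead of a disk scan; the
#    client honours one policy, so merge it with the original scan.
New-CIPolicy -Audit -Level Publisher -Fallback Hash -FilePath $AuditXml -UserPEs
Merge-CIPolicy -PolicyPaths $InitialXml, $AuditXml -OutputFilePath $MergedXml

# 4. Enforce. Deleting option 3 turns audit mode off. Delete option 6
#    ("Enabled:Unsigned System Integrity Policy") only when you are going to sign
#    the .p7b; an unsigned policy with option 6 removed will not load.
Set-RuleOption -FilePath $MergedXml -Option 3 -Delete
# Set-RuleOption -FilePath $MergedXml -Option 6 -Delete   # only before signing

# 5. Deploy. Convert to binary and place it in the CodeIntegrity folder, or point the
#    "Deploy Code Integrity Policy" setting under Computer Configuration\
#    Administrative Templates\System\Device Guard at a share holding the .p7b.
ConvertFrom-CIPolicy -XmlFilePath $MergedXml -BinaryFilePath $PolicyBin
Copy-Item $PolicyBin $Target -Force
Write-Host "Policy deployed to $Target; reboot to apply."
```

Keep the XML files under version control: every later change (a new publisher, a removed hash) is a `Merge-CIPolicy` or `Set-RuleOption` against the XML followed by another convert-and-copy, and the XML is the only readable record of what the binary policy allows.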
**Note**<br>
Configurable code integrity is available in Windows 10 Enterprise and Windows 10 Education.
You can enable configurable code integrity as part of a Device Guard deployment or as a stand-alone component. In addition, you can run configurable code integrity on hardware that is compatible with the Windows 7 operating system, even if such hardware is not Device Guard ready. Code integrity policies can align with an existing application catalog, existing corporate imaging strategy, or with any other method that provides the organization’s desired levels of restriction. For more information about configurable code integrity with Device Guard, see the [Device Guard deployment guide](../keep-secure/device-guard-deployment-guide.md).
### <a href="" id="measured-boot-and-remote-attestation-"></a>Measured Boot and remote attestation
Although software-based antimalware and antivirus solutions are effective, they have no way to detect pre–operating system resource modification or infection such as by bootkits and rootkits—malicious software that can manipulate a client before the operating system and antimalware solutions load. Bootkits and rootkits and similar software are nearly impossible to detect using software-based solutions alone, so Windows 10 uses the client’s Trusted Platform Module (TPM) and the Windows Measured Boot feature to analyze the overall boot integrity. When requested, Windows 10 reports integrity information to the Windows cloud-based device health attestation service, which can then be used in coordination with management solutions such as Intune to analyze the data and provide conditional access to resources based on the device’s health state.
Measured Boot uses one of the TPM’s key capabilities and provides unique benefits to security-conscious organizations. The feature can accurately and securely report the state of a machine’s trusted computing base (TCB). As the system’s TCB, which consists of crucial startup-related security components such as firmware, the operating system loader, and drivers and software, is measured, the TPM records the measurements in platform configuration registers (PCRs). When this measurement process is complete, the TPM can cryptographically sign (quote) the PCR values so that the Measured Boot information can be sent to either the Windows cloud-based device health attestation service or a non-Microsoft equivalent for verification. For example, if a company only wants to validate a computer’s firmware before allowing network access, PCR\[0\], which holds the firmware (BIOS/UEFI) code measurements, would be added to the policy for the attestation server to validate. This way, when the attestation server receives the signed PCR values and boot log from the client, the server knows which values that PCR should contain.
Measured Boot by itself does not prevent malware from loading during the startup process, but it does provide a TPM-protected audit log that allows a trusted remote attestation server to evaluate the PC’s startup components and determine its trustworthiness. If the remote attestation server indicates that the PC loaded an untrusted component and is therefore out of compliance, a management system can use the information for conditional access scenarios to block the PC’s access to network resources or perform other quarantine actions.
### Improvements in Windows Defender
For Windows 10, Microsoft has revamped Windows Defender and combined it with Microsoft System Center Endpoint Protection. Unlike with Microsoft System Center 2012 R2, there will be no System Center Endpoint Protection client to deploy to Windows 10 machines because Windows Defender is built into the operating system and enabled by default.
In addition to simplified deployment, Windows Defender contains several improvements. The most important improvements to Windows Defender are:
- **Early Launch Antimalware (ELAM) compatible.** After Secure Boot has verified that the loading operating system is trusted, ELAM can start a registered and signed antimalware application before any other operating system components. Windows Defender is compatible with ELAM.
- **Local context for detections and centralized sensory data.** Unlike most antimalware software and previous versions of Windows Defender, Windows Defender in Windows 10 reports additional information about the context of discovered threats. This information includes the source of the content that contains the threat as well as the historical movement of the malware throughout the system. When collection is complete, Windows Defender reports this information (when users elect to enable cloud-based protection) and uses it to mitigate threats more quickly.
- **User Account Control (UAC) integration.** Windows Defender is now closely integrated with the UAC mechanism in Windows 10. Whenever a UAC request is made, Windows Defender automatically scans the file that is requesting elevation before prompting the user, which helps prevent users from granting elevated privileges to malware.
- **Simplified management.** In Windows 10, you can manage Windows Defender much more easily than ever before. Manage settings through Group Policy, Intune, or Configuration Manager.
## Information protection
Protecting the integrity of company data as well as preventing the inappropriate disclosure and sharing of that data are a top priority for IT organizations. Trends like BYOD and mobility make the task of information protection more challenging than ever before. Windows 10 includes several improvements to built-in information protection, including a new Windows Information Protection (WIP) feature that offers DLP capability. This feature allows an organization’s users to classify data themselves and gives you the ability to automatically classify data as it ingresses from business resources. It can also help prevent users from copying business content to unauthorized locations such as personal documents or websites.
Unlike some current DLP solutions, WIP does not require users to switch modes or apps or work within containers to protect data, and the protection happens behind the scenes without altering the user experience that your users have grown accustomed to in Windows. For more information about WIP in Windows 10, see the [Windows Information Protection](#windows-information-protection) section.
In addition to WIP, Microsoft has made substantial improvements to BitLocker, including simplified manageability through Microsoft BitLocker Administration and Monitoring (MBAM), used-space-only encryption, and single sign-on (SSO) capability. For more information about BitLocker improvements in Windows 10, see the [Improvements in BitLocker](#bitlocker) section.
### Windows Information Protection
DLP systems are intended to protect sensitive corporate data through encryption and managed use while the data is in use, in motion, or at rest. Traditional DLP software is typically invasive and frustrating for users and can be complicated for administrators to configure and deploy. Windows 10 now includes a Windows Information Protection (WIP) feature that offers DLP capabilities and is built in and simple to use. This solution gives you the flexibility to define policies that will help determine what kind of data to protect as business data and what should be considered personal. Based on these policies, you can also choose what to do, either automatically or manually, whenever you suspect that data is about to be or has been compromised. For example, if an employee has a personal but managed device that contains business data, an IT organization could block that user from copying and pasting business data to nonbusiness documents and locations or could even selectively wipe the business data from the device at any time without affecting the personal data on the device.
You can configure WIP policies to encrypt and protect files automatically based on the network source from which the content was acquired, such as an email server, file share, or a Microsoft SharePoint site. The policies can work with on-premises resources as well as those that originate from the Internet. When specified, any data retrieved from internal network resources will always be protected as business data; even if that data is copied to portable storage, such as a flash drive or CD, the protection remains. In an effort to allow easy corrections of misclassified data, users who feel that WIP has incorrectly protected their personal data can modify the data’s classification. When such a modification occurs, you have access to audit data on the client machine. You can also use a policy to prevent users from reclassifying data. The WIP feature in Windows 10 also includes policy controls that allow you to define which apps have access to business data and even which have access to the corporate virtual private network (VPN).
To manage WIP, you use the same system management tools you probably already use to manage your Windows client computers, such as Configuration Manager and Intune. For more information about WIP, see [Protect your enterprise data using Windows Information Protection](https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip).
### <a href="" id="bitlocker"></a>Improvements in BitLocker
With so many laptops stolen annually, protecting data at rest should be a top priority for any IT organization. Microsoft has shipped a full-volume encryption solution called BitLocker directly in Windows since Windows Vista. If your last encounter with BitLocker was in Windows 7, you’ll find that the manageability and SSO capabilities that were previously lacking are now included in Windows 10. These and other improvements make BitLocker one of the best choices on the marketplace for protecting data on Windows devices. Windows 10 builds on the BitLocker improvements made in the Windows 8.1 and Windows 8 operating systems to make BitLocker more manageable and to simplify its deployment even further.
Microsoft has made the following key improvements to BitLocker:
- **Automatic drive encryption through Device Encryption.** By default, BitLocker is automatically enabled on clean installations of Windows 10 if the device has passed the Device Encryption Requirements test from the Windows Hardware Certification Kit. Many Windows 10–compatible PCs will meet this requirement. This version of BitLocker is called Device Encryption. Whenever devices on which Device Encryption is enabled join your domain, the recovery keys can be escrowed in either Active Directory or MBAM.
- **MBAM improvements.** MBAM provides a simplified management console for BitLocker administration. It also simplifies recovery requests by providing a self-service portal in which users can recover their drives without calling the help desk.
- **SSO.** BitLocker for Windows 7 often required the use of a pre-boot PIN to access the protected drive’s encryption key and allow Windows to start. In Windows 10, user input-based pre-boot authentication (in other words, a PIN) is not required because the TPM maintains the keys. In addition, modern hardware often mitigates the attacks that previously necessitated PIN protection, such as port-based direct memory access (DMA) attacks and cold boot attacks against keys left in memory. For more information to determine which cases and device types still require PIN protection, refer to [BitLocker Countermeasures](../keep-secure/bitlocker-countermeasures.md).
- **Used-space-only encryption.** Rather than encrypting an entire hard drive, you can configure BitLocker to encrypt only the used space on a drive. This option drastically reduces the overall encryption time required.
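
The Windows 10 defaults the list above describes (a TPM-only protector with no pre-boot PIN, used-space-only encryption, and recovery-key escrow in Active Directory), as an added PowerShell example using the BitLocker module; this is not code from the original page. The `C:` mount point and the XTS-AES-256 cipher are assumptions, and the Active Directory backup step assumes a domain-joined machine whose Group Policy permits recovery-password backup to AD DS.

```powershell
# Added example: enable BitLocker on the OS volume with a TPM protector and
# used-space-only encryption, add a recovery password, and escrow it in AD DS.
# Mount point and cipher are assumptions; run elevated.
$Volume = 'C:'

# A TPM-only protector (no pre-boot PIN) needs a present, initialized TPM.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'A ready TPM is required for a TPM protector without a pre-boot PIN.'
}

$vol = Get-BitLockerVolume -MountPoint $Volume
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    # -UsedSpaceOnly encrypts only allocated clusters, which is what makes the initial
    # pass fast on a fresh install. -SkipHardwareTest avoids the reboot-and-verify
    # cycle; leave it out in a pilot so the TPM unlock path is proven before the
    # volume key is sealed to the TPM.
    Enable-BitLocker -MountPoint $Volume -EncryptionMethod XtsAes256 `
        -UsedSpaceOnly -TpmProtector -SkipHardwareTest
}

# The recovery password is the break-glass path when the TPM's measurements change
# (firmware update, Secure Boot change, board swap). Add one if none exists.
$recovery = (Get-BitLockerVolume -MountPoint $Volume).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    Add-BitLockerKeyProtector -MountPoint $Volume -RecoveryPasswordProtector | Out-Null
    $recovery = (Get-BitLockerVolume -MountPoint $Volume).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# Escrow every recovery password in AD DS. MBAM offers the same escrow plus a
# self-service recovery portal; the cmdlet below is the plain AD DS path.
foreach ($rp in $recovery) {
    Backup-BitLockerKeyProtector -MountPoint $Volume -KeyProtectorId $rp.KeyProtectorId
}

# Verify: protection on, TPM + RecoveryPassword protectors, expected cipher.
Get-BitLockerVolume -MountPoint $Volume |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod,
        @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```

If the last command shows `ProtectionStatus` as `Off` after a used-space-only encryption, the drive was encrypted but protectors are suspended; `Resume-BitLocker -MountPoint C:` turns protection on.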
## Identity protection and access control
User credentials are vital to the overall security of an organization’s domain. Until Windows 10, user name-password combinations were the primary way for a person to prove his or her identity to a machine or system. Unfortunately, passwords are easily stolen, and attackers can use them remotely to spoof a user’s identity. Some organizations deploy public key infrastructure (PKI)-based solutions, like smart cards, to address the weaknesses of passwords. Because of the complexity and costs associated with these solutions, however, they’re rarely deployed and, even when they are used, frequently used only to protect top-priority assets such as the corporate VPN. Windows 10 introduces new identity-protection and access control features that address the weaknesses of today’s solutions and can effectively remove the need for user passwords in an organization.
Windows 10 also includes a feature called Microsoft Passport, a new 2FA mechanism built directly into the operating system. The two factors of authentication include a combination of something you know (for example, a PIN), something you have (for example, your PC, your phone), or something about the user (for example, biometrics). With Microsoft Passport enabled, when you log on to a computer, Microsoft Passport is responsible for brokering user authentication around the network, providing the same SSO experience with which you’re familiar. For more information about Microsoft Passport, see the [Microsoft Passport](#passport) section.
The biometrics factor available for Microsoft Passport is driven by another new feature in Windows 10 called Windows Hello. Windows Hello uses a variety of biometric sensors to accept different points of biometric measurement, such as the face, iris, and fingerprints, which allows organizations to choose from various options when they consider what makes the most sense for their users and devices. By combining Windows Hello with Microsoft Passport, users no longer need to remember a password to access corporate resources. For more information about Windows Hello, see the [Windows Hello](#hello) section.
Finally, Windows 10 uses VBS to isolate the Windows service responsible for maintaining and brokering a user’s derived credentials (for example, Kerberos ticket, NTLM hash) through a feature called Credential Guard. In addition to service isolation, the TPM protects credential data while the machine is running and while it’s off. Credential Guard provides a comprehensive strategy to protect user-derived credentials at runtime as well as at rest, thus preventing them from being accessed and used in pass-the-hash–type attacks. For more information about Credential Guard, see the [Credential Guard](#credential-guard) section.
### <a href="" id="passport"></a>Microsoft Passport
Historically, companies have mitigated the risk of credential theft by implementing 2FA. In this method, a combination of something you know (for example, a PIN), something you have (traditionally a smart card or token), or possibly something about the user (for example, biometrics) strengthens the logon process. The additional factor beyond something you know requires that a credential thief acquire a physical device or, in the case of biometrics, the actual user.
Microsoft Passport introduces a strong 2FA mechanism integrated directly into Windows. Many organizations use 2FA today but don’t integrate its functionality into their organization because of the expense and time required to do so. Therefore, most organizations use MFA only to secure VPN connections and the highest-value resources on their network, and then use traditional passwords for logon to devices and to navigate the rest of the network. Microsoft Passport is unlike these other forms of 2FA in that Microsoft designed it specifically to address the complexity, cost, and user experience challenges of traditional 2FA solutions, making it simple to deploy throughout the enterprise through existing infrastructure and devices.
Microsoft Passport can use the biometric information from Windows Hello or a unique PIN with cryptographic signing keys stored in the device’s TPM. For organizations that don’t have an existing PKI, the TPM (or Windows, when no TPM is present) can generate and protect these keys. If your organization has an on-premises PKI or wants to deploy one, you can use certificates from the PKI to generate the keys, and then store them in the TPM. When the user has registered the device and uses Windows Hello or a PIN to log in to the device, the Microsoft Passport private key fulfills any subsequent authentication requests. Microsoft Passport combines the deployment flexibility of virtual smart cards with the robust security of physical smart cards without requiring the extra infrastructure components needed for traditional smart card deployments and hardware such as cards and readers.
In Windows 10, the physical factor of authentication is the user’s device, either his or her PC or mobile phone. By using the new phone sign-in capability, which will be available to Windows Insiders as a preview in early 2016, users can unlock their PC without ever touching it. Users simply enroll their phone with Microsoft Passport by pairing it with the PC via Wi-Fi or Bluetooth and install a simple-to-use application on their phone that allows them to select which PC to unlock. When selected, users can enter a PIN or their biometric login from their phone to unlock their PC.
### <a href="" id="hello"></a>Windows Hello
Passwords represent a losing identity and access control mechanism. When an organization relies on password-driven Windows authentication, attackers only have to determine a single string of text to access anything on a corporate network that those credentials protect. Unfortunately, attackers can use several methods to retrieve a user’s password, making credential theft relatively easy for determined attackers. By moving to an MFA mechanism to verify user identities, organizations can remove the threats that single-factor options like passwords represent.
Windows Hello is the enterprise-grade biometric integration feature in Windows 10. This feature allows users to use their face, iris, or fingerprint rather than a password to authenticate. Although biometric logon capabilities have been around since the Windows XP operating system, they have never been as easy, seamless, and secure as they are in Windows 10. In previous uses of biometrics in Windows, the operating system used the biometric information only to unlock the device; then, behind the scenes, the user’s traditional password was used to access resources on the organization’s network. Also, the IT organization had to run additional software to configure the biometric devices to log in to Windows or applications. Windows Hello is integrated directly into the operating system and so doesn’t require additional software to function. However, as with any other biometrics-based login, Windows Hello requires specific hardware to function:
- **Facial recognition.** To establish facial recognition, Windows Hello uses special infrared (IR) cameras and anti-spoofing technology to reliably tell the difference between a photograph and a living person. This requirement ensures that no one can take a person’s PC and spoof his or her identity simply by obtaining a high-definition picture. Many manufacturers already offer PC models that include such cameras and are therefore compatible with Windows Hello. For those machines that don’t currently include these special cameras, several external cameras are available.
- **Fingerprint recognition.** Fingerprint sensors already exist in a large percentage of consumer and business PCs. Most of them (whether external or integrated into laptops or USB keyboards) work with Windows Hello. The detection and anti-spoofing technology available in Windows 10 is much more advanced than in previous versions of Windows, making it more difficult for attackers to deceive the operating system.
- **Iris recognition.** Like facial recognition, iris-based recognition uses special IR cameras and anti-spoofing technology to reliably tell the difference between the user’s iris and an impostor. Iris recognition will be available in mobile devices by the end of 2016 but is also available for independent hardware vendors and OEMs to incorporate into PCs.
With Windows Hello in conjunction with Microsoft Passport, users have the same SSO experience they would if they logged on with domain credentials: they simply use biometrics, instead. In addition, because no passwords are involved, users won’t be calling the help desk saying that they have forgotten their password. For an attacker to spoof a user’s identity, he or she would have to have physical possession of both the user and the device on which the user is set up for Windows Hello. From a privacy perspective, organizations can rest assured that the biometric data Windows Hello uses is not centrally stored; can’t be converted to images of the user’s fingerprint, face, or iris; and is designed never to leave the device. In the end, Windows Hello and Microsoft Passport can completely remove the necessity for passwords for Azure AD and hybrid Azure AD/Active Directory environments and the apps and web services that depend on them for identity services. For more information about Microsoft Passport, see the [Microsoft Passport](#passport) section.
### Credential Guard
Pass the hash is the most commonly used derived credential attack today. This attack begins with an attacker extracting a user account’s derived credentials (hash value) from memory. Then, by using a product such as Mimikatz, the attacker reuses (passes) those credentials to other machines and resources on the network to gain additional access. Microsoft designed Credential Guard specifically to eliminate derived credential theft and abuse in pass-the-hash–type attacks.
Credential Guard is another new feature in Windows 10 Enterprise that employs VBS to protect domain credentials against theft, even when the host operating system is compromised. To achieve such protection, Credential Guard isolates a portion of the LSA service, which is responsible for managing authentication, inside a virtualized container. This container is similar to a VM running on a hypervisor but is extremely lightweight and contains only those files and components required to operate the LSA and other isolated services. By isolating a portion of the LSA service within this virtualized environment, credentials are protected even if the system kernel is compromised, removing the attack vector for pass the hash.
For more information about the hardware requirements for Credential Guard, see the [Windows 10 hardware considerations](#hardware) section. For more information about VBS in Windows 10, see the [Virtualization-based security](#virtualization-based-security) section.
> [!NOTE]
> Starting in Windows 10, version 1607, you can configure Credential Guard on a VM.
The Credential Guard feature is targeted at resisting the use of pass-the-hash and pass-the-ticket techniques. By employing an MFA option such as Microsoft Passport with Credential Guard, you can gain additional protection against such threats. For more in-depth information about how Credential Guard works and the specific mitigations it provides, see [Protect derived domain credentials with Credential Guard](../keep-secure/credential-guard.md).
|
|
||||||
|
|
||||||
## <a href="" id="hardware"></a>Windows 10 hardware considerations
|
|
||||||
|
|
||||||
Most of the features this article describes rely on specific hardware to maximize their capabilities. By purchasing hardware that includes these features during your next purchase cycle, you will be able to take advantage of the most comprehensive client security package Windows 10 has to offer. Careful consideration about which hardware vendor and specific models to purchase is vital to the success of your organization’s client security portfolio. Table 1 contains a list of each new Windows 10 security feature and its hardware requirements.
|
|
||||||
|
|
||||||
Table 1. Windows 10 hardware requirements
|
|
||||||
|
|
||||||
| Windows 10 feature | TPM | Input/output memory management unit | Virtualization extensions | SLAT | UEFI 2.3.1 | x64 architecture only |
|
|
||||||
|-------------------------------------------------|-----|-------------------------------------|---------------------------|------|------------|-----------------------|
|
|
||||||
| Credential Guard | R | N | Y | Y | Y | Y |
|
|
||||||
| Device Guard | N | Y | Y | Y | Y | Y |
|
|
||||||
| BitLocker | R | N | N | N | N | N |
|
|
||||||
| Configurable code integrity | N | N | N | N | R | R |
|
|
||||||
| Microsoft Passport | R | N | N | N | N | N |
|
|
||||||
| Windows Hello | R | N | N | N | N | N |
|
|
||||||
| VBS | N | Y | Y | Y | N | Y |
|
|
||||||
| UEFI Secure Boot | R | N | N | N | Y | N |
|
|
||||||
| Device health attestation through Measured Boot | Y | N | N | N | Y | Y |
|
|
||||||
|
|
||||||
|
|
||||||
**Note**<br>
|
|
||||||
In this table, **R** stands for *recommended*, **Y** means that the hardware component is *required* for that Windows 10 feature, and **N** means that the hardware component is *not used* with that Windows 10 feature.
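As an added example (not part of the Microsoft documentation or of this commit), the following PowerShell check reports whether VBS and Credential Guard are actually running on a machine and which of the hardware prerequisites from Table 1 it provides. It assumes an elevated prompt on Windows 10 Enterprise and relies on the `Win32_DeviceGuard` WMI class together with the `Get-Tpm` and `Confirm-SecureBootUEFI` cmdlets.

```powershell
# Added example, not part of the original Microsoft documentation. Reports the
# VBS / Credential Guard state and the hardware prerequisites (TPM, UEFI Secure
# Boot, IOMMU/DMA protection, ...) that Table 1 lists. Run from an elevated
# PowerShell prompt on Windows 10 Enterprise.

$dg = Get-CimInstance -ClassName Win32_DeviceGuard `
        -Namespace 'root\Microsoft\Windows\DeviceGuard'
if (-not $dg) { throw 'Win32_DeviceGuard is not available on this edition of Windows.' }

# Value meanings as documented for the Win32_DeviceGuard class.
$vbsState = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
$service  = @{ 1 = 'Credential Guard'; 2 = 'Hypervisor-enforced code integrity' }
$property = @{ 1 = 'Base VBS support';        2 = 'UEFI Secure Boot'
               3 = 'DMA protection (IOMMU)';  4 = 'Secure memory overwrite'
               5 = 'NX protections';          6 = 'SMM mitigations'
               7 = 'Mode-based execution control' }

# Map the numeric arrays to names, dropping the 0 ("none") placeholder entry.
function Convert-Codes([uint32[]]$codes, [hashtable]$names) {
    ($codes | Where-Object { $_ -ne 0 } | ForEach-Object { $names[[int]$_] }) -join ', '
}

# Get-Tpm comes from the TrustedPlatformModule module shipped with Windows 10;
# it fails on machines without a TPM, which we report as "not present".
$tpm = try { Get-Tpm } catch { $null }

# Confirm-SecureBootUEFI throws on legacy BIOS systems; treat that as "off".
$secureBoot = try { Confirm-SecureBootUEFI } catch { $false }

$report = [pscustomobject]@{
    VbsStatus              = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
    ServicesConfigured     = Convert-Codes $dg.SecurityServicesConfigured $service
    ServicesRunning        = Convert-Codes $dg.SecurityServicesRunning $service
    AvailableHardwareProps = Convert-Codes $dg.AvailableSecurityProperties $property
    # Credential Guard is service code 1 in SecurityServicesRunning.
    CredentialGuardRunning = [bool](1 -in $dg.SecurityServicesRunning)
    TpmPresentAndReady     = [bool]($null -ne $tpm -and $tpm.TpmPresent -and $tpm.TpmReady)
    UefiSecureBootOn       = [bool]$secureBoot
}
$report | Format-List
```

A machine where `VbsStatus` is `Running` but `CredentialGuardRunning` is `False` has VBS enabled without the LSA isolation the section above describes, which is the case to look for when validating a Credential Guard rollout.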
## Related topics
- [Windows 10 Specifications](https://go.microsoft.com/fwlink/p/?LinkId=717550)
- [Making Windows 10 More Personal and More Secure with Windows Hello](https://go.microsoft.com/fwlink/p/?LinkId=717551)
- [Protect BitLocker from pre-boot attacks](../keep-secure/protect-bitlocker-from-pre-boot-attacks.md)
- [BitLocker Countermeasures](../keep-secure/bitlocker-countermeasures.md)
- [Device Guard deployment guide](../keep-secure/device-guard-deployment-guide.md)
- [Protect derived domain credentials with Credential Guard](../keep-secure/credential-guard.md)