Merged PR 3124: 9/11 AM Publish

devices/surface-hub/manage-surface-hub.md

@@ -40,3 +40,6 @@ Learn about managing and updating Surface Hub.
 | [Miracast on existing wireless network or LAN](miracast-over-infrastructure.md) | You can use Miracast on your wireless network or LAN to connect to Surface Hub. |
 | [Using a room control system]( https://technet.microsoft.com/itpro/surface-hub/use-room-control-system-with-surface-hub) | Room control systems can be used with your Microsoft Surface Hub.|
 
+## Related topics
+
+- [View Power BI presentation mode on Surface Hub & Windows 10](https://powerbi.microsoft.com/documentation/powerbi-mobile-win10-app-presentation-mode/)

windows/access-protection/hello-for-business/hello-cert-trust-validate-pki.md

@@ -36,12 +36,12 @@ Sign-in using _Enterprise Admin_ equivalent credentials on Windows Server 2012 o
 1. Open an elevated Windows PowerShell prompt.
 2. Use the following command to install the Active Directory Certificate Services role.   
     ```PowerShell
-    Add-WindowsFeature Adcs-Cert-Authority -IncludeManageTools
+    Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
     ```
 
 3. Use the following command to configure the Certificate Authority using a basic certificate authority configuration.   
     ```PowerShell
-    Install-AdcsCertificateAuthority
+    Install-AdcsCertificationAuthority
     ```   
     
 ## Configure a Production Public Key Infrastructure

windows/application-management/TOC.md

@@ -100,5 +100,6 @@
 #### [Viewing App-V Server Publishing Metadata](app-v/appv-viewing-appv-server-publishing-metadata.md)
 #### [Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md)
 ## [Service Host process refactoring](svchost-service-refactoring.md)
+## [Per User services in Windows](per-user-services-in-windows.md)
 ## [Deploy app upgrades on Windows 10 Mobile](deploy-app-upgrades-windows-10-mobile.md)
 ## [Change history for Application management](change-history-for-application-management.md)

windows/application-management/per-user-services-in-windows.md

@@ -0,0 +1,169 @@
+---
+title: Per-user services in Windows 10 and Windows Server 2016
+description: Learn about per-user services introduced in Windows 10.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: mobile
+ms.author: elizapo
+author: lizap
+ms.date: 08/14/2017
+---
+
+# Per-user services in Windows 10 and Windows Server 2016
+
+Per-user services are services that are created when a user signs into Windows or Windows Server and are stopped and deleted when that user signs out. These services run in the security context of the user account - this provides better resource management than the previous approach of running these kinds of services in Explorer, associated with a preconfigured account, or as tasks. 
+
+> [!NOTE]
+> Per-user services are only in available in Windows Server if you have installed the Desktop Experience. If you are running a Server Core or Nano Server installation, you won't see these services.
+
+You can't prevent per-user services from being created, but you can configure the template service to create them in a stopped and disabled state. You do this by setting the template service's **Startup Type** to **Disabled**.
+
+> [!IMPORTANT]
+> If you change the template service's Startup Type, make sure you carefully test that change prior to rolling it out in your production environment. 
+
+Use the following information to understand per-user services, change the template service Startup Type, and manage per-user services through Group Policy and security templates.
+
+## Per-user services
+
+Windows 10 and Windows Server 2016 (with the Desktop Experience) have the following per-user services. The template services are located in the registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.
+
+Before you disable any of these services, review the **Description** column in this table to understand the implications, including dependent apps that will no longer work correctly.
+
+| Key name               | Display name                            | Default start type | Dependencies | Description                                                                                                                                                                           |
+|------------------------|-----------------------------------------|--------------------|--------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| CDPUserSvc             | CDPUserSvc                              | Auto               |              | Used for Connected Devices Platform scenarios                                                                                                                                         |
+| OneSyncSvc             | Sync Host                               | Auto (delayed)     |              | Synchronizes mail, contacts, calendar, and other user data. Mail and other applications dependent on this service don't work correctly when this service is not running.              |
+| PimIndexMaintenanceSvc | Contact Data                            | Manual             | UnistoreSvc  | Indexes contact data for fast contact searching. If you stop or disable this service, search results might not display all contacts.                                                  |
+| UnistoreSvc            | User Data Storage                       | Manual             |              | Handles storage of structured user data, including contact info, calendars, and messages. If you stop or disable this service, apps that use this data might not work correctly.      |
+| UserDataSvc            | User Data Access                        | Manual             | UnistoreSvc  | Provides apps access to structured user data, including contact info, calendars, and messages. If you stop or disable this service, apps that use this data might not work correctly. |
+| WpnUserService         | Windows Push Notifications User Service | Manual             |              | Hosts Windows notification platform, which provides support for local and push notifications. Supported notifications are tile, toast, and raw.                                        |
+
+## Disable per-user services
+
+The template service isn't displayed in the Services console (services.msc) so you need to edit the registry directly, either with Group Policy or a scripted solution, to disable a per-user service.
+
+> [!NOTE]
+> Disabling a per-user service simply means that it is created in a stopped and disabled state. When the user signs out, the per-user service is removed.
+
+You can't manage all of the per-user service templates services using normal Group Policy management methods. Because the per-user services aren't displayed in the Services management console, they're also not displayed in the Group Policy Services policy editor UI. 
+
+Additionally, there are four template services that can't be managed with a security template:
+- PimIndexMaintenanceSvc
+- UnistoreSvc
+- UserDataSvc
+- WpnUserService
+
+In light of these restrictions, you can use the following methods to manage per-user services template services:
+
+- A combination of a security template and a script or Group Policy preferences registry policy
+- Group Policy preferences for all of the services
+- A script for all of the services
+
+### Manage template services using a security template
+
+You can manage the CDPUserSvc and OneSyncSvc per-user services with a [security template](/windows/device-security/security-policy-settings/administer-security-policy-settings#bkmk-sectmpl). See [Administer security policy settings](/windows/device-security/security-policy-settings/administer-security-policy-settings) for more information.
+
+device-security/security-policy-settings/administer-security-policy-settings
+
+For example: 
+
+```
+[Unicode]
+Unicode=yes
+[Version]
+signature="$CHICAGO$"
+Revision=1
+[Service General Setting]
+"CDPUserSVC".4,""
+```
+
+### Manage template services using Group Policy preferences
+
+If a per-user service can't be disabled using a the security template, you can disable it by using Group Policy preferences.
+
+1. On a Windows Server domain controller or Windows 10 PC that has the [Remote Server Administration Tools (RSAT)](https://www.microsoft.com/en-us/download/details.aspx?id=45520) installed, click **Start**, type GPMC.MSC, and then press **Enter** to open the **Group Policy Management Console**.
+
+2. Create a new Group Policy Object (GPO) or use an existing GPO.  
+
+3. Right-click the GPO and click **Edit** to launch the Group Policy Object Editor.
+
+4. Depending on how you want to target the Group Policy, under **Computer configuration** or **User configuration** browse to Preferences\Windows Settings\Registry.
+
+5. Right-click **Registry** > **New** > **Registry Item**.
+
+   ![Group Policy preferences disabling per-user services](media/gpp-per-user-services.png) 
+   
+6. Make sure that  HKEY_Local_Machine is selected for Hive and then click ... (the ellipses) next to Key Path.
+
+   ![Choose HKLM](media/gpp-hklm.png)  
+    
+7. Browse to **System\CurrentControlSet\Services\PimIndexMaintenanceSvc**. In the list of values, highlight **Start** and click **Select**.
+
+   ![Select Start](media/gpp-svc-start.png)   
+   
+8. Change **Value data** from **00000003** to **00000004** and click **OK**. Note setting the Value data to **4** = **Disabled**. 
+
+   ![Startup Type is Disabled](media/gpp-svc-disabled.png)   
+   
+9. To add the other services that cannot be managed with a Group Policy templates, edit the policy and repeat steps 5-8.  
+
+### Managing Template Services with reg.exe
+
+If you cannot use GPP to manage the per-user services you can edit the registry with reg.exe. 
+To disable the Template Services change the Startup Type for each service to 4 (disabled). 
+For example:
+
+```code
+REG.EXE ADD HKLM\System\CurrentControlSet\Services\CDPUserSvc /v Start /t REG_DWORD /d 4 /f
+REG.EXE ADD HKLM\System\CurrentControlSet\Services\OneSyncSvc /v Start /t REG_DWORD /d 4 /f
+REG.EXE ADD HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc /v Start /t REG_DWORD /d 4 /f
+REG.EXE ADD HKLM\System\CurrentControlSet\Services\UnistoreSvc /v Start /t REG_DWORD /d 4 /f
+REG.EXE ADD HKLM\System\CurrentControlSet\Services\UserDataSvc /v Start /t REG_DWORD /d 4 /f
+REG.EXE ADD HKLM\System\CurrentControlSet\Services\WpnUserService /v Start /t REG_DWORD /d 4 /f
+``` 
+
+> [!CAUTION]
+> We recommend that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the Registry Editor or by the Windows operating system before they are applied. As a result, incorrect values can be stored, and this can result in unrecoverable errors in the system. When possible, instead of editing the registry directly, use Group Policy or other Windows tools such as the Microsoft Management Console (MMC) to accomplish tasks. If you must edit the registry, use extreme caution. 
+
+### Managing Template Services with regedit.exe 
+
+If you cannot use Group Policy preferences to manage the per-user services, you can edit the registry with regedit.exe. To disable the Template Services change the Startup Type for each service to 4 (disabled), as shown in the following example:
+
+![Using Regedit to change servive Starup Type](media/regedit-change-service-startup-type.png) 
+
+> [!CAUTION]
+> We recommend that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the Registry Editor or by the Windows operating system before they are applied. As a result, incorrect values can be stored, and this can result in unrecoverable errors in the system. When possible, instead of editing the registry directly, use Group Policy or other Windows tools such as the Microsoft Management Console (MMC) to accomplish tasks. If you must edit the registry, use extreme caution. 
+
+### Manage template services by modifying the Windows image
+
+If you're using custom images to deploy Windows, you can modify the Startup Type for the template services as part of the normal imaging process.
+
+### Use a script to manage per-user services
+
+You can create a script to change the Startup Type for the per-user services. Then use Group Policy or another management solution to deploy the script in your environment.
+
+Sample script using [sc.exe](https://technet.microsoft.com/library/cc990290%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396):
+
+```
+sc.exe configure <service name> start= disabled
+```
+Note that the space after "=" is intentional.
+
+Sample script using the [Set-Service PowerShell cmdlet](https://technet.microsoft.com/library/ee176963.aspx):
+
+```powershell
+Set-Service <service name> -StartupType Disabled
+```
+
+## View per-user services in the Services console (services.msc)
+
+As mentioned you can't view the template services in the Services console, but you can see the user-specific per-user services - they are displayed using the <service name>_LUID format (where LUID is the locally unique identifier).
+
+For example, you might see the following per-user services listed in the Services console:
+
+- CPDUserSVC_443f50
+- ContactData_443f50
+- Sync Host_443f50
+- User Data Access_443f50
+- User Data Storage_443f50

windows/device-security/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md

@@ -18,9 +18,10 @@ Describes the best practices, location, values, policy management and security c
 ## Reference
 
 This policy setting determines the behavior of Admin Approval Mode for the built-in administrator account.
-When the Admin Approval Mode is enabled, the local administrator account functions like a standard user account, but it has the ability to elevate privileges without logging on by using a different account. In this mode, any operation that requires elevation of privilege displays a prompt that allows the administrator to permit or deny the elevation of privilege. If Admin Approval Mode is not enabled, the built-in Administrator account logs on in Windows XP Mode, and it runs all applications by default with full administrative privileges. By default, this setting is set to **Disabled**.
+When the Admin Approval Mode is enabled, the local administrator account functions like a standard user account, but it has the ability to elevate privileges without logging on by using a different account. In this mode, any operation that requires elevation of privilege displays a prompt that allows the administrator to permit or deny the elevation of privilege. If Admin Approval Mode is not enabled, the built-in Administrator account runs all applications by default with full administrative privileges. By default, Admin Approval Mode is set to **Disabled**.
 
->**Note:**  If a computer is upgraded from a previous version of the Windows operating system, and the administrator account is the only account on the computer, the built-in administrator account remains enabled, and this setting is also enabled.
+> [!NOTE]
+> If a computer is upgraded from a previous version of the Windows operating system, and the administrator account is the only account on the computer, the built-in administrator account remains enabled, and this setting is also enabled.
  
 ### Possible values
 
@@ -30,11 +31,16 @@ When the Admin Approval Mode is enabled, the local administrator account functio
 
 -   Disabled
 
-    The built-in administrator account logs on in Windows XP Mode, and it runs all applications by default with full administrative privileges.
+    If Admin Approval Mode is not enabled, the built-in Administrator account runs all applications by default with full administrative privileges
 
 ### Best practices
 
--   Do not enable the built-in administrator account on the client computer, but use the standard user account and User Account Control (UAC).
+-   It is recommended not to enable the built-in Administrator account on the client computer, but to use the standard user account and User Account Control (UAC) instead. If you want to enable the built-in Administrator account to carry out administrative tasks, for security reasons you should also enable Admin Approval Mode. See [UAC-Admin-Approval-Mode-for-the-Built-in-Administrator-account](https://docs.microsoft.com/en-us/windows/device-security/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account)
+
+    To enable Admin Approval Mode, you must also configure the local security policy setting: [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](https://docs.microsoft.com/en-us/windows/device-security/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode) to **Prompt for consent on the secure desktop** and then click OK.
+
+> [!NOTE]
+> After enabling Admin Approval Mode, to activate the setting, you must first log in and out. Alternatively, You may perform **gpupdate /force** from an elevated command prompt. 
 
 ### Location
 
@@ -53,27 +59,6 @@ The following table lists the actual and effective default values for this polic
 | Member Server Effective Default Settings | Disabled| 
 | Client Computer Effective Default Settings | Disabled| 
  
-
-## To enable Admin Approval Mode
-If you wish to use Admin Approval Mode with an active built-in administrator account, follow these steps:
-
-1. In the search box, type gpedit.exe.
-2. From the Local Group Policy editor, navigate to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options**.
-
-   ![User Account Control: Admin Approval Mode for the built-in administrator account](images/uac-admin-approval-mode-for-the-built-in-administrator-account.png)
-
-3. Double-click the policy **UAC-Admin-Approval-Mode-for-the-Built-in-Administrator-account**.
-4. On the **Local Security Setting** tab, make sure that the **Enabled** radio button is selected and then click OK.
-5. Configure the local security setting  **UAC-Behavior-of-the-elevation-prompt-for-administrators-in-Admin-Approval-Mode** by setting it to **Prompt for consent on the secure desktop** and then click OK.
-
-    ![User Account Control: behavior of the elevation prompt for administrators in Admin Approval Mode](images/uac-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.png)
-
-As an alternative way to carry out step 5, you can also type "UAC" in the search box, and then from the User Account Control Settings dialog box, set the slider control to **Notify me only when apps try to make changes to my computer (default)**.
-
-![User Account Control notify me only when apps try to make changes to my pc](images/uac-notify-me-only-when-apps-try-to-make-changes-to-my-pc.png)
-
-6. To activate the new setting, log out and then log in again.
-
 ## Policy management
 
 This section describes features and tools that are available to help you manage this policy.
@@ -88,10 +73,7 @@ This section describes how an attacker might exploit a feature or its configurat
 
 ### Vulnerability
 
- An attack vector for malicious programs is to discover the password of the administrator account because that user account was created for all installations of Windows. To address this risk, the built-in administrator account is disabled in computers running at least Windows Vista. In computers running at least Windows Server 2008, the administrator account is enabled, and the password must be changed the first time the Administrator logs on. In a default installation of a computer running at least Windows Vista, accounts with administrative control over the computer are initially set up in one of two ways:
-
--   If the computer is not joined to a domain, the first user account you create has the equivalent permissions as a local administrator.
--   If the computer is joined to a domain, no local administrator accounts are created. The enterprise or domain administrator must log on to the computer and create a local administrator account if one is warranted.
+One of the risks that the UAC feature tries to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. An attack vector for malicious programs is to discover the password of the Administrator account because that user account was created for all installations of Windows. To address this risk, the built-in Administrator account is disabled in computers running at least Windows Vista. In computers running at least Windows Server 2008, the Administrator account is enabled, and the password must be changed the first time the administrator logs on. In a default installation of a computer running at least Windows Vista, if the computer is not joined to a domain, the first user account you create has the equivalent permissions of a local administrator.
 
 ### Countermeasure
 

windows/device-security/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md

@@ -25,7 +25,8 @@ This policy setting determines the behavior of the elevation prompt for accounts
 -   **Elevate without prompting**
 
     Assumes that the administrator will permit an operation that requires elevation, and additional consent or credentials are not required.
-    >**Note:**  Selecting **Elevate without prompting** minimizes the protection that is provided by UAC. We do not recommend selecting this value unless administrator accounts are tightly controlled and the operating environment is highly secure.
+
+    **Note**  Selecting **Elevate without prompting** minimizes the protection that is provided by UAC. We do not recommend selecting this value unless administrator accounts are tightly controlled and the operating environment is highly secure.
      
 -   **Prompt for credentials on the secure desktop**
 
@@ -33,7 +34,7 @@ This policy setting determines the behavior of the elevation prompt for accounts
 
 -   **Prompt for consent on the secure desktop**
 
-    When an operation requires elevation of privilege, the user is prompted on the secure desktop to select **Permit** or **Deny**. If the user selects **Permit**, the operation continues with the user's highest available privilege.
+    When an operation requires elevation of privilege, the user is prompted on the secure desktop to select **Permit** or **Deny**. If the user selects **Permit**, the operation continues with the user's highest available privilege.*
 
 -   **Prompt for credential**s
 
@@ -47,10 +48,17 @@ This policy setting determines the behavior of the elevation prompt for accounts
 
     This is the default. When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select **Permit** or **Deny**. If the user selects **Permit**, the operation continues with the user's highest available privilege.
 
+\*If you have enabled the built-in Administrator account and have configured Admin Approval Mode, you must also configure the option **Prompt for consent on the secure desktop**. You can also configure this option from User Account Control, by typing **UAC** in the search box. From the User Account Control Settings dialog box, set the slider control to **Notify me only when apps try to make changes to my computer (default)**.
+
+> [!NOTE]
+> After enabling Admin Approval Mode, to activate the setting, you must first log in and out. Alternatively, You may perform **gpupdate /force** from an elevated command prompt. 
+
 ### Best practices
 
 -   Selecting the option **Elevate without prompting** minimizes the protection that is provided by UAC. We do not recommend selecting this value unless administrator accounts are tightly controlled and the operating environment is highly secure.
 
+-   It is recommended not to enable the built-in Administrator account on the client computer, but to use the standard user account and User Account Control (UAC) instead. If you want to enable the built-in Administrator account to carry out administrative tasks, for security reasons you should also enable Admin Approval Mode. For further information, see [UAC-Admin-Approval-Mode-for-the-Built-in-Administrator-account](https://docs.microsoft.com/en-us/windows/device-security/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account)
+
 ### Location
 
 Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options

windows/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md

@@ -8,7 +8,6 @@ ms.pagetype: security
 author: eross-msft
 ms.author: lizross
 ms.date: 08/11/2017
-localizationpriority: high
 ---
 
 # Configure Windows Defender Application Guard policy settings

windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md

@@ -8,7 +8,6 @@ ms.pagetype: security
 author: eross-msft
 ms.author: lizross
 ms.date: 08/11/2017
-localizationpriority: high
 ---
 
 # Frequently asked questions - Windows Defender Application Guard 

windows/threat-protection/windows-defender-application-guard/install-wd-app-guard.md

@@ -8,7 +8,6 @@ ms.pagetype: security
 author: eross-msft
 ms.author: lizross
 ms.date: 08/11/2017
-localizationpriority: high
 ---
 
 # Prepare and install Windows Defender Application Guard

windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md

@@ -8,7 +8,6 @@ ms.pagetype: security
 author: eross-msft
 ms.author: lizross
 ms.date: 08/11/2017
-localizationpriority: high
 ---
 
 # System requirements for Windows Defender Application Guard

windows/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md

@@ -8,7 +8,6 @@ ms.pagetype: security
 author: eross-msft
 ms.author: lizross
 ms.date: 08/11/2017
-localizationpriority: high
 ---
 
 # Testing scenarios using Windows Defender Application Guard in your business or organization

windows/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md

@@ -8,7 +8,6 @@ ms.pagetype: security
 author: eross-msft
 ms.author: lizross
 ms.date: 08/11/2017
-localizationpriority: high
 ---
 
 # Windows Defender Application Guard overview

windows/threat-protection/windows-information-protection/app-behavior-with-wip.md

@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.pagetype: security
 ms.sitesec: library
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ---
 
 # Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)

windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs.md

@@ -6,7 +6,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ---
 
 # How to collect Windows Information Protection (WIP) audit event logs

windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md

@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ---
 
 # Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate

windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md

@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ---
 
 # Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune

windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md

@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ---
 
 # Associate and deploy a VPN policy for Windows Information Protection (WIP) using the classic console for Microsoft Intune

windows/threat-protection/windows-information-protection/create-wip-policy-using-intune-azure.md

@@ -6,7 +6,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ---
 
 # Create a Windows Information Protection (WIP) with enrollment policy using the Azure portal for Microsoft Intune

windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md

@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ---
 
 # Create a Windows Information Protection (WIP) policy using the classic console for Microsoft Intune

windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md

@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ---
 
 # Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager

windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md

@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ---
 
 # Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune

windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune.md

@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ---
 
 # Deploy your Windows Information Protection (WIP) policy using the classic console for Microsoft Intune

windows/threat-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md

@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ---
 
 # List of enlightened Microsoft apps for use with Windows Information Protection (WIP)

windows/threat-protection/windows-information-protection/guidance-and-best-practices-wip.md

@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ---
 
 # General guidance and best practices for Windows Information Protection (WIP)

windows/threat-protection/windows-information-protection/limitations-with-wip.md

@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ---
 
 # Limitations while using Windows Information Protection (WIP)

windows/threat-protection/windows-information-protection/mandatory-settings-for-wip.md

@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ---
 
 # Mandatory tasks and settings required to turn on Windows Information Protection (WIP)

windows/threat-protection/windows-information-protection/overview-create-wip-policy.md

@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ---
 
 # Create a Windows Information Protection (WIP) policy

windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md

@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ---
 
 # Protect your enterprise data using Windows Information Protection (WIP)

windows/threat-protection/windows-information-protection/recommended-network-definitions-for-wip.md

@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ---
 
 # Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)

windows/threat-protection/windows-information-protection/testing-scenarios-for-wip.md

@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ---
 
 # Testing scenarios for Windows Information Protection (WIP)

windows/threat-protection/windows-information-protection/using-owa-with-wip.md

@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ---
 
 # Using Outlook on the web with Windows Information Protection (WIP)

windows/threat-protection/windows-information-protection/wip-app-enterprise-context.md

@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ---
 
 # Determine the Enterprise Context of an app running in Windows Information Protection (WIP)