Merge remote-tracking branch 'refs/remotes/origin/rs3' into jd3mak

browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md

@@ -23,7 +23,7 @@ ms.sitesec: library
 
 You can have centralized control over Enterprise Mode by creating a single, global XML site list that includes the list of websites to render using Enterprise Mode. You can add and remove sites from your XML list as frequently as you want, changing which sites should render in Enterprise Mode for your employees. For information about turning on Enterprise Mode and using site lists, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md).
 
-The information in this topic only covers HTTP protocol. We strongly recommend that you use HTTP protocol instead of file protocol due to increased performance.
+The information in this topic only covers HTTPS protocol. We strongly recommend that you use HTTPS protocol instead of file protocol due to increased performance.
 
 **How Internet Explorer 11 looks for an updated site list**
 

browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md

@@ -23,8 +23,8 @@ ms.sitesec: library
 
 Before you can use a site list with Enterprise Mode, you need to turn the functionality on and set up the system for centralized control. By allowing centralized control, you can create one global list of websites that render using Enterprise Mode. Approximately 65 seconds after Internet Explorer 11 starts, it looks for a properly formatted site list. If a new site list if found, with a different version number than the active list, IE11 loads and uses the newer version. After the initial check, IE11 won’t look for an updated list again until you restart the browser.
 
-**Note**<br>
-We recommend that you store and download your website list from a secure web sever (https://), to help protect against data tampering. After the list is downloaded, it's stored locally on your employee’s computers so if the centralized file location is unavailable, they can still use Enterprise Mode.
+>[!NOTE]
+>We recommend that you store and download your website list from a secure web server (https://), to help protect against data tampering. After the list is downloaded, it's stored locally on your employees' computers so if the centralized file location is unavailable, they can still use Enterprise Mode.
 
  **To turn on Enterprise Mode using Group Policy**
 
@@ -45,7 +45,7 @@ Turning this setting on also requires you to create and store a site list. For m
 
     ![enterprise mode with site list in the registry](images/ie-emie-registrysitelist.png)
 
-    -   **HTTP location**: `"SiteList"="http://localhost:8080/sites.xml"`
+    -   **HTTPS location**: `"SiteList"="https://localhost:8080/sites.xml"`
 
     -   **Local network:** `"SiteList"="\\network\shares\sites.xml"`
 

devices/surface-hub/manage-windows-updates-for-surface-hub.md

@@ -37,15 +37,15 @@ You can also configure Surface Hub to receive updates from both Windows Update f
 
 ## Surface Hub servicing model
 
-Surface Hub uses the Windows 10 servicing model, referred to as Windows as a Service (WaaS). Traditionally, new features are added only in new versions of Windows that are released every few years. Each new version required lengthy and expensive processes to deploy in an organization. As a result, end users and organizations don't frequently enjoy the benefits of new innovation. The goal of Windows as a Service is to continually provide new capabilities while maintaining a high level of quality.
+Surface Hub uses the Windows 10 servicing model, referred to as [Windows as a Service (WaaS)](https://docs.microsoft.com/windows/deployment/update/waas-overview). Traditionally, new features were added only in new versions of Windows that were released every few years. Each new version required lengthy and expensive processes to deploy in an organization. As a result, end users and organizations don't frequently enjoy the benefits of new innovation. The goal of Windows as a Service is to continually provide new capabilities while maintaining a high level of quality.
 
 Microsoft publishes two types of Surface Hub releases broadly on an ongoing basis:
-- **Feature updates** - Updates that install the latest new features, experiences, and capabilities. Microsoft expects to publish an average of two to three new feature upgrades per year.
+- **Feature updates** - Updates that install the latest new features, experiences, and capabilities. Microsoft expects to publish two tnew feature updates per year.
 - **Quality updates** - Updates that focus on the installation of security fixes, drivers, and other servicing updates. Microsoft expects to publish one cumulative quality update per month.
 
 In order to improve release quality and simplify deployments, all new releases that Microsoft publishes for Windows 10, including Surface Hub, will be cumulative. This means new feature updates and quality updates will contain the payloads of all previous releases (in an optimized form to reduce storage and networking requirements), and installing the release on a device will bring it completely up to date. Also, unlike earlier versions of Windows, you cannot install a subset of the contents of a Windows 10 quality update. For example, if a quality update contains fixes for three security vulnerabilities and one reliability issue, deploying the update will result in the installation of all four fixes.
 
-The Surface Hub operating system is available on **Current Branch (CB)** and **Current Branch for Business (CBB)**. Like other editions of Windows 10, the servicing lifetime of CB or CBB is finite. You must install new feature updates on machines running these branches in order to continue receiving quality updates.
+The Surface Hub operating system receives updates on the [Semi-Annual Channel](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes). Like other editions of Windows 10, the servicing lifetime ois finite. You must install new feature updates on machines running these branches in order to continue receiving quality updates.
 
 For more information on Windows as a Service, see [Overview of Windows as a service](https://technet.microsoft.com/itpro/windows/manage/waas-overview).
 
@@ -55,11 +55,9 @@ Surface Hubs, like all Windows 10 devices, include **Windows Update for Business
 
 **To set up Windows Update for Business:**
 1. [Group Surface Hub into deployment rings](#group-surface-hub-into-deployment-rings)
-2. [Configure Surface Hub to use Current Branch or Current Branch for Business](#configure-surface-hub-to-use-current-branch-or-current-branch-for-business).
 2. [Configure when Surface Hub receives updates](#configure-when-surface-hub-receives-updates).
 
 > [!NOTE]
-
 > You can use Microsoft Intune, System Center Configuration Manager, or a supported third-party MDM provider to set up WUfB. [Walkthrough: use Microsoft Intune to configure Windows Update for Business.](https://technet.microsoft.com/itpro/windows/manage/waas-wufb-intune)
 
 
@@ -70,29 +68,22 @@ This table gives examples of deployment rings.
 
 | Deployment ring | Ring size | Servicing branch | Deferral for feature updates | Deferral for quality updates (security fixes, drivers, and other updates) | Validation step |
 | --------- | --------- | --------- | --------- | --------- | --------- |
-| Preview (e.g. non-critical or test devices) | Small | Current Branch (CB) | None. Devices receive feature updates immediately after CB is released. | None. Devices receive quality updates immediately after CB is released. | Manually test and evaluate new functionality. Pause updates if there are issues. |
-| Release (e.g. devices used by select teams) | Medium | Current Branch for Business (CBB) | None. Devices receive feature updates immediately once CBB is released. | None. Devices receive quality updates immediately after CBB is released. | Monitor device usage and user feedback. Pause updates if there are issues. |
-| Broad deployment (e.g. most of the devices in your organization) | Large | Current Branch for Business (CBB) |  120 days after CBB is released. | 7-14 days after CBB is released. | Monitor device usage and user feedback. Pause updates if there are issues. |
-| Mission critical (e.g. devices in executive boardrooms) | Small | Current Branch for Business (CBB) |  180 days after CBB is released (maximum deferral for feature updates). | 30 days after CBB is released (maximum deferral for quality updates). | Monitor device usage and user feedback. |
+| Preview (e.g. non-critical or test devices) | Small | Semi-annual channel (Targeted) | None.  | None.  | Manually test and evaluate new functionality. Pause updates if there are issues. |
+| Release (e.g. devices used by select teams) | Medium | Semi-annual channel  | None. | None.  | Monitor device usage and user feedback. Pause updates if there are issues. |
+| Broad deployment (e.g. most of the devices in your organization) | Large | Semi-annual channel |  120 days after release. | 7-14 days after release. | Monitor device usage and user feedback. Pause updates if there are issues. |
+| Mission critical (e.g. devices in executive boardrooms) | Small | Semi-annual channel |  180 days after release (maximum deferral for feature updates). | 30 days after release (maximum deferral for quality updates). | Monitor device usage and user feedback. |
 
 
-### Configure Surface Hub to use Current Branch or Current Branch for Business
-By default, Surface Hubs are configured to receive updates from Current Branch (CB). CB receives feature updates as soon as they are released by Microsoft. Current Branch for Business (CBB), on the other hand, receives feature updates at least four months after they have been initially offered to CB devices, and includes all of the quality updates that have been released in the interim. For more information on the differences between CB and CBB, see [Servicing branches](https://technet.microsoft.com/itpro/windows/manage/waas-overview#servicing-branches).
 
-**To manually configure Surface Hub to use CB or CBB:**
-1. Open **Settings** > **Update & Security** > **Windows Update**, and then select **Advanced Options**. 
-2. Select **Defer feature updates**.
-
-To configure Surface Hub to use CB or CBB remotely using MDM, set an appropriate [Update/BranchReadinessLevel](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_BranchReadinessLevel) policy.
 
 
 ### Configure when Surface Hub receives updates
 Once you've determined deployment rings for your Surface Hubs, configure update deferral policies for each ring:
-- To defer feature updates, set an appropriate [Update/DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferFeatureUpdatesPeriodInDays) policy for each ring.
-- To defer quality updates, set an appropriate [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays) policy for each ring.
+- To defer feature updates, set an appropriate [Update/DeferFeatureUpdatesPeriodInDays](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-deferfeatureupdatesperiodindays) policy for each ring.
+- To defer quality updates, set an appropriate [Update/DeferQualityUpdatesPeriodInDays](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-deferqualityupdatesperiodindays) policy for each ring.
 
 > [!NOTE]
-> If you encounter issues during the update rollout, you can pause updates using [Update/PauseFeatureUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) and [Update/PauseQualityUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates).
+> If you encounter issues during the update rollout, you can pause updates using [Update/PauseFeatureUpdates](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-pausefeatureupdates) and [Update/PauseQualityUpdates](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-pausequalityupdates).
 
 
 ## Use Windows Server Update Services

windows/access-protection/access-control/microsoft-accounts.md

@@ -14,20 +14,12 @@ ms.pagetype: security
 
 This topic for the IT professional explains how a Microsoft account works to enhance security and privacy for users, and how you can manage this consumer account type in your organization.
 
-Microsoft sites, services, and properties such as Windows Live, MSN, Xbox LIVE, Zune, Windows Phone, and computers running Windows 10, Windows 8.1, Windows 8, and Windows RT use a Microsoft account as a mean of identifying users. Microsoft account is the name for what was previously called Windows Live ID. It has user-defined secrets associated with it, and it consists of a unique email address and a password.
+Microsoft sites, services, and properties, as well as computers running Windows 10, can use a Microsoft account as a mean of identifying a user. Microsoft account was previously called Windows Live ID. It has user-defined secrets, and consists of a unique email address and a password.
 
-There are some benefits and considerations when using Microsoft accounts in the enterprise. For more information, see [Microsoft account in the enterprise](#bkmk-msaccountintheenterprise) later in this topic.
-
-When a user signs in with a Microsoft account, their device is connected to cloud services, and many of the settings, preferences, and apps associated with that user account can roam between devices.
-
-**Note**  
-This content applies to the operating system versions that are designated in the **Applies To** list at the beginning of this topic.
-
- 
+When a user signs in with a Microsoft account, the device is connected to cloud services. Many of the user's settings, preferences, and apps can be shared across devices.
 
 ## <a href="" id="bkmk-benefits"></a>How a Microsoft account works
 
-
 The Microsoft account allows users to sign in to websites that support this service by using a single set of credentials. Users' credentials are validated by a Microsoft account authentication server that is associated with a website. The Windows Store is an example of this association. When new users sign in to websites that are enabled to use Microsoft accounts, they are redirected to the nearest authentication server, which asks for a user name and password. Windows uses the Schannel Security Support Provider to open a Transport Level Security/Secure Sockets Layer (TLS/SSL) connection for this function. Users then have the option to use Credential Manager to store their credentials.
 
 When users sign in to websites that are enabled to use a Microsoft account, a time-limited cookie is installed on their computers, which includes a triple DES encrypted ID tag. This encrypted ID tag has been agreed upon between the authentication server and the website. This ID tag is sent to the website, and the website plants another time-limited encrypted HTTP cookie on the user’s computer. When these cookies are valid, users are not required to supply a user name and password. If a user actively signs out of their Microsoft account, these cookies are removed.
@@ -35,19 +27,17 @@ When users sign in to websites that are enabled to use a Microsoft account, a ti
 **Important**  
 Local Windows account functionality has not been removed, and it is still an option to use in managed environments.
 
- 
-
 ### How Microsoft accounts are created
 
-To prevent fraud, the Microsoft system verifies the IP address when a user creates an account. If a user tries to create multiple Microsoft accounts with the same IP address, they are stopped.
+To prevent fraud, the Microsoft system verifies the IP address when a user creates an account. A user who tries to create multiple Microsoft accounts with the same IP address is stopped.
 
-Microsoft accounts are not designed to be created in batches, for example, for a group of domain users within your enterprise.
+Microsoft accounts are not designed to be created in batches, such as for a group of domain users within your enterprise.
 
 There are two methods for creating a Microsoft account:
 
 -   **Use an existing email address**.
 
-    Users are able to use their valid email addresses to sign up for Microsoft accounts. The service turns the requesting user's email address into a Microsoft account. Users can also choose their personal password.
+    Users are able to use their valid email addresses to sign up for Microsoft accounts. The service turns the requesting user's email address into a Microsoft account. Users can also choose their personal passwords.
 
 -   **Sign up for a Microsoft email address**.
 
@@ -118,13 +108,46 @@ Depending on your IT and business models, introducing Microsoft accounts into yo
 
 ### <a href="" id="bkmk-restrictuse"></a>Restrict the use of the Microsoft account
 
-If employees are allowed to join the domain with their personal devices, they might expect to connect to enterprise resources by using their Microsoft accounts. If you want to prevent any use of Microsoft accounts within your enterprise, you can configure the local security policy setting [Accounts: Block Microsoft accounts](/windows/device-security/security-policy-settings/accounts-block-microsoft-accounts). However, this setting can prevent the users from signing in to their Windows devices with their Microsoft accounts (if they had set them up to do so) when they are joined to the domain.
+The following Group Policy settings help control the use of Microsoft accounts in the enterprise:
 
-The default for this setting is **Disabled**, which enables users to use their Microsoft accounts on devices that are joined to your domain. Other options in the setting can:
+- [Block all consumer Microsoft account user authentication](#block-all-consumer-microsoft-account-user-authentication)
+- [Accounts: Block Microsoft accounts](#accounts-block-microsoft-accounts)
 
-1.  Prevent users from creating new Microsoft accounts on a computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise.
+#### Block all consumer Microsoft account user authentication
 
-2.  Prevent users with an existing Microsoft account from signing in to Windows. Selecting this option might make it impossible for an existing administrator to sign in to a computer and manage the system.
+This setting controls whether users can provide Microsoft accounts for authentication for applications or services.
+
+If this setting is enabled, all applications and services on the device are prevented from using Microsoft accounts for authentication. 
+This applies both to existing users of a device and new users who may be added. 
+
+However, any application or service that has already authenticated a user will not be affected by enabling this setting until the authentication cache expires. 
+It is recommended to enable this setting before any user signs in to a device to prevent cached tokens from being present.
+
+If this setting is disabled or not configured, applications and services can use Microsoft accounts for authentication. 
+By default, this setting is **Disabled**.
+
+This setting does not affect whether users can sign in to devices by using Microsoft accounts, or the ability for users to provide Microsoft accounts via the browser for authentication with web-based applications.
+
+The path to this setting is:
+
+Computer Configuration\Administrative Templates\Windows Components\Microsoft account
+
+#### Accounts: Block Microsoft accounts
+
+This setting prevents using the **Settings** app to add a Microsoft account for single sign-on (SSO) authentication for Microsoft services and some background services, or using a Microsoft account for single sign-on to other applications or services. 
+
+There are two options if this setting is enabled:
+
+- **Users can’t add Microsoft accounts** means that existing connected accounts can still sign in to the device (and appear on the Sign in screen). However, users cannot use the **Settings** app to add new connected accounts (or connect local accounts to Microsoft accounts).
+- **Users can’t add or log on with Microsoft accounts** means that users cannot add new connected accounts (or connect local accounts to Microsoft accounts) or use existing connected accounts through **Settings**.
+
+This setting does not affect adding a Microsoft account for application authentication. For example, if this setting is enabled, a user can still provide a Microsoft account for authentication with an application such as **Mail**, but the user cannot use the Microsoft account for single sign-on authentication for other applications or services (in other words, the user will be prompted to authenticate for other applications or services).
+
+By default, this setting is **Not defined**.
+
+The path to this setting is:
+
+Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
 
 ### <a href="" id="bkmk-cfgconnectedaccounts"></a>Configure connected accounts
 
@@ -135,8 +158,6 @@ Users can disconnect a Microsoft account from their domain account at any time a
 **Note**  
 Connecting Microsoft accounts with domain accounts can limit access to some high-privileged tasks in Windows. For example, Task Scheduler will evaluate the connected Microsoft account for access and fail. In these situations, the account owner should disconnect the account.
 
- 
-
 ### <a href="" id="bkmk-provisionaccounts"></a>Provision Microsoft accounts in the enterprise
 
 Microsoft accounts are private user accounts. There are no methods provided by Microsoft to provision Microsoft accounts for an enterprise. Enterprises should use domain accounts.

windows/access-protection/change-history-for-access-protection.md

@@ -11,6 +11,11 @@ author: brianlic-msft
 # Change history for access protection
 This topic lists new and updated topics in the [Access protection](index.md) documentation.
 
+## August 2017
+|New or changed topic |Description |
+|---------------------|------------|
+|[Microsoft accounts](access-control/microsoft-accounts.md) |Revised to cover new Group Policy setting in Windows 10, version 1703, named **Block all consumer Microsoft account user authentication**.|
+
 ## March 2017
 |New or changed topic |Description |
 |---------------------|------------|

windows/client-management/mdm/TOC.md

@@ -6,6 +6,7 @@
 ### [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md)
 ### [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md)
 ## [Understanding ADMX-backed policies](understanding-admx-backed-policies.md)
+## [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md)
 ## [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md)
 ## [Implement server-side support for mobile application management on Windows](implement-server-side-mobile-application-management.md)
 ## [Diagnose MDM failures in Windows 10](diagnose-mdm-failures-in-windows-10.md)

windows/client-management/mdm/devdetail-csp.md

@@ -178,6 +178,9 @@ The following diagram shows the DevDetail configuration service provider managem
 <a href="" id="devicehardwaredata"></a>**DeviceHardwareData**  
 <p style="margin-left: 20px">Added in Windows 10 version 1703. Returns a base64-encoded string of the hardware parameters of a device.
 
+> [!Note]  
+> This node contains a raw blob used to identify a device in the cloud. It's not meant to be human readable by design and you cannot parse the content to get any meaningful hardware information.
+
 <p style="margin-left: 20px">Supported operation is Get.
 
 ## Related topics

windows/client-management/mdm/devicemanageability-csp.md

@@ -7,12 +7,15 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 06/19/2017
+ms.date: 08/10/2017
 ---
 
 # DeviceManageability CSP
 
 
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
 The DeviceManageability configuration service provider (CSP) is used retrieve the general information about MDM configuration capabilities on the device. This CSP was added in Windows 10, version 1607.
 
 For performance reasons DeviceManageability CSP directly reads the CSP version from the registry. Specifically, the value csp\_version is used to determine each of the CSP versions. The csp\_version is a value under each of the CSP registration keys. To have consistency on the CSP version, the CSP GetProperty implementation for CFGMGR\_PROPERTY\_SEMANTICTYPE has to be updated to read from the registry as well, so that the both paths return the same information. 
@@ -39,6 +42,8 @@ Added in Windows 10, version 1709. Provider ID of the configuration source.
 <a href="" id="capabilities-cspversions"></a>**Provider/_ProviderID_/ConfigInfo**  
 Added in Windows 10, version 1709. Configuration information string value set by the configuration source. Recommended to be used during sync session.
 
+The MDM server can query ConfigInfo to determine the settings of the traditional PC management system. The MDM can also configure ConfigInfo with its own device management information.
+
 Data type is string. Supported operations are Add, Get, Delete, and Replace.
 
 <a href="" id="capabilities-cspversions"></a>**Provider/_ProviderID_/EnrollmentInfo**  

windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md

@@ -0,0 +1,300 @@
+---
+title: Enable ADMX-backed policies in MDM
+description: Guide to configuring ADMX-backed policies in MDM
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 08/11/2017
+---
+
+# Enable ADMX-backed policies in MDM
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This is a step-by-step guide to configuring ADMX-backed policies in MDM.
+
+Starting in Windows 10 version 1703, Mobile Device Management (MDM) policy configuration support expanded to allow access of select Group Policy administrative templates (ADMX-backed policies) for Windows PCs via the [Policy configuration service provider (CSP)](policy-configuration-service-provider.md). Configuring ADMX-backed policies in Policy CSP is different from the typical way you configure a traditional MDM policy. 
+
+Summary of steps to enable a policy:
+-	Find the policy from the list ADMX-backed policies. 
+-	Find the Group Policy related information from the MDM policy description.
+-	Use the Group Policy Editor to determine whether there are parameters necessary to enable the policy.
+-	Create the data payload for the SyncML.
+
+## Enable a policy
+
+1.  Find the policy from the list [ADMX-backed policies](policy-configuration-service-provider.md#admx-backed-policies). You need the following information listed in the policy description.  
+	- GP English name
+    - GP name
+    - GP ADMX file name
+    - GP path
+
+2.  Use the Group Policy Editor to determine whether you need additional information to enable the policy. Run GPEdit.msc
+
+    1. Click **Start**, then in the text box type **gpedit**. 
+
+    2. Under **Best match**, click **Edit group policy** to launch it.  
+       
+       ![GPEdit search](images/admx-gpedit-search.png)
+
+    3. In **Local Computer Policy** navigate to the policy you want to configure.  
+    
+       In this example, navigate to **Administrative Templates >  System > App-V**.
+
+       ![App-V policies](images/admx-appv.png)
+
+    4. Double-click **Enable App-V Client**.  
+
+       The **Options** section is empty, which means there are no parameters necessary to enable the policy. If the **Options** section is not empty, follow the procedure in [Enable a policy that requires parameters](#enable-a-policy-that-requires-parameters)
+
+       ![Enable App-V client](images/admx-appv-enableapp-vclient.png)
+
+3.  Create the SyncML  to enable the policy that does not require any parameter.  
+
+    In this example you configure **Enable App-V Client** to **Enabled**.
+
+> [!Note]  
+> The \<Data> payload must be XML encoded. To avoid encoding, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). If you are using Intune, select String as the data type.
+     
+``` syntax
+<SyncML xmlns="SYNCML:SYNCML1.2">
+  <SyncBody>
+    <Replace>
+      <CmdID>2</CmdID>
+      <Item>
+        <Meta>
+          <Format>chr</Format>
+          <Type>text/plain</Type>
+        </Meta>
+        <Target>
+          <LocURI>./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowAppVClient </LocURI>
+        </Target>
+        <Data>&lt;Enabled/&gt;</Data>
+      </Item>
+    </Replace>
+    <Final/>
+  </SyncBody>
+</SyncML>
+```
+
+
+## Enable a policy that requires parameters  
+
+
+1. Create the SyncML  to enable the policy that requires parameters.
+
+    In this example, the policy is in **Administrative Templates >  System > App-V > Publishing**.
+
+    1.  Double-click **Publishing Server 2 Settings** to see the parameters you need to configure when you enable this policy.
+
+        ![Enable publishing server 2 policy](images/admx-appv-publishingserver2.png)
+
+        ![Enable publishing server 2 settings](images/admx-app-v-enablepublishingserver2settings.png)
+
+    2.  Find the variable names of the parameters in the ADMX file.
+
+        You can find the ADMX file name in the policy description in Policy CSP. In this example, the filename appv.admx is listed in [AppVirtualization/PublishingAllowServer2](policy-configuration-service-provider.md#appvirtualization-publishingallowserver2).
+
+          ![Publishing server 2 policy description](images/admx-appv-policy-description.png)
+
+    3.  Navigate to **C:\Windows\PolicyDefinitions** (default location of the admx files) and open appv.admx.
+
+    4.	Search for GP name **Publishing_Server2_policy**.
+
+
+    5.	Under **policy name="Publishing_Server2_Policy"** you can see the \<elements> listed. The text id and enum id represents the data id you need to include in the SyncML data payload. They correspond to the fields you see in GP Editor.
+    
+        Here is the snippet from appv.admx:
+
+    ``` syntax
+    <!--  Publishing Server 2  -->
+    <policy name="Publishing_Server2_Policy" class="Machine" displayName="$(string.PublishingServer2)" 
+            explainText="$(string.Publishing_Server_Help)" presentation="$(presentation.Publishing_Server2)" 
+            key="SOFTWARE\Policies\Microsoft\AppV\Client\Publishing\Servers\2">
+      <parentCategory ref="CAT_Publishing" />
+      <supportedOn ref="windows:SUPPORTED_Windows7" />
+      <elements>
+        <text id="Publishing_Server2_Name_Prompt" valueName="Name" required="true"/>
+        <text id="Publishing_Server_URL_Prompt" valueName="URL" required="true"/>
+        <enum id="Global_Publishing_Refresh_Options" valueName="GlobalEnabled">
+          <item displayName="$(string.False)">
+            <value>
+              <decimal value="0"/>
+            </value>
+          </item>
+          <item displayName="$(string.True)">
+            <value>
+              <decimal value="1"/>
+            </value>
+          </item>
+        </enum>  
+        <enum id="Global_Refresh_OnLogon_Options" valueName="GlobalLogonRefresh">
+          <item displayName="$(string.False)">
+            <value>
+              <decimal value="0"/>
+            </value>
+          </item>
+          <item displayName="$(string.True)">
+            <value>
+              <decimal value="1"/>
+            </value>
+          </item>
+        </enum>      
+        <decimal id="Global_Refresh_Interval_Prompt" valueName="GlobalPeriodicRefreshInterval" minValue="0" maxValue="31"/>
+        <enum id="Global_Refresh_Unit_Options" valueName="GlobalPeriodicRefreshIntervalUnit">
+          <item displayName="$(string.Hour)">
+            <value>
+              <decimal value="0"/>
+            </value>
+          </item>
+          <item displayName="$(string.Day)">
+            <value>
+              <decimal value="1"/>
+            </value>
+          </item>
+        </enum>        
+        <enum id="User_Publishing_Refresh_Options" valueName="UserEnabled">
+          <item displayName="$(string.False)">
+            <value>
+              <decimal value="0"/>
+            </value>
+          </item>
+          <item displayName="$(string.True)">
+            <value>
+              <decimal value="1"/>
+            </value>
+          </item>
+        </enum>
+        <enum id="User_Refresh_OnLogon_Options" valueName="UserLogonRefresh">
+          <item displayName="$(string.False)">
+            <value>
+              <decimal value="0"/>
+            </value>
+          </item>
+          <item displayName="$(string.True)">
+            <value>
+              <decimal value="1"/>
+            </value>
+          </item>
+        </enum>      
+        <decimal id="User_Refresh_Interval_Prompt" valueName="UserPeriodicRefreshInterval" minValue="0" maxValue="31"/>
+        <enum id="User_Refresh_Unit_Options" valueName="UserPeriodicRefreshIntervalUnit">
+          <item displayName="$(string.Hour)">
+            <value>
+              <decimal value="0"/>
+            </value>
+          </item>
+          <item displayName="$(string.Day)">
+            <value>
+              <decimal value="1"/>
+            </value>
+          </item>
+        </enum>        
+      </elements>
+    </policy>
+    ```
+
+    6.  From the \<elements>  tag, copy all the text id and enum id and create an XML with data id and value fields. The value field contains the configuration settings you would enter in the GP Editor.
+
+        Here is the example XML for Publishing_Server2_Policy :
+        
+    ``` syntax
+    <data id="Publishing_Server2_Name_Prompt" value="Name"/>
+    <data id="Publishing_Server_URL_Prompt" value="http://someuri"/>
+    <data id="Global_Publishing_Refresh_Options" value="1"/>
+    <data id="Global_Refresh_OnLogon_Options" value="0"/>
+    <data id="Global_Refresh_Interval_Prompt" value="15"/>
+    <data id="Global_Refresh_Unit_Options" value="0"/>
+    <data id="User_Publishing_Refresh_Options" value="0"/>
+    <data id="User_Refresh_OnLogon_Options" value="0"/>
+    <data id="User_Refresh_Interval_Prompt" value="15"/>
+    <data id="User_Refresh_Unit_Options" value="1"/>
+    ```    
+
+    7.  Create the SyncML to enable the policy. Payload contains \<enabled/> and name/value pairs.  
+
+        Here is the example for **AppVirtualization/PublishingAllowServer2**:
+        
+> [!Note]  
+> The \<Data> payload must be XML encoded. To avoid encoding, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). If you are using Intune, select String as the data type.
+    
+    ``` syntax
+    <?xml version="1.0" encoding="utf-8"?>
+       <SyncML xmlns="SYNCML:SYNCML1.2">
+         <SyncBody>
+           <Replace>
+             <CmdID>2</CmdID>
+             <Item>
+               <Meta>
+                 <Format>chr</Format>
+                 <Type>text/plain</Type>
+               </Meta>
+               <Target>
+                <LocURI>./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer2</LocURI>
+               </Target>
+               <![CDATA[<enabled/><data id="Publishing_Server2_Name_Prompt" value="name prompt"/><data 
+                 id="Publishing_Server_URL_Prompt" value="URL prompt"/><data 
+                 id="Global_Publishing_Refresh_Options" value="1"/><data 
+                 id="Global_Refresh_OnLogon_Options" value="0"/><data 
+                 id="Global_Refresh_Interval_Prompt" value="15"/><data 
+                 id="Global_Refresh_Unit_Options" value="0"/><data 
+                 id="User_Publishing_Refresh_Options" value="0"/><data 
+                 id="User_Refresh_OnLogon_Options" value="0"/><data 
+                 id="User_Refresh_Interval_Prompt" value="15"/><data 
+                 id="User_Refresh_Unit_Options" value="1"/>]]>
+             </Item>
+           </Replace>
+           <Final/>
+         </SyncBody>
+       </SyncML>
+    ```
+
+
+## Disable a policy
+
+The \<Data> payload is \<disabled/>. Here is an example to disable AppVirtualization/PublishingAllowServer2.
+
+``` syntax
+<SyncML xmlns="SYNCML:SYNCML1.2">
+  <SyncBody>
+    <Replace>
+      <CmdID>2</CmdID>
+      <Item>
+        <Meta>
+          <Format>chr</Format>
+          <Type>text/plain</Type>
+        </Meta>
+        <Target>
+          <LocURI>./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer2</LocURI>
+        </Target>
+        <Data>&lt;disabled/&gt;</Data>
+      </Item>
+    </Replace>
+    <Final/>
+  </SyncBody>
+</SyncML>
+```
+
+## Setting a policy to not configured
+
+The \<Data> payload is empty. Here an example to set AppVirtualization/PublishingAllowServer2 to "Not Configured."
+
+``` syntax
+<?xml version="1.0" encoding="utf-8"?>
+<SyncML xmlns="SYNCML:SYNCML1.2">
+  <SyncBody>
+    <Delete>
+      <CmdID>1</CmdID>
+      <Item>
+        <Target>
+          <LocURI>./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer2</LocURI>
+        </Target>
+      </Item>
+    </Delete>
+    <Final/>
+  </SyncBody>
+</SyncML>
+```

windows/client-management/mdm/mobile-device-enrollment.md

@@ -7,7 +7,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 06/19/2017
+ms.date: 08/11/2017
 ---
 
 # Mobile device enrollment
@@ -59,26 +59,30 @@ The following topics describe the end-to-end enrollment process using various au
 > -   Any fixed URIs that are passed during enrollment
 > -   Specific formatting of any value unless otherwise noted, such as the format of the device ID.
 
+
+## Enrollment support for domain-joined devices
  
+Devices that are joined to an on-premise Active Directory can enroll into MDM via the Work access page in **Settings**. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device.
 
-## Prevent MDM enrollments
+## Disable MDM enrollments
 
 
-Starting in Windows 10, version 1607, to prevent MDM enrollments for domain-joined PCs, you can set the following Group Policy:
+Starting in Windows 10, version 1607, IT admin can disable MDM enrollments for domain-joined PCs using Group Policy. Using the GP editor, the path is **Computer configuration** > **Administrative Templates** > **Windows Components** > **MDM** > **Disable MDM Enrollment**.
+
+![Disable MDM enrollment policy in GP Editor](images/mdm-enrollment-disable-policy.png)
+
+Here is the corresponding registry key:
 
 Key: \\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\MDM
 
 Value: DisableRegistration
 
-Using the GP editor, the path is Computer configuration > Administrative Templates > Windows Components > MDM > Disable MDM Enrollment.
-
 ## Enrollment scenarios not supported
 
-
 The following scenarios do not allow MDM enrollments:
 
 -   Built-in administrator accounts on Windows desktop cannot enroll into MDM.
--   Standard users on Windows desktop cannot enroll into MDM via the Work access page in **Settings**. To enroll a standard user into MDM, we recommend using a provisioning package or joining the device to Azure AD from **Settings** -> **System** -> **About**.
+-   Prior to Windows 10, version 1709, standard users on Windows desktop cannot enroll into MDM via the Work access page in **Settings**. Only admin users can enroll. To enroll a standard user into MDM, we recommend using a provisioning package or joining the device to Azure AD from **Settings** -> **System** -> **About**. Starting in Windows 10, version 1709, standard users can enroll in MDM.
 -   Windows 8.1 devices enrolled into MDM via enroll-on-behalf-of (EOBO) can upgrade to Windows 10, but the enrollment is not supported. We recommend performing a server initiated unenroll to remove these enrollments and then enrolling after the upgrade to Windows 10 is completed.
 
 ## Enrollment migration

windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md

@@ -10,11 +10,12 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 08/10/2017
+ms.date: 08/11/2017
 ---
 
 # What's new in MDM enrollment and management
 
+
 > [!WARNING]
 > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
 
@@ -1327,6 +1328,17 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
 </thead>
 <tbody>
 <tr class="odd">
+<td style="vertical-align:top">[Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md)</td>
+<td style="vertical-align:top"><p>Added new step-by-step guide to enable ADMX-backed policies.</p>
+</td></tr>
+<tr class="odd">
+<td style="vertical-align:top">[Mobile device enrollment](mobile-device-enrollment.md)</td>
+<td style="vertical-align:top"><p>Added the following statement:</p>
+<ul>
+<li>Devices that are joined to an on-premise Active Directory can enroll into MDM via the Work access page in <strong>Settings</strong>. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device.</li>
+</ul>
+</td></tr>
+<tr class="odd">
 <td style="vertical-align:top">[CM\_CellularEntries CSP](cm-cellularentries-csp.md)</td>
 <td style="vertical-align:top"><p>Updated the description of the PuposeGroups node to add the GUID for applications. This node is required instead of optional.</p>
 </td></tr>

windows/client-management/mdm/policy-csp-appvirtualization.md

@@ -702,7 +702,7 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Publishing Server 2 Settings*
+-   GP English name: *Publishing Server 2 Settings*
 -   GP name: *Publishing_Server2_Policy*
 -   GP path: *Administrative Templates/System/App-V/Publishing*
 -   GP ADMX file name: *appv.admx*

windows/client-management/mdm/understanding-admx-backed-policies.md

@@ -97,7 +97,7 @@ Appv.admx file:
 
 ## <a href="" id="admx-backed-policy-examples"></a>ADMX-backed policy examples
 
-The following SyncML examples describe how to set a MDM policy that is defined by an ADMX template, specifically the Publishing_Server2_Policy Group Policy description in the application virtualization ADMX file, appv.admx. Note that the functionality that this Group Policy manages is not important; it is used to illustrate only how an MDM ISV can set an ADMX-backed policy. These SyncML examples illustrate common options and the corresponding SyncML code that can be used for testing your policies. Note that the payload of the SyncML must be XML-encoded; for this XML encoding, you can use the [Coder’s Toolbox](http://coderstoolbox.net/string/#!encoding=xml&action=encode&charset=us_ascii) online tool. To avoid encoding the payload, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+The following SyncML examples describe how to set a MDM policy that is defined by an ADMX template, specifically the Publishing_Server2_Policy Group Policy description in the application virtualization ADMX file, appv.admx. Note that the functionality that this Group Policy manages is not important; it is used to illustrate only how an MDM ISV can set an ADMX-backed policy. These SyncML examples illustrate common options and the corresponding SyncML code that can be used for testing your policies. Note that the payload of the SyncML must be XML-encoded; for this XML encoding, you can use favorite online tool. To avoid encoding the payload, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
 
 
 ### <a href="" id="enabling-a-policy"></a>Enabling a policy

windows/device-security/change-history-for-device-security.md

@@ -14,14 +14,14 @@ This topic lists new and updated topics in the [Device security](index.md) docum
 ## August 2017
 |New or changed topic |Description |
 |---------------------|------------|
- | [BitLocker: Management recommendations for enterprises](bitlocker/bitlocker-management-for-enterprises.md) | New BitLocker security topic. |
-
+| [BitLocker: Management recommendations for enterprises](bitlocker/bitlocker-management-for-enterprises.md) | New BitLocker security topic. |
+| [Accounts: Block Microsoft accounts](security-policy-settings/accounts-block-microsoft-accounts.md) | Revised description |
 
 
 ## July 2017
 |New or changed topic |Description |
 |---------------------|------------|
- | [How Windows 10 uses the Trusted Platform Module](tpm/how-windows-uses-the-tpm.md) | New TPM security topic. |
+| [How Windows 10 uses the Trusted Platform Module](tpm/how-windows-uses-the-tpm.md) | New TPM security topic. |
 
 
 ## May 2017

windows/device-security/security-policy-settings/accounts-block-microsoft-accounts.md

@@ -18,11 +18,13 @@ Describes the best practices, location, values, management, and security conside
 
 ## Reference
 
-This policy setting prevents users from adding new Microsoft accounts on a device.
+This setting prevents using the **Settings** app to add a Microsoft account for single sign-on (SSO) authentication for Microsoft services and some background services, or using a Microsoft account for single sign-on to other applications or services. 
 
-If you click the **Users can’t add Microsoft accounts** setting option, users will not be able to switch a local account to a Microsoft account, or connect a domain account to a Microsoft account to drive sync, roaming, or other background services. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. Users will still be able to add app-specific Microsoft accounts for use with consumer apps. To block this use, turn off the ability to install consumer apps or the Store.
+There are two options if this setting is enabled:
 
-If you click the **Users can’t add or log on with Microsoft accounts** setting option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator to log on to a computer and manage the system.
+- **Users can’t add Microsoft accounts** means that existing connected accounts can still sign in to the device (and appear on the Sign in screen). However, users cannot use the **Settings** app to add new connected accounts (or connect local accounts to Microsoft accounts).
+
+- **Users can’t add or log on with Microsoft accounts** means that users cannot add new connected accounts (or connect local accounts to Microsoft accounts) or use existing connected accounts through **Settings**.
 
 If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows.
 
@@ -36,7 +38,7 @@ By default, this setting is not defined on domain controllers and disabled on st
 ### Best practices
 
 -   By disabling or not configuring this policy setting on the client computer, users will be able to use their Microsoft account, local account, or domain account for their sign-in session to Windows. It also enables the user to connect a local or domain account to a Microsoft account. This provides a convenient option for your users.
--   If you need to limit the use of Microsoft accounts in your organization, click the **Users can’t add Microsoft accounts** setting option so that users will not be able to create new Microsoft accounts on a computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account.
+-   If you need to limit the use of Microsoft accounts in your organization, click the **Users can’t add Microsoft accounts** setting option so that users will not be able to use the **Settings** app to add new connected accounts.
 
 ### Location
 

windows/threat-protection/TOC.md

@@ -147,6 +147,13 @@
 ### [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen\windows-defender-smartscreen-available-settings.md)
 ### [Set up and use Windows Defender SmartScreen on individual devices](windows-defender-smartscreen\windows-defender-smartscreen-set-individual-device.md)
 
+##[Windows Defender Application Guard](windows-defender-application-guard\wd-app-guard-overview.md)
+###[System requirements for Windows Defender Application Guard](windows-defender-application-guard\reqs-wd-app-guard.md)
+###[Prepare and install Windows Defender Application Guard](windows-defender-application-guard\install-wd-app-guard.md)
+###[Configure the Group Policy settings for Windows Defender Application Guard](windows-defender-application-guard\configure-wd-app-guard.md)
+###[Testing scenarios using Windows Defender Application Guard in your business or organization](windows-defender-application-guard\test-scenarios-wd-app-guard.md)
+###[Frequently Asked Questions - Windows Defender Application Guard](windows-defender-application-guard\faq-wd-app-guard.md)
+
 ## [Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection\protect-enterprise-data-using-wip.md)
 ### [Create a Windows Information Protection (WIP) policy](windows-information-protection\overview-create-wip-policy.md)
 #### [Create a Windows Information Protection (WIP) policy using the classic console for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune.md)

windows/threat-protection/index.md

@@ -17,6 +17,7 @@ Learn more about how to help protect against threats in Windows 10 and Windows
 |[Windows Defender Security Center](windows-defender-security-center/windows-defender-security-center.md)|Learn about the easy-to-use app that brings together common Windows security features.|
 |[Windows Defender Advanced Threat Protection](windows-defender-atp/windows-defender-advanced-threat-protection.md)|Provides info about Windows Defender Advanced Threat Protection (Windows Defender ATP), an out-of-the-box Windows enterprise security service that enables enterprise cybersecurity teams to detect and respond to advanced threats on their networks.|
 |[Windows Defender Antivirus in Windows 10](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)|Provides info about Windows Defender, a built-in antimalware solution that helps provide security and antimalware management for desktops, portable computers, and servers. Includes a list of system requirements and new features.|
+|[Windows Defender Application Guard](windows-defender-application-guard/wd-app-guard-overview.md)|Provides info about Windows Defender Application Guard, the hardware-based virtualization solution that helps to isolate a device and operating system from an untrusted browser session.|
 |[Windows Defender Smart​Screen](windows-defender-smartscreen/windows-defender-smartscreen-overview.md) |Learn more about Windows Defender SmartScreen.|
 |[Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection/protect-enterprise-data-using-wip.md)|Provides info about how to create a Windows Information Protection policy that can help protect against potential corporate data leakage.|
 |[Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md) |Learn more about mitigating threats in Windows 10.|

windows/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md

@@ -0,0 +1,44 @@
+---
+title: Configure the Group Policy settings for Windows Defender Application Guard (Windows 10)
+description: Learn about the available Group Policy settings for Windows Defender Application Guard.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+author: eross-msft
+localizationpriority: high
+---
+
+# Configure Windows Defender Application Guard policy settings
+
+**Applies to:**
+- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later)
+
+Windows Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a GPO, which is linked to a domain, and then apply all those settings to every computer in the domain.
+
+Application Guard uses both network isolation and application-specific settings.
+
+### Network isolation settings
+These settings, located at **Computer Configuration\Administrative Templates\Network\Network Isolation**, help you define and manage your company's network boundaries. Application Guard uses this information to automatically transfer any requests to access the non-corporate resources into the Application Guard container.
+
+>[!NOTE]
+>You must configure either the Enterprise resource domains hosted in the cloud or Private network ranges for apps settings on your employee devices to successfully turn on Application Guard using enterprise mode.
+
+
+|Policy name|Supported versions|Description|
+|-----------|------------------|-----------|
+|Private network ranges for apps|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of IP address ranges that are in your corporate network. Included endpoints or endpoints that are included within a specified IP address range, are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.|
+|Enterprise resource domains hosted in the cloud|At least Windows Server 2012, Windows 8, or Windows RT|A pipe-separated (\|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.|
+|Domains categorized as both work and personal|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.|
+
+### Application-specific settings
+These settings, located at **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard**, can help you to manage your company's implementation of Application Guard.
+
+|Name|Supported versions|Description|Options|
+|-----------|------------------|-----------|-------|
+|Configure Windows Defender Application Guard clipboard settings|At least Windows 10 Enterprise|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:<ul><li>Disable the clipboard functionality completely when Virtualization Security is enabled.</li><li>Enable copying of certain content from Application Guard into Microsoft Edge.</li><li>Enable copying of certain content from Microsoft Edge into Application Guard.<br><br>**Important**<br>Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.</li></ul>**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.|
+|Configure Windows Defender Application Guard print settings|At least Windows 10 Enterprise|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:<ul><li>Enable Application Guard to print into the XPS format.</li><li>Enable Application Guard to print into the PDF format.</li><li>Enable Application Guard to print to locally attached printers.</li><li>Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.</ul>**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
+|Block enterprise websites to load non-enterprise content in IE and Edge|At least Windows 10 Enterprise|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.<br><br>**Disabled or not configured.** Allows Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard.|
+|Allow Persistence|At least Windows 10 Enterprise|Determines whether data persists across different sessions in Windows Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.<br><br>**Disabled or not configured.** All user data within Application Guard is reset between sessions.<br><br>**Note**<br>If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.<br>**To reset the container:**<ol><li>Open a command-line program and navigate to Windows/System32.</li><li>Type `wdagtool.exe cleanup`.<br>The container environment is reset, retaining only the employee-generated data.</li><li>Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`.<br>The container environment is reset, including discarding all employee-generated data.</li></ol>|
+|Turn On/Off Windows Defender Application Guard (WDAG)|At least Windows 10 Enterprise|Determines whether to turn on Application Guard for Microsoft Edge.|**Enabled.** Turns on Application Guard for Microsoft Edge, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned On unless the required prerequisites and network isolation settings are already set on the device.<br><br>**Disabled.** Turns Off Application Guard, allowing all apps to run in Microsoft Edge.|
+

windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md

@@ -0,0 +1,42 @@
+---
+title: Frequently asked questions - Windows Defender Application Guard (Windows 10)
+description: Learn about the commonly asked questions and answers for Windows Defender Application Guard.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+author: eross-msft
+localizationpriority: high
+---
+
+# Frequently asked questions - Windows Defender Application Guard 
+
+**Applies to:**
+- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later)
+
+Answering frequently asked questions about Windows Defender Application Guard (Application Guard) features, integration with the Windows operating system, and general configuration.
+
+## Frequently Asked Questions
+
+| | |
+|---|----------------------------|
+|**Q:** |Can employees download documents from the Application Guard Edge session onto host devices?|
+|**A:** |It's not possible to download files from the isolated Application Guard container to the host PC. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device.|
+<br>
+
+| | |
+|---|----------------------------|
+|**Q:** |Can employees copy and paste between the host device and the Application Guard Edge session?|
+|**A:** |Depending on your organization's settings, employees can copy and paste images and text (.bmp) to and from the isolated container.|
+<br>
+
+| | |
+|---|----------------------------|
+|**Q:** |Why don't employees see their Favorites in the Application Guard Edge session?|
+|**A:** |To help keep the Application Guard Edge session secure and isolated from the host device, we don't copy the Favorites stored in the Application Guard Edge session back to the host device.|
+<br>
+
+| | |
+|---|----------------------------|
+|**Q:** |Why aren’t employees able to see their Extensions in the Application Guard Edge session?|
+|**A:** |Currently, the Application Guard Edge session doesn't support Extensions. However, we're closely monitoring your feedback about this.|

windows/threat-protection/windows-defender-application-guard/install-wd-app-guard.md

@@ -0,0 +1,54 @@
+---
+title: Prepare and install Windows Defender Application Guard (Windows 10)
+description: Learn about the Windows Defender Application Guard modes (Standalone or Enterprise-managed) and how to install Application Guard in your enterprise.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+author: eross-msft
+localizationpriority: high
+---
+
+# Prepare and install Windows Defender Application Guard
+
+**Applies to:**
+- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later)
+
+## Prepare to install Windows Defender Application Guard 
+Before you can install and use Windows Defender Application Guard, you must determine which way you intend to use it in your enterprise. You can use Application Guard in either **Standalone** or **Enterprise-managed** mode.
+
+- **Standalone mode.** Employees can use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, you must install Application Guard and then the employee must manually start Microsoft Edge in Application Guard while browsing untrusted sites. For an example of how this works, see the Application Guard in standalone mode testing scenario. <!--Need link after topic is created-->
+
+- **Enterprise-managed mode.** You and your security department can define your corporate boundaries by explicitly adding trusted domains and by customizing the Application Guard experience to meet and enforce your needs on employee devices. Enterprise-managed mode also automatically redirects any browser requests to load non-enterprise domain(s) in the container.
+
+The following diagram shows the flow between the host PC and the isolated container.
+![Flowchart for movement between Microsoft Edge and Application Guard](images/application-guard-container-v-host.png)
+
+## Install Application Guard
+Application Guard functionality is turned off by default. However, you can quickly install it on your employee’s devices through the Control Panel, PowerShell, or your mobile device management (MDM) solution.
+
+**To install by using the Control Panel**
+1. Open the **Control Panel**, click **Programs,** and then click **Turn Windows features on or off**.
+
+    ![Windows Features, turning on Windows Defender Application Guard](images/turn-windows-features-on.png)
+
+2. Select the check box next to **Windows Defender Application Guard** and then click **OK**.
+
+   Application Guard and its underlying dependencies are all installed.
+
+**To install by using PowerShell**
+1. Click the **Search** or **Cortana** icon in the Windows 10 taskbar and type **PowerShell**.
+   
+2. Right-click **Windows PowerShell**, and then click **Run as administrator**.
+
+   Windows PowerShell opens with administrator credentials.
+
+3. Type the following command:
+
+    ```
+    Enable-WindowsOptionalFeature -online -FeatureName Windows-Defender-ApplicationGuard
+    ```
+4. Restart the device.
+
+   Application Guard and its underlying dependencies are all installed.
+

windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md

@@ -0,0 +1,35 @@
+---
+title: System requirements for Windows Defender Application Guard (Windows 10)
+description: Learn about the system requirements for installing and running Windows Defender Application Guard.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+author: eross-msft
+localizationpriority: high
+---
+
+# System requirements for Windows Defender Application Guard
+
+**Applies to:**
+- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later)
+
+The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Windows Defender Application Guard (Application Guard) is designed to help prevent old, and newly emerging attacks, to help keep employees productive.
+
+## Hardware requirements
+Your environment needs the following hardware to run Application Guard.
+
+|Hardware|Description|
+|--------|-----------|
+|64-bit CPU|A 64-bit computer is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/reference/tlfs).|
+|CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_<br><br>**-AND-**<br><br>One of the following virtualization extensions for VBS:<br><br>VT-x (Intel)<br><br>**-OR-**<br><br>AMD-V|
+|Hardware memory|4 GB minimum, 8 GB recommended|
+
+## Software requirements
+Your environment needs the following hardware to run Application Guard.
+
+|Software|Description|
+|--------|-----------|
+|Operating system|Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later)|
+|Browser|Microsoft Edge and Internet Explorer|
+|Management system|[Microsoft Intune](https://docs.microsoft.com/en-us/intune/)<br><br>**-OR-**<br><br>[System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/)<br><br>**-OR-**<br><br>[Group Policy](https://technet.microsoft.com/en-us/library/cc753298(v=ws.11).aspx)<br><br>**-OR-**<br><br>Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.|

windows/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md

@@ -0,0 +1,157 @@
+---
+title: Testing scenarios using Windows Defender Application Guard in your business or organization (Windows 10)
+description: Suggested testing scenarios for Windows Defender Application Guard, showing how it works in both Standalone and Enterprise-managed mode.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+author: eross-msft
+localizationpriority: high
+---
+
+# Testing scenarios using Windows Defender Application Guard in your business or organization
+
+**Applies to:**
+- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later)
+
+We've come up with a list of suggested testing scenarios that you can use to test Windows Defender Application Guard (Application Guard) in your organization.
+
+## Application Guard in standalone mode
+You can see how an employee would use standalone mode with Application Guard.
+
+**To test Application Guard in Standalone mode**
+
+1.	Download the latest Windows Insider Program build (15257 or later).
+
+2.	Install Application Guard, using the [installation](#install-set-up-and-turn-on-application-guard) steps in this guide.
+
+3.	Restart the device, start Microsoft Edge, and then click **New Application Guard window** from the menu.
+
+    ![New Application Guard window setting option](images/appguard-new-window.png)
+ 
+4.	Wait for Application Guard to set up the isolated environment.
+
+    >[!NOTE]
+    >Starting Application Guard too quickly after restarting the device might cause it to take a bit longer to load. However, subsequent starts should occur without any perceivable delays. 
+ 
+5. Go to an untrusted, but safe URL (for this example, we used msn.com) and view the new Microsoft Edge window, making sure you see the Application Guard visual cues.
+
+    ![Untrusted website running in Application Guard](images/appguard-visual-cues.png)
+
+## Application Guard in Enterprise-managed mode 
+How to install, set up, turn on, and configure Application Guard for Enterprise-managed mode.
+
+### Install, set up, and turn on Application Guard
+Before you can use Application Guard in enterprise mode, you must install a version of Windows 10 that includes the functionality. Then, you must use Group Policy to set up the required settings.
+
+1.	Download the latest Windows Insider Program build (15257 or later).
+
+2.	Install Application Guard, using the [installation](#install-set-up-and-turn-on-application-guard) steps in this guide.
+
+3.	Restart the device and then start Microsoft Edge.
+
+4.	Set up the Network Isolation settings in Group Policy:
+
+    a.	Click on the **Windows** icon, type _Group Policy_, and then click **Edit Group Policy**.
+    
+    b.	Go to the **Administrative Templates\Network\Network Isolation\Enterprise resource domains hosted in the cloud** setting.
+
+    c.	For the purposes of this scenario, type _.microsoft.com_ into the **Enterprise cloud resources** box.
+
+    ![Group Policy editor with Enterprise cloud resources setting](images/appguard-gp-network-isolation.png)
+
+    d. Go to the **Administrative Templates\Network\Network Isolation\Domains categorized as both work and personal** setting.
+
+    e. For the purposes of this scenario, type _bing.com_ into the **Neutral resources** box.
+
+    ![Group Policy editor with Neutral resources setting](images/appguard-gp-network-isolation-neutral.png)
+
+5.	Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Turn On/Off Windows Defender Application Guard (WDAG)** setting.
+
+6.	Click **Enabled**.
+
+    ![Group Policy editor with Turn On/Off setting](images/appguard-gp-turn-on.png)
+
+    >[!NOTE]
+    >Enabling this setting verifies that all the necessary settings are properly configured on your employee devices, including the network isolation settings set earlier in this scenario.
+
+7. Start Microsoft Edge and type _www.microsoft.com_.
+    
+    After you submit the URL, Application Guard determines the URL is trusted because it uses the domain you’ve marked as trusted and shows the site directly on the host PC instead of in Application Guard.
+
+    ![Trusted website running on Microsoft Edge](images/appguard-turned-on-with-trusted-site.png)
+
+8.	In the same Microsoft Edge browser, type any URL that isn’t part of your trusted or neutral site lists.
+ 
+    After you submit the URL, Application Guard determines the URL is untrusted and redirects the request to the hardware-isolated environment.
+
+    ![Untrusted website running in Application Guard](images/appguard-visual-cues.png)
+
+### Customize Application Guard
+Application Guard lets you specify your configuration, allowing you to create the proper balance between isolation-based security and productivity for your employees.
+
+Application Guard provides the following default behavior for your employees:
+
+- No copying and pasting between the host PC and the isolated container.
+
+- No printing from the isolated container.
+
+- No data persistence from one isolated container to another isolated container.
+
+You have the option to change each of these settings to work with your enterprise from within Group Policy.
+
+**To change the copy and paste options**
+1.	Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard clipboard settings**.
+
+2.	Click **Enabled**.
+ 
+    ![Group Policy editor clipboard options](images/appguard-gp-clipboard.png)
+
+3.	Choose how the clipboard works:
+    
+    - Copy and paste from the isolated session to the host PC
+    
+    - Copy and paste from the host PC to the isolated session
+    
+    - Copy and paste both directions
+
+4.	Choose what can be copied:
+    
+    - **1.** Only text can be copied between the host PC and the isolated container.
+
+    - **2.** Only images can be copied between the host PC and the isolated container.
+
+    - **3.** Both text and images can be copied between the host PC and the isolated container.
+
+5.	Click **OK**.
+
+**To change the print options**
+1.	Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard print** settings.
+
+2.	Click **Enabled**.
+
+    ![Group Policy editor Print options](images/appguard-gp-print.png)
+
+3.	Based on the list provided in the setting, choose the number that best represents what type of printing should be available to your employees. You can allow any combination of local, network, PDF, and XPS printing.
+
+4. Click **OK**.
+
+**To change the data persistence options**
+1.	Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Allow data persistence for Windows Defender Application Guard** setting.
+
+2.	Click **Enabled**.
+
+    ![Group Policy editor Data Persistence options](images/appguard-gp-persistence.png)
+ 
+3.	Open Microsoft Edge and browse to an untrusted, but safe URL.
+
+    The website opens in the isolated session. 
+
+4.	Add the site to your **Favorites** list and then close the isolated session.
+
+5.  Log out and back on to your device, opening Microsoft Edge in Application Guard again.
+
+    The previously added site should still appear in your **Favorites** list.
+
+    >[!NOTE]
+    >If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren’t shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10.<br><br>If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.<br><br>**To reset the container:**<ol><li>Open a command-line program and navigate to Windows/System32.</li><li>Type `wdagtool.exe cleanup`.<br>The container environment is reset, retaining only the employee-generated data.</li><li>Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`.<br>The container environment is reset, including discarding all employee-generated data.</li></ol>

windows/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md

@@ -0,0 +1,45 @@
+---
+title: Windows Defender Application Guard (Windows 10)
+description: Learn about Windows Defender Application Guard and how it helps to combat malicious content and malware out on the Internet.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+author: eross-msft
+localizationpriority: high
+---
+
+# Windows Defender Application Guard overview
+
+**Applies to:**
+- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later)
+
+The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks.
+ 
+Windows Defender Application Guard (Application Guard) is designed to help prevent old, and newly emerging attacks, to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by rendering current attack methods obsolete. 
+
+
+## What is Application Guard and how does it work?
+Designed for Windows 10 and Microsoft Edge, Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet. As an enterprise administrator, you define what is among trusted web sites, cloud resources, and internal networks. Everything not on your list is considered untrusted.
+
+If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated Hyper-V-enabled container, which is separate from the host operating system. This container isolation means that if the untrusted site turns out to be malicious, the host PC is protected, and the attacker can't get to your enterprise data. For example, this approach makes the isolated container anonymous, so an attacker can't get to your employee's enterprise credentials.
+
+![Hardware isolation diagram](images/appguard-hardware-isolation.png)
+
+### What types of devices should use Application Guard?
+Application Guard has been created to target 3 types of enterprise systems:
+
+- **Enterprise desktops.** These desktops are domain-joined and managed by your organization. Configuration management is primarily done through System Center Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wired, corporate network.
+
+- **Enterprise mobile laptops.** These laptops are domain-joined and managed by your organization. Configuration management is primarily done through System Center Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wireless, corporate network.
+
+- **Bring your own device (BYOD) mobile laptops.** These personally-owned laptops are not domain-joined, but are managed by your organization through tools like Microsoft Intune. The employee is typically an admin on the device and uses a high-bandwidth wireless corporate network while at work and a comparable personal network while at home.
+
+## In this section
+|Topic |Description |
+|------|------------|
+|[System requirements for Windows Defender Application Guard](reqs-wd-app-guard.md) |Specifies the pre-requisites necessary to install and use Application Guard. |
+|[Prepare and install Windows Defender Application Guard](install-wd-app-guard.md) |Provides instructions about determining which mode to use, either Standalone or Enterprise-managed, and how to install Application Guard in your organization. |
+|[Configure the Group Policy settings for Windows Defender Application Guard](configure-wd-app-guard.md) |Provides info about the available Group Policy and MDM settings.|
+|[Testing scenarios using Windows Defender Application Guard in your business or organization](test-scenarios-wd-app-guard.md)|Provides a list of suggested testing scenarios that you can use to test Windows Defender Application Guard (Application Guard) in your organization.|
+|[Frequently Asked Questions - Windows Defender Application Guard](faq-wd-app-guard.md)|Common questions and answers around the features and functionality of Application Guard.|

windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md

@@ -342,14 +342,14 @@ If you're running into compatibility issues where your app is incompatible with
 ### Manage the WIP-protection level for your enterprise data
 After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode.
 
-We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**.
+We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Hide Overrides**.
 
 >[!NOTE]
 >For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
 
 |Mode |Description |
 |-----|------------|
-|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
+|Hide Overrides |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
 |Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. |
 |Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.|
 |Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.<p>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.|