Merged PR 2650: 8/9 PM Publish

devices/surface-hub/prepare-your-environment-for-surface-hub.md

@@ -68,9 +68,8 @@ Surface Hub interacts with a few different products and services. Depending on t
 
 A device account is an Exchange resource account that Surface Hub uses to display its meeting calendar, join Skype for Business calls, send email, and (optionally) to authenticate to Exchange. See [Create and test a device account](create-and-test-a-device-account-surface-hub.md) for details.
 
-After you've created your device account, there are a couple of ways to verify that it's setup correctly.
+After you've created your device account, to verify that it's setup correctly, run Surface Hub device account validation PowerShell scripts. For more information, see [Surface Hub device account scripts](https://gallery.technet.microsoft.com/scriptcenter/Surface-Hub-device-account-6db77696) in Script Center, or [PowerShell scripts for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) later in this guide. 
-- Run Surface Hub device account validation PowerShell scripts. For more information, see [Surface Hub device account scripts](https://gallery.technet.microsoft.com/scriptcenter/Surface-Hub-device-account-6db77696) in Script Center, or [PowerShell scripts for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) later in this guide. 
+
-- Use the account with the [Lync Microsoft Store app](https://www.microsoft.com/en-us/store/p/lync/9wzdncrfhvhm). If Lync signs in successfully, then the device account will most likely work with Skype for Business on Surface Hub.
  
 
 ## Prepare for first-run program 

windows/access-protection/credential-guard/credential-guard-known-issues.md

@@ -33,25 +33,13 @@ The following known issues have been fixed by servicing releases made available
     - Windows 10 Version 1511: [KB4015219 (OS Build 10586.873)](https://support.microsoft.com/help/4015219)
     - Windows 10 Version 1507: [KB4015221 (OS Build 10240.17354)](https://support.microsoft.com/help/4015221)
 
+## Known issues involving third-party applications
 
+The following issue affects the Java GSS API. See the following Oracle bug database article: 
 
+-	[JDK-8161921: Windows 10 Credential Guard does not allow sharing of TGT with Java](http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8161921)
 
-
+When Credential Guard is enabled on Windows 10, the Java GSS API will not authenticate. This is expected behavior because Credential Guard blocks specific application authentication capabilities and will not provide the TGT session key to applications regardless of registry key settings. For further information see [Application requirements](https://docs.microsoft.com/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements).
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
 
 
 The following issue affects Cisco AnyConnect Secure Mobility Client:

windows/client-management/mdm/enterprisedataprotection-csp.md

@@ -7,7 +7,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 06/19/2017
+ms.date: 08/09/2017
 ---
 
 # EnterpriseDataProtection CSP
@@ -44,8 +44,8 @@ The following diagram shows the EnterpriseDataProtection CSP in tree format.
 
 -   0 (default) – Off / No protection (decrypts previously protected data).
 -   1 – Silent mode (encrypt and audit only).
--   2 – Override mode (encrypt, prompt, and audit).
+-   2 – Allow override mode (encrypt, prompt and allow overrides, and audit).
--   3 – Block mode (encrypt, block, and audit).
+-   3 – Hides overrides (encrypt, prompt but hide overrides, and audit).
 
 <p style="margin-left: 20px">Supported operations are Add, Get, Replace and Delete. Value type is integer.
 

windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md

@@ -1322,6 +1322,16 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
 <td style="vertical-align:top">[CM\_CellularEntries CSP](cm-cellularentries-csp.md)</td>
 <td style="vertical-align:top"><p>Updated the description of the PuposeGroups node to add the GUID for applications. This node is required instead of optional.</p>
 </td></tr>
+<tr class="odd">
+<td style="vertical-align:top">[EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)</td>
+<td style="vertical-align:top"><p>Updated the Settings/EDPEnforcementLevel values to the following:</p>
+<ul>
+<li> 0 (default) – Off / No protection (decrypts previously protected data).</li>
+<li>  1 – Silent mode (encrypt and audit only).</li>
+<li>  2 – Allow override mode (encrypt, prompt and allow overrides, and audit).</li>
+<li>  3 – Hides overrides (encrypt, prompt but hide overrides, and audit).</li>
+</ul>
+</td></tr>
 <tr class="even">
 <td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
 <td style="vertical-align:top"><p>Added the following new policies for Windows 10, version 1709:</p>

windows/configuration/start-layout-xml-desktop.md

@@ -191,7 +191,7 @@ You can use the **start:DesktopApplicationTile** tag to pin a Windows desktop ap
 
   To pin a Windows desktop application through this method, you must set the **DesktopApplicationID** attribute to the application user model ID that's associated with the corresponding app. 
 
-  The following example shows how to pin the Internet Explorer Windows desktop application:
+  The following example shows how to pin the File Explorer Windows desktop application:
 
   ```XML
     <start:DesktopApplicationTile

windows/configuration/windows-spotlight.md

@@ -67,10 +67,6 @@ Windows Spotlight is enabled by default. Windows 10 provides Group Policy and mo
 
  In addition to the specific policy settings for Windows Spotlight, administrators can replace Windows Spotlight with a selected image using the Group Policy setting **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**.
 
->[!WARNING]
-> In Windows 10, version 1607, the **Force a specific default lock screen image** policy setting will prevent users from changing the lock screen image. This behavior will be corrected in a future release.
->
-> In Windows 10, version 1703, the **Force a specific default lock screen image** policy setting applies only intermittently and may not produce expected results. This behavior will be corrected in a future release.
 
 ![lockscreen policy details](images/lockscreenpolicy.png)
 

windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md

@@ -80,7 +80,7 @@ For example: netsh winhttp set proxy 10.0.0.6:8080
 ## Enable access to Windows Defender ATP service URLs in the proxy server
 If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service in port 80 and 443:
 
-Primary Domain Controller | .Microsoft.com DNS record
+Service location | .Microsoft.com DNS record
 :---|:---
  US |```*.blob.core.windows.net``` <br>```crl.microsoft.com```<br> ```us.vortex-win.data.microsoft.com```<br> ```winatp-gw-cus.microsoft.com``` <br> ```winatp-gw-eus.microsoft.com```
 Europe |```*.blob.core.windows.net```<br>```crl.microsoft.com```<br> ```eu.vortex-win.data.microsoft.com```<br>```winatp-gw-neu.microsoft.com```<br> ```winatp-gw-weu.microsoft.com```<br>