From 2a15c969728d8b5598d69f2e722edd52ca44b745 Mon Sep 17 00:00:00 2001
From: John Tobin <v-jotob@microsoft.com>
Date: Wed, 16 Aug 2017 11:44:53 -0700
Subject: [PATCH 1/3] Edit TPM topic for formatting and text.

---
 ...orm-module-services-group-policy-settings.md | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings.md
index 8203714148..4ab3894c38 100644
--- a/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings.md
+++ b/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings.md
@@ -1,6 +1,6 @@
 ---
 title: TPM Group Policy settings (Windows 10)
-description: This topic for the IT professional describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings.
+description: This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings.
 ms.assetid: 54ff1c1e-a210-4074-a44e-58fee26e4dbd
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -15,20 +15,25 @@ author: brianlic-msft
 -   Windows 10
 -   Windows Server 2016
 
-This topic for the IT professional describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings.
+This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings.
 
-The TPM Services Group Policy settings are located at:
+The Group Policy settings for TPM services are located at:
 
 **Computer Configuration\\Administrative Templates\\System\\Trusted Platform Module Services\\**
 
-### Configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0
+## Configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0
 
-Introduced in Windows 10, version 1703, this policy setting configures the TPM to use the Dictionary Attack Prevention Parameters (lockout threshold and recovery time) to the values that were used for Windows 10 Version 1607 and below. Setting this policy will take effect only if: a) the TPM was originally prepared using a version of Windows after Windows 10 Version 1607, and b) the System has a TPM 2.0. 
+Introduced in Windows 10, version 1703, this policy setting configures the TPM to use the Dictionary Attack Prevention Parameters (lockout threshold and recovery time) to the values that were used for Windows 10 Version 1607 and below. 
+
+> [!IMPORTANT]
+> Setting this policy will take effect only if:  
+-   The TPM was originally prepared using a version of Windows after Windows 10 Version 1607
+-   The system has a TPM 2.0. 
 
 Note that enabling this policy will only take effect after the TPM maintenance task runs (which typically happens after a system restart). Once this policy has been enabled on a system and has taken effect (after a system restart), disabling it will have no impact and the system's TPM will remain configured using the legacy Dictionary Attack Prevention parameters, regardless of the value of this group policy. The only way for the disabled setting of this policy to take effect on a system where it was once enabled is to: 
 a) disable it from group policy and b) clear the TPM on the system.
 
-**The following Group Policy settings were introduced in Window 10:**
+The following Group Policy settings were introduced in Window 10:
 
 ### Configure the list of blocked TPM commands
 

From 5b6cf8c46af456840eeb295c52de7343886c6d60 Mon Sep 17 00:00:00 2001
From: Maricia Alforque <maricia@microsoft.com>
Date: Wed, 16 Aug 2017 18:48:18 +0000
Subject: [PATCH 2/3] Merged PR 2740: ExploitGuard policy - new in Policy CSP

---
 windows/client-management/mdm/TOC.md          |  1 +
 ...ew-in-windows-mdm-enrollment-management.md |  2 +
 .../policy-configuration-service-provider.md  |  8 +++
 .../mdm/policy-csp-exploitguard.md            | 58 +++++++++++++++++++
 4 files changed, 69 insertions(+)
 create mode 100644 windows/client-management/mdm/policy-csp-exploitguard.md

diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md
index 406f309f85..2d6046fef1 100644
--- a/windows/client-management/mdm/TOC.md
+++ b/windows/client-management/mdm/TOC.md
@@ -200,6 +200,7 @@
 #### [ErrorReporting](policy-csp-errorreporting.md)
 #### [EventLogService](policy-csp-eventlogservice.md)
 #### [Experience](policy-csp-experience.md)
+#### [ExploitGuard](policy-csp-exploitguard.md)
 #### [Games](policy-csp-games.md)
 #### [InternetExplorer](policy-csp-internetexplorer.md)
 #### [Kerberos](policy-csp-kerberos.md)
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
index b84fdaa3fa..c2218a1fab 100644
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@@ -982,6 +982,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
 <li>DeviceGuard/EnableVirtualizationBasedSecurity</li>
 <li>DeviceGuard/RequirePlatformSecurityFeatures</li>
 <li>DeviceGuard/LsaCfgFlags</li>
+<li>ExploitGuard/ExploitProtectionSettings</li>
 <li>LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts</li>
 <li>LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus</li>
 <li>LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus</li>
@@ -1372,6 +1373,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
 <td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
 <td style="vertical-align:top"><p>Added the following new policies for Windows 10, version 1709:</p>
 <ul>
+<li>ExploitGuard/ExploitProtectionSettings</li>
 <li>LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts</li>
 <li>LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus</li>
 <li>LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus</li>
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index e8a815b1ca..017e7eb94f 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -1002,6 +1002,14 @@ The following diagram shows the Policy configuration service provider in tree fo
   </dd>
 </dl>
 
+### ExploitGuard policies
+
+<dl>
+  <dd>
+    <a href="./policy-csp-exploitguard.md#exploitguard-exploitprotectionsettings" id="exploitguard-exploitprotectionsettings">ExploitGuard/ExploitProtectionSettings</a>
+  </dd>
+</dl>
+
 ### Games policies
 
 <dl>
diff --git a/windows/client-management/mdm/policy-csp-exploitguard.md b/windows/client-management/mdm/policy-csp-exploitguard.md
new file mode 100644
index 0000000000..cf06c60c3e
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-exploitguard.md
@@ -0,0 +1,58 @@
+---
+title: Policy CSP - ExploitGuard
+description: Policy CSP - ExploitGuard
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 08/11/2017
+---
+
+# Policy CSP - ExploitGuard
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+<!--StartPolicy-->
+<a href="" id="exploitguard-exploitprotectionsettings"></a>**ExploitGuard/ExploitProtectionSettings**  
+
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>Mobile Enterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
+<!--StartDescription-->
+<p style="margin-left: 20px">Enables the IT admin to push out a configuration representing the desired system and application mitigation options to all the devices in the organization. The configuration is represented by an XML.
+
+<p style="margin-left: 20px">The system settings require a reboot; the application settings do not require a reboot.
+
+<!--EndDescription-->
+<!--EndPolicy-->
+<hr/>
+
+Footnote:
+
+-   1 - Added in Windows 10, version 1607.
+-   2 - Added in Windows 10, version 1703.
+-   3 - Added in Windows 10, version 1709.
+
+<!--EndPolicies-->
\ No newline at end of file

From 18fea0d3b8495628e89c7c6247a264cc3b037c4f Mon Sep 17 00:00:00 2001
From: John Tobin <v-jotob@microsoft.com>
Date: Wed, 16 Aug 2017 14:29:40 -0700
Subject: [PATCH 3/3] Topic re-org. Change H3 headings to H2

---
 ...m-module-services-group-policy-settings.md | 41 ++++++++++---------
 1 file changed, 22 insertions(+), 19 deletions(-)

diff --git a/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings.md
index 4ab3894c38..a666d3e71e 100644
--- a/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings.md
+++ b/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings.md
@@ -21,21 +21,9 @@ The Group Policy settings for TPM services are located at:
 
 **Computer Configuration\\Administrative Templates\\System\\Trusted Platform Module Services\\**
 
-## Configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0
-
-Introduced in Windows 10, version 1703, this policy setting configures the TPM to use the Dictionary Attack Prevention Parameters (lockout threshold and recovery time) to the values that were used for Windows 10 Version 1607 and below. 
-
-> [!IMPORTANT]
-> Setting this policy will take effect only if:  
--   The TPM was originally prepared using a version of Windows after Windows 10 Version 1607
--   The system has a TPM 2.0. 
-
-Note that enabling this policy will only take effect after the TPM maintenance task runs (which typically happens after a system restart). Once this policy has been enabled on a system and has taken effect (after a system restart), disabling it will have no impact and the system's TPM will remain configured using the legacy Dictionary Attack Prevention parameters, regardless of the value of this group policy. The only way for the disabled setting of this policy to take effect on a system where it was once enabled is to: 
-a) disable it from group policy and b) clear the TPM on the system.
-
 The following Group Policy settings were introduced in Window 10:
 
-### Configure the list of blocked TPM commands
+## Configure the list of blocked TPM commands
 
 This policy setting allows you to manage the Group Policy list of Trusted Platform Module (TPM) commands that are blocked by Windows.
 
@@ -53,7 +41,7 @@ For information how to enforce or ignore the default and local lists of blocked
 
 -   [Ignore the local list of blocked TPM commands](#ignore-the-local-list-of-blocked-tpm-commands)
 
-### Ignore the default list of blocked TPM commands
+## Ignore the default list of blocked TPM commands
 
 This policy setting allows you to enforce or ignore the computer's default list of blocked Trusted Platform Module (TPM) commands.
 
@@ -63,7 +51,7 @@ If you enable this policy setting, the Windows operating system will ignore the
 
 If you disable or do not configure this policy setting, Windows will block the TPM commands in the default list, in addition to the commands that are specified by Group Policy and the local list of blocked TPM commands.
 
-### Ignore the local list of blocked TPM commands
+## Ignore the local list of blocked TPM commands
 
 This policy setting allows you to enforce or ignore the computer's local list of blocked Trusted Platform Module (TPM) commands.
 
@@ -73,7 +61,7 @@ If you enable this policy setting, the Windows operating system will ignore the
 
 If you disable or do not configure this policy setting, Windows will block the TPM commands in the local list, in addition to the commands that are specified in Group Policy and the default list of blocked TPM commands.
 
-### Configure the level of TPM owner authorization information available to the operating system
+## Configure the level of TPM owner authorization information available to the operating system
 
 This policy setting configures how much of the TPM owner authorization information is stored in the registry of the local computer. Depending on the amount of TPM owner authorization information that is stored locally, the Windows operating system and TPM-based applications can perform certain actions in the TPM that require TPM owner authorization without requiring the user to enter the TPM owner password.
 
@@ -111,7 +99,7 @@ If you enable this policy setting, the Windows operating system will store the T
 If you disable or do not configure this policy setting, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is also disabled or not configured, the default setting is to store the full TPM authorization value in the local registry. If this policy is disabled or not
 configured, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is enabled, only the administrative delegation and the user delegation blobs are stored in the local registry.
 
-### Standard User Lockout Duration
+## Standard User Lockout Duration
 
 This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for Trusted Platform Module (TPM) commands requiring authorization. An authorization failure occurs each time a standard user sends a command to the TPM and receives an error response that indicates an authorization failure occurred. Authorization failures that are older than the duration you set are ignored. If the number of TPM commands with an authorization failure within the lockout duration equals a threshold, a standard user is prevented from sending commands that require
 authorization to the TPM.
@@ -130,7 +118,7 @@ An administrator with the TPM owner password can fully reset the TPM's hardware
 
 If you do not configure this policy setting, a default value of 480 minutes (8 hours) is used.
 
-### Standard User Individual Lockout Threshold
+## Standard User Individual Lockout Threshold
 
 This policy setting allows you to manage the maximum number of authorization failures for each standard user for the Trusted Platform Module (TPM). This value is the maximum number of authorization failures that each standard user can have before the user is not allowed to send commands that require authorization to the TPM. If the number of authorization failures for the user within the duration that is set for the **Standard User Lockout Duration** policy setting equals this value, the standard user is prevented from sending commands that require authorization to the Trusted Platform Module (TPM).
 
@@ -142,7 +130,7 @@ An administrator with the TPM owner password can fully reset the TPM's hardware
 
 If you do not configure this policy setting, a default value of 4 is used. A value of zero means that the operating system will not allow standard users to send commands to the TPM, which might cause an authorization failure.
 
-### Standard User Total Lockout Threshold
+## Standard User Total Lockout Threshold
 
 This policy setting allows you to manage the maximum number of authorization failures for all standard users for the Trusted Platform Module (TPM). If the total number of authorization failures for all standard users within the duration that is set for the **Standard User Lockout Duration** policy equals this value, all standard users are prevented from sending commands that require authorization to the Trusted Platform Module (TPM).
 
@@ -161,6 +149,21 @@ If you enable this policy setting, TPM owner information will be automatically a
 
 If you disable or do not configure this policy setting, TPM owner information will not be backed up to AD DS.
 
+## Configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0
+
+Introduced in Windows 10, version 1703, this policy setting configures the TPM to use the Dictionary Attack Prevention Parameters (lockout threshold and recovery time) to the values that were used for Windows 10 Version 1607 and below. 
+
+> [!IMPORTANT]
+> Setting this policy will take effect only if:  
+-   The TPM was originally prepared using a version of Windows after Windows 10 Version 1607
+-   The system has a TPM 2.0. 
+
+> [!NOTE]
+> Enabling this policy will only take effect after the TPM maintenance task runs (which typically happens after a system restart). Once this policy has been enabled on a system and has taken effect (after a system restart), disabling it will have no impact and the system's TPM will remain configured using the legacy Dictionary Attack Prevention parameters, regardless of the value of this group policy. The only ways for the disabled setting of this policy to take effect on a system where it was once enabled are to either:
+> -  Disable it from group policy
+> -  Clear the TPM on the system
+
+
 ## Related topics
 
 - [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)