diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index decbbc3864..288fc7b572 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -742,12 +742,12 @@
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-if-server-agrees.md",
- "redirect_url": "/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees",
+ "redirect_url": "/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-if-client-agress.md",
- "redirect_url": "/windows/security/threat-protectionsecurity-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees",
+ "redirect_url": "/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always",
"redirect_document_id": false
},
{
@@ -3447,7 +3447,7 @@
},
{
"source_path": "windows/device-security/security-policy-settings/microsoft-network-client-digitally-sign-communications-if-server-agrees.md",
- "redirect_url": "/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-if-server-agrees",
+ "redirect_url": "/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always",
"redirect_document_id": false
},
{
@@ -3472,7 +3472,7 @@
},
{
"source_path": "windows/device-security/security-policy-settings/microsoft-network-server-digitally-sign-communications-if-client-agrees.md",
- "redirect_url": "/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-if-client-agrees",
+ "redirect_url": "/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always",
"redirect_document_id": false
},
{
@@ -12392,12 +12392,12 @@
},
{
"source_path": "windows/keep-secure/microsoft-network-client-digitally-sign-communications-always.md",
- "redirect_url": "/windows/device-security/security-policy-settings/microsoft-network-client-digitally-sign-communications-always",
+ "redirect_url": "/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always",
"redirect_document_id": false
},
{
"source_path": "windows/keep-secure/microsoft-network-client-digitally-sign-communications-if-server-agrees.md",
- "redirect_url": "/windows/device-security/security-policy-settings/microsoft-network-client-digitally-sign-communications-if-server-agrees",
+ "redirect_url": "/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always",
"redirect_document_id": false
},
{
@@ -12417,12 +12417,12 @@
},
{
"source_path": "windows/keep-secure/microsoft-network-server-digitally-sign-communications-always.md",
- "redirect_url": "/windows/device-security/security-policy-settings/microsoft-network-server-digitally-sign-communications-always",
+ "redirect_url": "/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always",
"redirect_document_id": false
},
{
"source_path": "windows/keep-secure/microsoft-network-server-digitally-sign-communications-if-client-agrees.md",
- "redirect_url": "/windows/device-security/security-policy-settings/microsoft-network-server-digitally-sign-communications-if-client-agrees",
+ "redirect_url": "/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always",
"redirect_document_id": false
},
{
@@ -20294,6 +20294,46 @@
"source_path": "windows/security/identity-protection/hello-for-business/reset-security-key.md",
"redirect_url": "/azure/active-directory/authentication/howto-authentication-passwordless-security-key",
"redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md",
+ "redirect_url": "/windows/configuration/provisioning-packages/provision-pcs-with-apps",
+ "redirect_document_id": true
+ },
+ {
+ "source_path": "windows/configuration/cortana-at-work/cortana-at-work-crm.md",
+ "redirect_url": "/windows/resources",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/cortana-at-work/cortana-at-work-powerbi.md",
+ "redirect_url": "/windows/resources",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/manage-wifi-sense-in-enterprise.md",
+ "redirect_url": "/windows/resources",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md",
+ "redirect_url": "/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md",
+ "redirect_url": "/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md",
+ "redirect_url": "/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md",
+ "redirect_url": "/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always",
+ "redirect_document_id": false
}
]
-}
+}
\ No newline at end of file
diff --git a/education/includes/education-content-updates.md b/education/includes/education-content-updates.md
new file mode 100644
index 0000000000..f3861da706
--- /dev/null
+++ b/education/includes/education-content-updates.md
@@ -0,0 +1,26 @@
+
+
+
+
+## Week of January 09, 2023
+
+
+| Published On |Topic title | Change |
+|------|------------|--------|
+| 1/12/2023 | [Configure federation between Google Workspace and Azure AD](/education/windows/configure-aad-google-trust) | added |
+
+
+## Week of December 19, 2022
+
+
+| Published On |Topic title | Change |
+|------|------------|--------|
+| 12/22/2022 | [Windows 11 SE Overview](/education/windows/windows-11-se-overview) | modified |
+
+
+## Week of December 12, 2022
+
+
+| Published On |Topic title | Change |
+|------|------------|--------|
+| 12/13/2022 | [Configure Stickers for Windows 11 SE](/education/windows/edu-stickers) | modified |
diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md
index 41a3aec43a..8a63a27c99 100644
--- a/education/windows/windows-11-se-overview.md
+++ b/education/windows/windows-11-se-overview.md
@@ -81,7 +81,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| Application | Supported version | App Type | Vendor |
|-------------------------------------------|-------------------|----------|-------------------------------------------|
-| `3d builder` | `18.0.1931.0` | Win32 | `Microsoft` |
+| `3d builder` | 18.0.1931.0 | Win32 | `Microsoft` |
| `Absolute Software Endpoint Agent` | 7.20.0.1 | Win32 | `Absolute Software Corporation` |
| `AirSecure` | 8.0.0 | Win32 | `AIR` |
| `Alertus Desktop` | 5.4.48.0 | Win32 | `Alertus technologies` |
@@ -97,6 +97,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| `DRC INSIGHT Online Assessments` | 12.0.0.0 | `Store` | `Data recognition Corporation` |
| `Duo from Cisco` | 3.0.0 | Win32 | `Cisco` |
| `e-Speaking Voice and Speech recognition` | 4.4.0.8 | Win32 | `e-speaking` |
+| `EasyReader` | 10.0.3.481 | Win32 | `Dolphin Computer Access` |
| `Epson iProjection` | 3.31 | Win32 | `Epson` |
| `eTests` | 4.0.25 | Win32 | `CASAS` |
| `FortiClient` | 7.2.0.4034+ | Win32 | `Fortinet` |
@@ -107,6 +108,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| `Illuminate Lockdown Browser` | 2.0.5 | Win32 | `Illuminate Education` |
| `Immunet` | 7.5.8.21178 | Win32 | `Immunet` |
| `Impero Backdrop Client` | 4.4.86 | Win32 | `Impero Software` |
+| `IMT Lazarus` | 2.86.0 | Win32 | `IMTLazarus` |
| `Inspiration 10` | 10.11 | Win32 | `TechEdology Ltd` |
| `JAWS for Windows` | 2022.2112.24 | Win32 | `Freedom Scientific` |
| `Kite Student Portal` | 9.0.0.0 | Win32 | `Dynamic Learning Maps` |
@@ -133,11 +135,12 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| `Remote Desktop client (MSRDC)` | 1.2.3213.0 | Win32 | `Microsoft` |
| `Remote Help` | 4.0.1.13 | Win32 | `Microsoft` |
| `Respondus Lockdown Browser` | 2.0.9.03 | Win32 | `Respondus` |
-| `Safe Exam Browser` | 3.3.2.413 | Win32 | `Safe Exam Browser` |
+| `Safe Exam Browser` | 3.4.1.505 | Win32 | `Safe Exam Browser` |
| `Senso.Cloud` | 2021.11.15.0 | Win32 | `Senso.Cloud` |
| `Smoothwall Monitor` | 2.8.0 | Win32 | `Smoothwall Ltd` |
| `SuperNova Magnifier & Screen Reader` | 21.02 | Win32 | `Dolphin Computer Access` |
| `SuperNova Magnifier & Speech` | 21.02 | Win32 | `Dolphin Computer Access` |
+|`TX Secure Browser` | 15.0.0 | Win32 | `Cambium Development`
| `VitalSourceBookShelf` | 10.2.26.0 | Win32 | `VitalSource Technologies Inc` |
| `Winbird` | 19 | Win32 | `Winbird Co., Ltd.` |
| `WordQ` | 5.4.23 | Win32 | `Mathetmots` |
diff --git a/images/grouppolicy-paste.png b/images/grouppolicy-paste.png
deleted file mode 100644
index ba2de148f1..0000000000
Binary files a/images/grouppolicy-paste.png and /dev/null differ
diff --git a/windows/client-management/change-history-for-mdm-documentation.md b/windows/client-management/change-history-for-mdm-documentation.md
index 899c2dc399..80c06690e1 100644
--- a/windows/client-management/change-history-for-mdm-documentation.md
+++ b/windows/client-management/change-history-for-mdm-documentation.md
@@ -3,7 +3,7 @@ title: Change history for MDM documentation
description: This article lists new and updated articles for Mobile Device Management.
author: vinaypamnani-msft
ms.author: vinpa
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.topic: article
ms.prod: windows-client
@@ -46,7 +46,7 @@ As of November 2020 This page will no longer be updated. This article lists new
|New or updated article | Description|
|--- | ---|
-|[Policy CSP - System](mdm/policy-csp-system.md)|Added the following new policy settings: - System/AllowDesktopAnalyticsProcessing - System/AllowMicrosoftManagedDesktopProcessing - System/AllowUpdateComplianceProcessing - System/AllowWUfBCloudProcessing
Updated the following policy setting: - System/AllowCommercialDataPipeline |
+|[Policy CSP - System](mdm/policy-csp-system.md)|Added the following new policy settings: - System/AllowDesktopAnalyticsProcessing - System/AllowMicrosoftManagedDesktopProcessing - System/AllowUpdateComplianceProcessing - System/AllowWUfBCloudProcessing
Updated the following policy setting: - System/AllowCommercialDataPipeline |
## June 2020
diff --git a/windows/client-management/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm-enrollment-of-windows-devices.md
index eba080fea2..f5d5c1dc39 100644
--- a/windows/client-management/mdm-enrollment-of-windows-devices.md
+++ b/windows/client-management/mdm-enrollment-of-windows-devices.md
@@ -285,13 +285,13 @@ The deep link used for connecting your device to work will always use the follow
> [!NOTE]
> AWA and Azure Active Directory-joined values for mode are only supported on Windows 10, version 1709 and later.
-
### Connect to MDM using a deep link
> [!NOTE]
-> Deep links only work with Internet Explorer or Microsoft Edge browsers. When connecting to MDM using a deep link, the URI you should use is:
-> **ms-device-enrollment:?mode=mdm**
-> **ms-device-enrollment:?mode=mdm&username=someone@example.com&servername=<`https://example.server.com`>**
+> Deep links only work with Internet Explorer or Microsoft Edge browsers. Examples of URI's that may be used to connect to MDM using a deep link:
+>
+> - **ms-device-enrollment:?mode=mdm**
+> - **ms-device-enrollment:?mode=mdm&username=`someone@example.com`&servername=`https://example.server.com`**
To connect your devices to MDM using deep links:
@@ -303,6 +303,9 @@ To connect your devices to MDM using deep links:
+ > [!NOTE]
+ > Ensure that your email filters do not block deep links.
+
- IT admins can also add this link to an internal web page that users refer to enrollment instructions.
2. After you select the link or run it, Windows 10 launches the enrollment app in a special mode that only allows MDM enrollments (similar to the Enroll into device management option in Windows 10, version 1511).
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md
index 5b7486628f..dccc4df62a 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md
@@ -1,7 +1,7 @@
---
title: Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite
description: Learn the policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -48,8 +48,8 @@ ms.date: 09/17/2019
- [Settings/AllowDateTime](policy-csp-settings.md#settings-allowdatetime)
- [Settings/AllowVPN](policy-csp-settings.md#settings-allowvpn)
- [Speech/AllowSpeechModelUpdate](policy-csp-speech.md#speech-allowspeechmodelupdate)
-- [System/AllowLocation](policy-csp-system.md#system-allowlocation)
-- [System/AllowTelemetry](policy-csp-system.md#system-allowtelemetry)
+- [System/AllowLocation](policy-csp-system.md#allowlocation)
+- [System/AllowTelemetry](policy-csp-system.md#allowtelemetry)
- [Update/AllowAutoUpdate](policy-csp-update.md#update-allowautoupdate)
- [Update/AllowUpdateService](policy-csp-update.md#update-allowupdateservice)
- [Update/RequireDeferUpgrade](policy-csp-update.md#update-requiredeferupgrade)
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md
index eebc6a88cf..78c0ec3a24 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md
@@ -1,7 +1,7 @@
---
title: Policies in Policy CSP supported by HoloLens (1st gen) Development Edition
description: Learn about the policies in Policy CSP supported by HoloLens (1st gen) Development Edition.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -46,8 +46,8 @@ ms.date: 07/18/2019
- [Settings/AllowDateTime](policy-csp-settings.md#settings-allowdatetime)
- [Settings/AllowVPN](policy-csp-settings.md#settings-allowvpn)
- [Speech/AllowSpeechModelUpdate](policy-csp-speech.md#speech-allowspeechmodelupdate)
-- [System/AllowTelemetry](policy-csp-system.md#system-allowtelemetry)
-- [System/AllowLocation](policy-csp-system.md#system-allowlocation)
+- [System/AllowTelemetry](policy-csp-system.md#allowtelemetry)
+- [System/AllowLocation](policy-csp-system.md#allowlocation)
- [Update/AllowAutoUpdate](policy-csp-update.md#update-allowautoupdate)
- [Update/AllowUpdateService](policy-csp-update.md#update-allowupdateservice)
- [Update/RequireUpdateApproval](policy-csp-update.md#update-requireupdateapproval)
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
index 62ead15ae0..082b79a3aa 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
@@ -1,7 +1,7 @@
---
title: Policies in Policy CSP supported by HoloLens 2
description: Learn about the policies in Policy CSP supported by HoloLens 2.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -104,10 +104,10 @@ ms.date: 08/01/2022
- [Storage/ConfigStorageSenseCloudContentDehydrationThreshold](policy-csp-storage.md#storage-configstoragesensecloudcontentdehydrationthreshold) 12
- [Storage/ConfigStorageSenseDownloadsCleanupThreshold](policy-csp-storage.md#storage-configstoragesensedownloadscleanupthreshold) 12
- [Storage/ConfigStorageSenseGlobalCadence](policy-csp-storage.md#storage-configstoragesenseglobalcadence) 12
-- [System/AllowCommercialDataPipeline](policy-csp-system.md#system-allowcommercialdatapipeline)
-- [System/AllowLocation](policy-csp-system.md#system-allowlocation)
-- [System/AllowStorageCard](policy-csp-system.md#system-allowstoragecard)
-- [System/AllowTelemetry](policy-csp-system.md#system-allowtelemetry)
+- [System/AllowCommercialDataPipeline](policy-csp-system.md#allowcommercialdatapipeline)
+- [System/AllowLocation](policy-csp-system.md#allowlocation)
+- [System/AllowStorageCard](policy-csp-system.md#allowstoragecard)
+- [System/AllowTelemetry](policy-csp-system.md#allowtelemetry)
- [TimeLanguageSettings/ConfigureTimeZone](./policy-csp-timelanguagesettings.md#timelanguagesettings-configuretimezone) 9
- [Update/ActiveHoursEnd](./policy-csp-update.md#update-activehoursend) 9
- [Update/ActiveHoursMaxRange](./policy-csp-update.md#update-activehoursmaxrange) 9
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
index bcc22cc6cb..a1cd81ffcb 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
@@ -64,9 +64,9 @@ ms.date: 07/22/2020
- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth)
- [Desktop/PreventUserRedirectionOfProfileFolders](policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders)
- [RestrictedGroups/ConfigureGroupMembership](policy-csp-restrictedgroups.md#restrictedgroups-configuregroupmembership)
-- [System/AllowLocation](policy-csp-system.md#system-allowlocation)
-- [System/AllowStorageCard](policy-csp-system.md#system-allowstoragecard)
-- [System/AllowTelemetry](policy-csp-system.md#system-allowtelemetry)
+- [System/AllowLocation](policy-csp-system.md#allowlocation)
+- [System/AllowStorageCard](policy-csp-system.md#allowstoragecard)
+- [System/AllowTelemetry](policy-csp-system.md#allowtelemetry)
- [TextInput/AllowIMELogging](policy-csp-textinput.md#textinput-allowimelogging)
- [TextInput/AllowIMENetworkAccess](policy-csp-textinput.md#textinput-allowimenetworkaccess)
- [TextInput/AllowInputPanel](policy-csp-textinput.md#textinput-allowinputpanel)
diff --git a/windows/client-management/mdm/policies-in-policy-csp-that-can-be-set-using-eas.md b/windows/client-management/mdm/policies-in-policy-csp-that-can-be-set-using-eas.md
index 601ad0b197..ee156ca4b2 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-that-can-be-set-using-eas.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-that-can-be-set-using-eas.md
@@ -1,7 +1,7 @@
---
title: Policies in Policy CSP that can be set using Exchange Active Sync (EAS)
description: Learn about the policies in Policy CSP that can be set using Exchange Active Sync (EAS).
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -30,8 +30,8 @@ ms.date: 07/18/2019
- [DeviceLock/PreventLockScreenSlideShow](policy-csp-devicelock.md#devicelock-preventlockscreenslideshow)
- [Search/AllowSearchToUseLocation](policy-csp-search.md#search-allowsearchtouselocation)
- [Security/RequireDeviceEncryption](policy-csp-security.md#security-requiredeviceencryption)
-- [System/AllowStorageCard](policy-csp-system.md#system-allowstoragecard)
-- [System/TelemetryProxy](policy-csp-system.md#system-telemetryproxy)
+- [System/AllowStorageCard](policy-csp-system.md#allowstoragecard)
+- [System/TelemetryProxy](policy-csp-system.md#telemetryproxy)
- [Wifi/AllowInternetSharing](policy-csp-wifi.md#wifi-allowinternetsharing)
- [Wifi/AllowWiFi](policy-csp-wifi.md#wifi-allowwifi)
diff --git a/windows/client-management/mdm/policy-csp-admx-datacollection.md b/windows/client-management/mdm/policy-csp-admx-datacollection.md
index 657cdef18f..d658533761 100644
--- a/windows/client-management/mdm/policy-csp-admx-datacollection.md
+++ b/windows/client-management/mdm/policy-csp-admx-datacollection.md
@@ -1,92 +1,95 @@
---
-title: Policy CSP - ADMX_DataCollection
-description: Learn about the Policy CSP - ADMX_DataCollection.
+title: ADMX_DataCollection Policy CSP
+description: Learn more about the ADMX_DataCollection Area in Policy CSP.
+author: vinaypamnani-msft
+manager: aaroncz
ms.author: vinpa
+ms.date: 01/09/2023
ms.localizationpriority: medium
-ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 12/01/2020
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
---
+
+
+
# Policy CSP - ADMX_DataCollection
-
-
-
-## ADMX_DataCollection policies
-
> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
+> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
+
+
+
+## CommercialIdPolicy
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device :x: User | :x: Home :heavy_check_mark: Pro :heavy_check_mark: Enterprise :heavy_check_mark: Education :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
-**ADMX_DataCollection/CommercialIdPolicy**
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_DataCollection/CommercialIdPolicy
+```
+
-
+
+
+This policy setting defines the identifier used to uniquely associate this device's diagnostic data data as belonging to a given organization. If your organization is participating in a program that requires this device to be identified as belonging to your organization then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program.
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+- If you disable or do not configure this policy setting, then Microsoft will not be able to use this identifier to associate this machine and its diagnostic data data with your organization.
+
-
-
+
+
+> [!IMPORTANT]
+> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration).
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+**Description framework properties**:
-> [!div class = "checklist"]
-> * Device
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
-
-This policy setting defines the identifier used to uniquely associate this device’s telemetry data as belonging to a given organization.
+**ADMX mapping**:
-If your organization is participating in a program that requires this device to be identified as belonging to your organization, then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program.
+| Name | Value |
+|:--|:--|
+| Name | CommercialIdPolicy |
+| Friendly Name | Configure the Commercial ID |
+| Location | Computer Configuration |
+| Path | WindowsComponents > Data Collection and Preview Builds |
+| Registry Key Name | Software\Policies\Microsoft\Windows\DataCollection |
+| ADMX File Name | DataCollection.admx |
+
-If you disable or don't configure this policy setting, then Microsoft won't be able to use this identifier to associate this machine and its telemetry data with your organization.
+
+
+
-
+
+
+
+
-
-ADMX Info:
-- GP Friendly name: *Configure the Commercial ID*
-- GP name: *CommercialIdPolicy*
-- GP path: *Windows Components\Data Collection and Preview Builds*
-- GP ADMX file name: *DataCollection.admx*
+
-
-
-
+## Related articles
-> [!NOTE]
-> These policies are for upcoming release.
-
-
-
-## Related topics
-
-[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
+[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md
index e26bcb675c..3475130df0 100644
--- a/windows/client-management/mdm/policy-csp-system.md
+++ b/windows/client-management/mdm/policy-csp-system.md
@@ -1,1615 +1,2159 @@
---
-title: Policy CSP - System
-description: Learn policy settings that determine whether users can access the Insider build controls in the advanced options for Windows Update.
+title: System Policy CSP
+description: Learn more about the System Area in Policy CSP.
+author: vinaypamnani-msft
+manager: aaroncz
ms.author: vinpa
-ms.topic: article
+ms.date: 01/09/2023
+ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.localizationpriority: medium
-ms.date: 08/26/2021
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
---
+
+
+
# Policy CSP - System
-
+> [!TIP]
+> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
-## System policies
+
+
+
-
+
+## AllowBuildPreview
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device :x: User | :x: Home :heavy_check_mark: Pro :heavy_check_mark: Enterprise :heavy_check_mark: Education :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/System/AllowBuildPreview
+```
+
-
-**System/AllowBuildPreview**
+
+
+This policy setting determines whether users can get preview builds of Windows, by configuring controls in Settings > Update and security > Windows Insider Program.
-
-The table below shows the applicability of Windows:
+- If you enable or do not configure this policy setting, users can download and install preview builds of Windows by configuring Windows Insider Program settings.
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+- If you disable this policy setting, Windows Insider Program settings will be unavailable to users through the Settings app.
-
-
+This policy is only supported up to Windows 10, Version 1703. Please use 'Manage preview builds' under 'Windows Update for Business' for newer Windows 10 versions.
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+
+
-> [!div class = "checklist"]
-> * Device
+
+**Description framework properties**:
-
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 2 |
+
-
-
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Not allowed. The item "Get Insider builds" is unavailable, users are unable to make their devices available for preview software. |
+| 1 | Allowed. Users can make their devices available for downloading and installing preview software. |
+| 2 (Default) | Not configured. Users can make their devices available for downloading and installing preview software. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | AllowBuildPreview |
+| Friendly Name | Toggle user control over Insider builds |
+| Location | Computer Configuration |
+| Path | WindowsComponents > Data Collection and Preview Builds |
+| Registry Key Name | Software\Policies\Microsoft\Windows\PreviewBuilds |
+| Registry Value Name | AllowBuildPreview |
+| ADMX File Name | AllowBuildPreview.admx |
+
+
+
+
+
+
+
+
+
+## AllowCommercialDataPipeline
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device :x: User | :x: Home :heavy_check_mark: Pro :heavy_check_mark: Enterprise :heavy_check_mark: Education :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/System/AllowCommercialDataPipeline
+```
+
+
+
+
+AllowCommercialDataPipeline configures an Azure Active Directory joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms at .
+To enable this behavior:
+
+1. Enable this policy setting
+2. Join an Azure Active Directory account to the device
+
+Windows diagnostic data is collected when the Allow Telemetry policy setting is set to value 1 - Required or above. Configuring this setting does not change the Windows diagnostic data collection level set for the device
+- If you disable or do not configure this setting, Microsoft will be the controller of the Windows diagnostic data collected from the device and processed in accordance with Microsoft's privacy statement at unless you have enabled policies like 'Allow Update Compliance Processing' or 'Allow Desktop Analytics Processing".
+See the documentation at for information on this and other policies that will result in Microsoft being the processor of Windows diagnostic data.
+
+
+
+
> [!NOTE]
-> This policy setting applies only to devices running Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
+> Configuring this setting doesn't affect the operation of optional analytics processor services like Desktop Analytics and Windows Update for Business reports.
-This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. These controls are located under "Get Insider builds," and enable users to make their devices available for downloading and installing Windows preview software.
+> [!IMPORTANT]
+> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration).
+
-If you enable or don't configure this policy setting, users can download and install Windows preview software on their devices. If you disable this policy setting, the item "Get Insider builds" will be unavailable.
+
+**Description framework properties**:
-
-
-ADMX Info:
-- GP Friendly name: *Toggle user control over Insider builds*
-- GP name: *AllowBuildPreview*
-- GP path: *Data Collection and Preview Builds*
-- GP ADMX file name: *AllowBuildPreview.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
-
-
-The following list shows the supported values:
+
+**Allowed values**:
-- 0 – Not allowed. The item "Get Insider builds" is unavailable, users are unable to make their devices available for preview software.
-- 1 – Allowed. Users can make their devices available for downloading and installing preview software.
-- 2 (default) – Not configured. Users can make their devices available for downloading and installing preview software.
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Disabled. |
+| 1 | Enabled. |
+
-
-
+
+**Group policy mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | AllowCommercialDataPipeline |
+| Friendly Name | Allow commercial data pipeline |
+| Location | Computer Configuration |
+| Path | WindowsComponents > Data Collection and Preview Builds |
+| Registry Key Name | Software\Policies\Microsoft\Windows\DataCollection |
+| ADMX File Name | DataCollection.admx |
+
-
-**System/AllowCommercialDataPipeline**
+
+
+
-
-The table below shows the applicability of Windows:
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+## AllowDesktopAnalyticsProcessing
-
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device :x: User | :x: Home :heavy_check_mark: Pro :heavy_check_mark: Enterprise :heavy_check_mark: Education :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763.1217] and later :heavy_check_mark: Windows 10, version 1903 [10.0.18362.836] and later :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/System/AllowDesktopAnalyticsProcessing
+```
+
-> [!div class = "checklist"]
-> * Device
+
+
+This policy setting, in combination with the Allow Telemetry and Configure the Commercial ID, enables organizations to configure the device so that Microsoft is the processor for Windows diagnostic data collected from the device, subject to the Product Terms at .
+To enable this behavior:
-
+1. Enable this policy setting
+2. Join an Azure Active Directory account to the device
-
-
-This policy setting configures an Azure Active Directory-joined device, so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the [Product Terms](https://www.microsoft.com/licensing/terms/productoffering).
-
-To enable this behavior, you must complete two steps:
-
- 1. Enable this policy setting.
- 2. Join an Azure Active Directory account to the device.
-
-Windows diagnostic data is collected when the Allow Telemetry policy setting is set to 1 – **Required (Basic)** or above.
-
-If you disable or don't configure this setting, Microsoft will be the controller of the Windows diagnostic data collected from the device and processed in accordance with Microsoft’s [privacy statement](https://go.microsoft.com/fwlink/?LinkId=521839) unless you have enabled policies like Allow Update Compliance Processing or Allow Desktop Analytics Processing.
-
-Configuring this setting doesn't change the Windows diagnostic data collection level set for the device or the operation of optional analytics processor services like Desktop Analytics and Windows Update for Business reports.
-
-See the documentation at [ConfigureWDD](https://aka.ms/ConfigureWDD) for information on this and other policies that will result in Microsoft being the processor of Windows diagnostic data.
-
-
-
-ADMX Info:
-- GP Friendly name: *Allow commercial data pipeline*
-- GP name: *AllowCommercialDataPipeline*
-- GP element: *AllowCommercialDataPipeline*
-- GP path: *Data Collection and Preview Builds*
-- GP ADMX file name: *DataCollection.admx*
-
-
-
-The following list shows the supported values:
-
-- 0 (default) - Disabled.
-- 1 - Enabled.
-
-
-
-
-
-
-
-
-
-
-
-
-
-**System/AllowDesktopAnalyticsProcessing**
-
-
-
-
-This policy setting, in combination with the Allow Telemetry and Configure the Commercial ID policy settings, enables organizations to configure the device so that Microsoft is the processor for Windows diagnostic data collected from the device, subject to the [Product Terms](https://www.microsoft.com/licensing/terms/productoffering).
-
-To enable this behavior, you must complete three steps:
-
- 1. Enable this policy setting.
- 2. Set **AllowTelemetry** to 1 – **Required (Basic)** or above.
- 3. Set the Configure the Commercial ID setting for your Desktop Analytics workspace.
-
-This setting has no effect on devices, unless they're properly enrolled in Desktop Analytics.
+3. Set Allow Telemetry to value 1 - Required, or higher
+4. Set the Configure the Commercial ID setting for your Desktop Analytics workspace
When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments.
+This setting has no effect on devices unless they are properly enrolled in Desktop Analytics.
+- If you disable this policy setting, devices will not appear in Desktop Analytics.
+
-If you disable or don't configure this policy setting, devices won't appear in Desktop Analytics.
+
+
+> [!IMPORTANT]
+> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration).
+
-The following list shows the supported values:
+
+**Description framework properties**:
-- 0 (default) – Disabled.
-- 2 – Allowed.
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+**Allowed values**:
-
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Disabled. |
+| 2 | Allowed. |
+
-
+
+**Group policy mapping**:
-
-**System/AllowDeviceNameInDiagnosticData**
+| Name | Value |
+|:--|:--|
+| Name | AllowDesktopAnalyticsProcessing |
+| Friendly Name | Allow Desktop Analytics Processing |
+| Location | Computer Configuration |
+| Path | WindowsComponents > Data Collection and Preview Builds |
+| Registry Key Name | Software\Policies\Microsoft\Windows\DataCollection |
+| ADMX File Name | DataCollection.admx |
+
-
-The table below shows the applicability of Windows:
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
-
-
+
+## AllowDeviceNameInDiagnosticData
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device :x: User | :x: Home :heavy_check_mark: Pro :heavy_check_mark: Enterprise :heavy_check_mark: Education :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later |
+
-> [!div class = "checklist"]
-> * Device
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/System/AllowDeviceNameInDiagnosticData
+```
+
-
+
+
+This policy allows the device name to be sent to Microsoft as part of Windows diagnostic data.
-
-
-This policy allows the device name to be sent to Microsoft as part of Windows diagnostic data. If you disable or don't configure this policy setting, then device name won't be sent to Microsoft as part of Windows diagnostic data.
+- If you disable or do not configure this policy setting, then device name will not be sent to Microsoft as part of Windows diagnostic data.
+
-
-
-ADMX Info:
-- GP Friendly name: *Allow device name to be sent in Windows diagnostic data*
-- GP name: *AllowDeviceNameInDiagnosticData*
-- GP element: *AllowDeviceNameInDiagnosticData*
-- GP path: *Data Collection and Preview Builds*
-- GP ADMX file name: *DataCollection.admx*
+
+
+
-
-
-The following list shows the supported values:
+
+**Description framework properties**:
-- 0 (default) – Disabled.
-- 1 – Allowed.
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
-
-
+
+**Allowed values**:
-
-
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Disabled. |
+| 1 | Allowed. |
+
-
-
+
+**Group policy mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | AllowDeviceNameInDiagnosticData |
+| Friendly Name | Allow device name to be sent in Windows diagnostic data |
+| Location | Computer Configuration |
+| Path | WindowsComponents > Data Collection and Preview Builds |
+| Registry Key Name | Software\Policies\Microsoft\Windows\DataCollection |
+| ADMX File Name | DataCollection.admx |
+
-
-**System/AllowEmbeddedMode**
+
+
+
-
-The table below shows the applicability of Windows:
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+## AllowEmbeddedMode
-
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device :x: User | :x: Home :heavy_check_mark: Pro :heavy_check_mark: Enterprise :heavy_check_mark: Education :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/System/AllowEmbeddedMode
+```
+
-> [!div class = "checklist"]
-> * Device
+
+
+Specifies whether set general purpose device to be in embedded mode. Most restricted value is 0.
+
-
+
+
+
-
-
-Specifies whether set general purpose device to be in embedded mode.
+
+**Description framework properties**:
-Most restricted value is 0.
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
-
-
-The following list shows the supported values:
+
+**Allowed values**:
-- 0 (default) – Not allowed.
-- 1 – Allowed.
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Not allowed. |
+| 1 | Allowed. |
+
-
-
+
+
+
-
+
-
-**System/AllowExperimentation**
+
+## AllowExperimentation
-
-The table below shows the applicability of Windows:
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device :x: User | :x: Home :heavy_check_mark: Pro :heavy_check_mark: Enterprise :heavy_check_mark: Education :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/System/AllowExperimentation
+```
+
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
+
+
> [!NOTE]
-> This policy isn't supported in Windows 10, version 1607.
+> This policy is not supported in Windows 10, version 1607. This policy setting determines the level that Microsoft can experiment with the product to study user preferences or device behavior. Most restricted value is 0.
+
-This policy setting determines the level that Microsoft can experiment with the product to study user preferences or device behavior.
+
+
+
-Most restricted value is 0.
+
+**Description framework properties**:
-
-
-The following list shows the supported values:
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+
-- 0 – Disabled.
-- 1 (default) – Permits Microsoft to configure device settings only.
-- 2 – Allows Microsoft to conduct full experimentation.
+
+**Allowed values**:
-
-
+| Value | Description |
+|:--|:--|
+| 0 | Disabled. |
+| 1 (Default) | Permits Microsoft to configure device settings only. |
+| 2 | Allows Microsoft to conduct full experimentation. |
+
-
+
+
+
-
-**System/AllowFontProviders**
+
-
-The table below shows the applicability of Windows:
+
+## AllowFontProviders
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device :x: User | :x: Home :heavy_check_mark: Pro :heavy_check_mark: Enterprise :heavy_check_mark: Education :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
-
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/System/AllowFontProviders
+```
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+
+This policy setting determines whether Windows is allowed to download fonts and font catalog data from an online font provider.
-> [!div class = "checklist"]
-> * Device
+- If you enable this policy setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text.
-
+- If you disable this policy setting, Windows does not connect to an online font provider and only enumerates locally-installed fonts.
-
-
-Boolean policy setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. If you enable this setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text. If you disable this policy setting, Windows doesn't connect to an online font provider and only enumerates locally installed fonts.
+- If you do not configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot.
+
+
+
This MDM setting corresponds to the EnableFontProviders Group Policy setting. If both the Group Policy and the MDM settings are configured, the group policy setting takes precedence. If neither is configured, the behavior depends on a DisableFontProviders registry value. In server editions, this registry value is set to 1 by default, so the default behavior is false (disabled). In all other editions, the registry value isn't set by default, so the default behavior is true (enabled).
This setting is used by lower-level components for text display and fond handling and hasn't direct effect on web browsers, which may download web fonts used in web content.
> [!NOTE]
> Reboot is required after setting the policy; alternatively you can stop and restart the FontCache service.
+
-
-
-ADMX Info:
-- GP Friendly name: *Enable Font Providers*
-- GP name: *EnableFontProviders*
-- GP path: *Network/Fonts*
-- GP ADMX file name: *GroupPolicy.admx*
+
+**Description framework properties**:
-
-
-The following list shows the supported values:
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+
-- 0 - false - No traffic to fs.microsoft.com, and only locally installed fonts are available.
-- 1 - true (default) - There may be network traffic to fs.microsoft.com, and downloadable fonts are available to apps that support them.
+
+**Allowed values**:
-
-
-To verify if System/AllowFontProviders is set to true:
+| Value | Description |
+|:--|:--|
+| 0 | Not allowed. No traffic to fs.microsoft.com and only locally installed fonts are available. |
+| 1 (Default) | Allowed. There may be network traffic to fs.microsoft.com and downloadable fonts are available to apps that support them. |
+
-- After a client machine is rebooted, check whether there's any network traffic from client machine to fs.microsoft.com.
+
+**Group policy mapping**:
-
-
+| Name | Value |
+|:--|:--|
+| Name | EnableFontProviders |
+| Friendly Name | Enable Font Providers |
+| Location | Computer Configuration |
+| Path | Network > Fonts |
+| Registry Key Name | Software\Policies\Microsoft\Windows\System |
+| Registry Value Name | EnableFontProviders |
+| ADMX File Name | GroupPolicy.admx |
+
-
+
+
+
-
-**System/AllowLocation**
+
-
-The table below shows the applicability of Windows:
+
+## AllowLocation
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device :x: User | :x: Home :heavy_check_mark: Pro :heavy_check_mark: Enterprise :heavy_check_mark: Education :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
-
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/System/AllowLocation
+```
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+
+Specifies whether to allow app access to the Location service. Most restricted value is 0. While the policy is set to 0 (Force Location Off) or 2 (Force Location On), any Location service call from an app would trigger the value set by this policy. When switching the policy back from 0 (Force Location Off) or 2 (Force Location On) to 1 (User Control), the app reverts to its original Location service setting. For example, an app's original Location setting is Off. The administrator then sets the AllowLocation policy to 2 (Force Location On. ) The Location service starts working for that app, overriding the original setting. Later, if the administrator switches the AllowLocation policy back to 1 (User Control), the app will revert to using its original setting of Off.
+
-> [!div class = "checklist"]
-> * Device
+
+
+
-
+
+**Description framework properties**:
-
-
-Specifies whether to allow app access to the Location service.
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+
-Most restricted value is 0.
+
+**Allowed values**:
-While the policy is set to 0 (Force Location Off) or 2 (Force Location On), any Location service call from an app would trigger the value set by this policy.
+| Value | Description |
+|:--|:--|
+| 0 | Force Location Off. All Location Privacy settings are toggled off and grayed out. Users cannot change the settings, and no apps are allowed access to the Location service, including Cortana and Search. |
+| 1 (Default) | Location service is allowed. The user has control and can change Location Privacy settings on or off. |
+| 2 | Force Location On. All Location Privacy settings are toggled on and grayed out. Users cannot change the settings and all consent permissions will be automatically suppressed. |
+
-When switching the policy back from 0 (Force Location Off) or 2 (Force Location On) to 1 (User Control), the app reverts to its original Location service setting.
+
+**Group policy mapping**:
-For example, an app's original Location setting is Off. The administrator then sets the **AllowLocation** policy to 2 (Force Location On.) The Location service starts working for that app, overriding the original setting. Later, if the administrator switches the **AllowLocation** policy back to 1 (User Control), the app will revert to using its original setting of Off.
+| Name | Value |
+|:--|:--|
+| Name | DisableLocation_2 |
+| Friendly Name | Turn off location |
+| Location | Computer Configuration |
+| Path | Windows Components > Location and Sensors |
+| Registry Key Name | Software\Policies\Microsoft\Windows\LocationAndSensors |
+| Registry Value Name | DisableLocation |
+| ADMX File Name | Sensors.admx |
+
-
-
-ADMX Info:
-- GP Friendly name: *Turn off location*
-- GP name: *DisableLocation_2*
-- GP path: *Windows Components/Location and Sensors*
-- GP ADMX file name: *Sensors.admx*
+
+
+
-
-
-The following list shows the supported values:
+
-- 0 – Force Location Off. All Location Privacy settings are toggled off and grayed out. Users can't change the settings, and no apps are allowed access to the Location service, including Cortana and Search.
-- 1 (default) – Location service is allowed. The user has control and can change Location Privacy settings on or off.
-- 2 – Force Location On. All Location Privacy settings are toggled on and grayed out. Users can't change the settings and all consent permissions will be automatically suppressed.
+
+## AllowMicrosoftManagedDesktopProcessing
-
-
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device :x: User | :x: Home :heavy_check_mark: Pro :heavy_check_mark: Enterprise :heavy_check_mark: Education :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763.1217] and later :heavy_check_mark: Windows 10, version 1903 [10.0.18362.836] and later :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
-**System/AllowMicrosoftManagedDesktopProcessing**
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/System/AllowMicrosoftManagedDesktopProcessing
+```
+
-
-
+
+
+This policy is deprecated and will only work on Windows 10 version 1809. Setting this policy will have no effect for other supported versions of Windows.
+This policy setting configures an Azure Active Directory joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms at .
+For customers who enroll into the Microsoft Managed Desktop service, enabling this policy is required to allow Microsoft to process data for operational and analytic needs. See for more information.
+hen these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments.
+This setting has no effect on devices unless they are properly enrolled in Microsoft Managed Desktop.
+- If you disable this policy setting, devices may not appear in Microsoft Managed Desktop.
+
-This policy setting configures an Azure Active Directory-joined device so that Microsoft is the processor of the Windows diagnostic data.
+
+
+> [!IMPORTANT]
+> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration).
+
-For customers who enroll into the Microsoft Managed Desktop service, this policy will be enabled by default to allow Microsoft to process data for operational and analytic needs. For more information, see [Privacy and personal data](/microsoft-365/managed-desktop/service-description/privacy-personal-data).
+
+**Description framework properties**:
-This setting has no effect on devices, unless they're properly enrolled in Microsoft Managed Desktop.
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Disabled. |
+| 32 | Allowed. |
+
+
+
+
+
+
+
+
+
+## AllowStorageCard
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device :x: User | :x: Home :heavy_check_mark: Pro :heavy_check_mark: Enterprise :heavy_check_mark: Education :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/System/AllowStorageCard
+```
+
+
+
+
+Controls whether the user is allowed to use the storage card for device storage. This setting prevents programmatic access to the storage card. Most restricted value is 0.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | SD card use is not allowed and USB drives are disabled. This setting does not prevent programmatic access to the storage card. |
+| 1 (Default) | Allow a storage card. |
+
+
+
+
+
+
+
+
+
+## AllowTelemetry
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device :heavy_check_mark: User | :x: Home :heavy_check_mark: Pro :heavy_check_mark: Enterprise :heavy_check_mark: Education :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/System/AllowTelemetry
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/System/AllowTelemetry
+```
+
+
+
+
+By configuring this policy setting you can adjust what diagnostic data is collected from Windows. This policy setting also restricts the user from increasing the amount of diagnostic data collection via the Settings app. The diagnostic data collected under this policy impacts the operating system and apps that are considered part of Windows and does not apply to any additional apps installed by your organization.
+
+- Diagnostic data off (not recommended). Using this value, no diagnostic data is sent from the device. This value is only supported on Enterprise, Education, and Server editions.
+- Send required diagnostic data. This is the minimum diagnostic data necessary to keep Windows secure, up to date, and performing as expected. Using this value disables the "Optional diagnostic data" control in the Settings app.
+- Send optional diagnostic data. Additional diagnostic data is collected that helps us to detect, diagnose and fix issues, as well as make product improvements. Required diagnostic data will always be included when you choose to send optional diagnostic data. Optional diagnostic data can also include diagnostic log files and crash dumps. Use the "Limit Dump Collection" and the "Limit Diagnostic Log Collection" policies for more granular control of what optional diagnostic data is sent.
+
+- If you disable or do not configure this policy setting, the device will send required diagnostic data and the end user can choose whether to send optional diagnostic data from the Settings app.
+
+**Note**:
+The "Configure diagnostic data opt-in settings user interface" group policy can be used to prevent end users from changing their data collection settings.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Security. Information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender. Note: This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1. |
+| 1 (Default) | Basic. Basic device info, including: quality-related data, app compatibility, app usage data, and data from the Security level. |
+| 3 | Full. All data necessary to identify and help to fix problems, plus data from the Security, Basic, and Enhanced levels. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | AllowTelemetry |
+| Friendly Name | Allow Diagnostic Data |
+| Location | Computer and User Configuration |
+| Path | WindowsComponents > Data Collection and Preview Builds |
+| Registry Key Name | Software\Policies\Microsoft\Windows\DataCollection |
+| ADMX File Name | DataCollection.admx |
+
+
+
+
+
+
+
+
+
+## AllowUpdateComplianceProcessing
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device :x: User | :x: Home :heavy_check_mark: Pro :heavy_check_mark: Enterprise :heavy_check_mark: Education :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763.1217] and later :heavy_check_mark: Windows 10, version 1903 [10.0.18362.836] and later :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/System/AllowUpdateComplianceProcessing
+```
+
+
+
+
+This policy setting, in combination with the Allow Telemetry and Configure the Commercial ID, enables organizations to configure the device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms at .
+To enable this behavior:
+
+1. Enable this policy setting
+2. Join an Azure Active Directory account to the device
+
+3. Set Allow Telemetry to value 1 - Required, or higher
+4. Set the Configure the Commercial ID setting for your Update Compliance workspace
When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments.
+- If you disable or do not configure this policy setting, devices will not appear in Update Compliance.
+
-If you disable this policy setting, devices may not appear in Microsoft Managed Desktop.
+
+
+> [!IMPORTANT]
+> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration).
+
->[!IMPORTANT]
-> You should not disable or make changes to this policy as that will severely impact the ability of Microsoft Managed Desktop to manage the devices.
+
+**Description framework properties**:
-
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
-
-**System/AllowStorageCard**
+
+**Allowed values**:
-
-The table below shows the applicability of Windows:
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Disabled. |
+| 16 | Enabled. |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+**Group policy mapping**:
-
-
+| Name | Value |
+|:--|:--|
+| Name | AllowUpdateComplianceProcessing |
+| Friendly Name | Allow Update Compliance Processing |
+| Location | Computer Configuration |
+| Path | WindowsComponents > Data Collection and Preview Builds |
+| Registry Key Name | Software\Policies\Microsoft\Windows\DataCollection |
+| ADMX File Name | DataCollection.admx |
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+
+
-> [!div class = "checklist"]
-> * Device
+
-
+
+## AllowUserToResetPhone
-
-
-Controls whether the user is allowed to use the storage card for device storage. This setting prevents programmatic access to the storage card.
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device :x: User | :x: Home :heavy_check_mark: Pro :heavy_check_mark: Enterprise :heavy_check_mark: Education :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
-Most restricted value is 0.
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/System/AllowUserToResetPhone
+```
+
-
-
-The following list shows the supported values:
+
+
+Specifies whether to allow the user to factory reset the device by using control panel and hardware key combination. Most restricted value is 0. Tip, This policy is also applicable to Windows 10 and not exclusive to phone.
+
-- 0 – SD card use isn't allowed, and USB drives are disabled. This setting doesn't prevent programmatic access to the storage card.
-- 1 (default) – Allow a storage card.
+
+
+
-
-
+
+**Description framework properties**:
-
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+
-
-**System/AllowTelemetry**
+
+**Allowed values**:
-
-The table below shows the applicability of Windows:
+| Value | Description |
+|:--|:--|
+| 0 | Not allowed. |
+| 1 (Default) | Allowed to reset to factory default settings. |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+## AllowWUfBCloudProcessing
-> [!div class = "checklist"]
-> * User
-> * Device
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device :x: User | :x: Home :heavy_check_mark: Pro :heavy_check_mark: Enterprise :heavy_check_mark: Education :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763.1217] and later :heavy_check_mark: Windows 10, version 1903 [10.0.18362.836] and later :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/System/AllowWUfBCloudProcessing
+```
+
-
-
-Allows the device to send diagnostic and usage telemetry data, such as Watson.
+
+
+This policy setting configures an Azure Active Directory joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms at .
+To enable this behavior:
-For more information about diagnostic data, including what is and what isn't collected by Windows, see [Configure Windows diagnostic data in your organization](/windows/privacy/configure-windows-diagnostic-data-in-your-organization).
+1. Enable this policy setting
+2. Join an Azure Active Directory account to the device
-The following list shows the supported values for Windows 8.1:
-- 0 - Not allowed.
-- 1 – Allowed, except for Secondary Data Requests.
-- 2 (default) – Allowed.
-
-In Windows 10, you can configure this policy setting to decide what level of diagnostic data to send to Microsoft.
-
-The following list shows the supported values for Windows 10 version 1809 and older, choose the value that is applicable to your OS version (older OS values are displayed in the brackets):
-
-- 0 – **Off (Security)** This value turns Windows diagnostic data off.
-
- > [!NOTE]
- > This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 IoT Core (IoT Core), HoloLens 2, and Windows Server 2016 (and later versions). Using this setting on other devices editions of Windows is equivalent to setting the value of 1.
-
-- 1 – **Required (Basic)** Sends basic device info, including quality-related data, app compatibility, and other similar data to keep the device secure and up-to-date.
-
-- 2 – (**Enhanced**) Sends the same data as a value of 1, plus extra insights, including how Windows apps are used, how they perform, and advanced reliability data, such as limited crash dumps.
-
- > [!NOTE]
- > **Enhanced** is no longer an option for Windows Holographic, version 21H1.
-
-- 3 – **Optional (Full)** Sends the same data as a value of 2, plus extra data necessary to identify and fix problems with devices such as enhanced error logs.
-
-Most restrictive value is 0.
-
-
-
-ADMX Info:
-- GP Friendly name: *Allow Telemetry*
-- GP name: *AllowTelemetry*
-- GP element: *AllowTelemetry*
-- GP path: *Data Collection and Preview Builds*
-- GP ADMX file name: *DataCollection.admx*
-
-
-
-
-
-
-
-**System/AllowUpdateComplianceProcessing**
-
-
-The table below shows the applicability of Windows:
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-
-This policy setting, in combination with the Allow Telemetry and Configure the Commercial ID policy settings, enables organizations to configure the device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the [Product Terms](https://www.microsoft.com/licensing/terms/productoffering).
-
-To enable this behavior, you must complete three steps:
-
- 1. Enable this policy setting.
- 2. Set **AllowTelemetry** to 1 – **Required (Basic)** or above.
- 3. If you're using Update Compliance rather than Windows Update for Business reports, set the Configure the Commercial ID setting for your Update Compliance workspace.
+3. Set Allow Telemetry to value 1 - Required, or higher
When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments.
+- If you disable or do not configure this policy setting, devices enrolled to the Windows Update for Business deployment service will not be able to take advantage of some deployment service features.
+
-If you disable or don't configure this policy setting, devices won't appear in Windows Update for Business reports or Update Compliance.
+
+
+> [!IMPORTANT]
+> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration).
+
-
-
-ADMX Info:
-- GP Friendly name: *Allow Update Compliance Processing*
-- GP name: *AllowUpdateComplianceProcessing*
-- GP element: *AllowUpdateComplianceProcessing*
-- GP path: *Data Collection and Preview Builds*
-- GP ADMX file name: *DataCollection.admx*
+
+**Description framework properties**:
-
-
-The following list shows the supported values:
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
-- 0 - Disabled.
-- 16 - Enabled.
-
-
+
+**Allowed values**:
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Disabled. |
+| 8 | Enabled. |
+
-
+
+**Group policy mapping**:
-
-**System/AllowUserToResetPhone**
+| Name | Value |
+|:--|:--|
+| Name | AllowWUfBCloudProcessing |
+| Friendly Name | Allow WUfB Cloud Processing |
+| Location | Computer Configuration |
+| Path | WindowsComponents > Data Collection and Preview Builds |
+| Registry Key Name | Software\Policies\Microsoft\Windows\DataCollection |
+| ADMX File Name | DataCollection.admx |
+
-
-The table below shows the applicability of Windows:
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
-
-
+
+## BootStartDriverInitialization
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device :x: User | :x: Home :heavy_check_mark: Pro :heavy_check_mark: Enterprise :heavy_check_mark: Education :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
-> [!div class = "checklist"]
-> * Device
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/System/BootStartDriverInitialization
+```
+
-
-
-
-
-Specifies whether to allow the user to factory reset the device by using control panel and hardware key combination.
-
-Most restricted value is 0.
-
-> [!TIP]
-> This policy is also applicable to Windows 10 and not exclusive to phone.
-
-
-The following list shows the supported values:
-- 0 – Not allowed.
-- 1 (default) – Allowed to reset to factory default settings.
-
-
-
-
-
-
-**System/AllowWUfBCloudProcessing**
-
-
-
-
-
-
-This policy setting configures an Azure Active Directory-joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the [Product Terms](https://www.microsoft.com/licensing/terms/productoffering).
-
-To enable this behavior, you must complete three steps:
-
- 1. Enable this policy setting.
- 2. Set **AllowTelemetry** to 1 – **Required (Basic)** or above.
- 3. Join an Azure Active Directory account to the device.
-
-When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments.
-
-If you disable or don't configure this policy setting, devices enrolled to the Windows Update for Business deployment service won't be able to take advantage of some deployment service features.
-
-
-
-
-
-The following list shows the supported values:
-
-- 0 - Disabled.
-- 8 - Enabled.
-
-
-
-
-**System/BootStartDriverInitialization**
-
-
-The table below shows the applicability of Windows:
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
+
+
This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver:
-- Good: The driver has been signed and hasn't been tampered with.
-- Bad: The driver has been identified as malware. It's recommended that you don't allow known bad drivers to be initialized.
-- Bad, but required for boot: The driver has been identified as malware, but the computer can't successfully boot without loading this driver.
-- Unknown: This driver hasn't been attested to by your malware detection application and hasn't been classified by the Early Launch Antimalware boot-start driver.
+- Good: The driver has been signed and has not been tampered with.
+- Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized.
+- Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver.
+- Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver.
-If you enable this policy setting, you'll be able to choose which boot-start drivers to initialize next time the computer is started.
+- If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started.
-If you disable or don't configure this policy setting, the boot start drivers determined to be Good, Unknown, or Bad, but Boot Critical are initialized and the initialization of drivers determined to be Bad is skipped.
+- If you disable or do not configure this policy setting, the boot start drivers determined to be Good, Unknown or Bad but Boot Critical are initialized and the initialization of drivers determined to be Bad is skipped.
-If your malware detection application doesn't include an Early Launch Antimalware boot-start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized.
+If your malware detection application does not include an Early Launch Antimalware boot-start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized.
+
-
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
-ADMX Info:
-- GP Friendly name: *Boot-Start Driver Initialization Policy*
-- GP name: *POL_DriverLoadPolicy_Name*
-- GP path: *System/Early Launch Antimalware*
-- GP ADMX file name: *earlylauncham.admx*
+**ADMX mapping**:
-
-
+| Name | Value |
+|:--|:--|
+| Name | POL_DriverLoadPolicy_Name |
+| Friendly Name | Boot-Start Driver Initialization Policy |
+| Location | Computer Configuration |
+| Path | System > Early Launch Antimalware |
+| Registry Key Name | System\CurrentControlSet\Policies\EarlyLaunch |
+| Registry Value Name | DriverLoadPolicy |
+| ADMX File Name | EarlyLaunchAM.admx |
+
-
+
+
+
-
-**System/ConfigureMicrosoft365UploadEndpoint**
+
-
-The table below shows the applicability of Windows:
+
+## ConfigureMicrosoft365UploadEndpoint
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device :x: User | :x: Home :heavy_check_mark: Pro :heavy_check_mark: Enterprise :heavy_check_mark: Education :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later |
+
-
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/System/ConfigureMicrosoft365UploadEndpoint
+```
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-This policy sets the upload endpoint for this device’s diagnostic data as part of the Microsoft 365 Update Readiness program.
+
+
+This policy sets the upload endpoint for this device's diagnostic data as part of the Desktop Analytics program.
If your organization is participating in the program and has been instructed to configure a custom upload endpoint, then use this setting to define that endpoint.
-
The value for this setting will be provided by Microsoft as part of the onboarding process for the program.
+
-Supported value type is string.
-
-
-ADMX Info:
-- GP Friendly name: *Configure Microsoft 365 Update Readiness upload endpoint*
-- GP name: *ConfigureMicrosoft365UploadEndpoint*
-- GP element: *ConfigureMicrosoft365UploadEndpoint*
-- GP path: *Data Collection and Preview Builds*
-- GP ADMX file name: *DataCollection.admx*
+
+
+
-
-
+
+**Description framework properties**:
-
-
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
+
+**Group policy mapping**:
-
-
+| Name | Value |
+|:--|:--|
+| Name | ConfigureMicrosoft365UploadEndpoint |
+| Friendly Name | Configure diagnostic data upload endpoint for Desktop Analytics |
+| Element Name | Desktop Analytics Custom Upload Endpoint |
+| Location | Computer Configuration |
+| Path | WindowsComponents > Data Collection and Preview Builds |
+| Registry Key Name | Software\Policies\Microsoft\Windows\DataCollection |
+| ADMX File Name | DataCollection.admx |
+
-
+
+
+
-
-**System/ConfigureTelemetryOptInChangeNotification**
+
-
-The table below shows the applicability of Windows:
+
+## ConfigureTelemetryOptInChangeNotification
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device :x: User | :x: Home :heavy_check_mark: Pro :heavy_check_mark: Enterprise :heavy_check_mark: Education :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+
-
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/System/ConfigureTelemetryOptInChangeNotification
+```
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+
+This policy setting controls whether notifications are shown, following a change to diagnostic data opt-in settings, on first logon and when the changes occur in settings.
-> [!div class = "checklist"]
-> * Device
+If you set this policy setting to "Disable diagnostic data change notifications", diagnostic data opt-in change notifications will not appear.
-
+If you set this policy setting to "Enable diagnostic data change notifications" or don't configure this policy setting, diagnostic data opt-in change notifications appear at first logon and when the changes occur in Settings.
+
-
-
-This policy setting determines whether a device shows notifications about telemetry levels to people on first sign in or when changes occur in Settings.
+
+
+
-- If you set this policy setting to "Disable telemetry change notifications", telemetry level notifications stop appearing.
-- If you set this policy setting to "Enable telemetry change notifications" or don't configure this policy setting, telemetry notifications appear at first sign in and when changes occur in Settings.
+
+**Description framework properties**:
-
-
-ADMX Info:
-- GP Friendly name: *Configure telemetry opt-in change notifications.*
-- GP name: *ConfigureTelemetryOptInChangeNotification*
-- GP element: *ConfigureTelemetryOptInChangeNotification*
-- GP path: *Data Collection and Preview Builds*
-- GP ADMX file name: *DataCollection.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
-
-
-The following list shows the supported values:
-- 0 (default) - Enable telemetry change notifications
-- 1 - Disable telemetry change notifications
-
-
+
+**Allowed values**:
-
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Enable telemetry change notifications. |
+| 1 | Disable telemetry change notifications. |
+
-
-**System/ConfigureTelemetryOptInSettingsUx**
+
+**Group policy mapping**:
-
-The table below shows the applicability of Windows:
+| Name | Value |
+|:--|:--|
+| Name | ConfigureTelemetryOptInChangeNotification |
+| Friendly Name | Configure diagnostic data opt-in change notifications |
+| Location | Computer Configuration |
+| Path | WindowsComponents > Data Collection and Preview Builds |
+| Registry Key Name | Software\Policies\Microsoft\Windows\DataCollection |
+| ADMX File Name | DataCollection.admx |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+## ConfigureTelemetryOptInSettingsUx
-> [!div class = "checklist"]
-> * Device
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device :x: User | :x: Home :heavy_check_mark: Pro :heavy_check_mark: Enterprise :heavy_check_mark: Education :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/System/ConfigureTelemetryOptInSettingsUx
+```
+
-
-
-This policy setting determines whether people can change their own telemetry levels in Settings. This setting should be used in conjunction with the Allow Telemetry settings.
+
+
+This policy setting determines whether an end user can change diagnostic data settings in the Settings app.
-If you set this policy setting to "Disable Telemetry opt-in Settings", telemetry levels are disabled in Settings, preventing people from changing them.
+If you set this policy setting to "Disable diagnostic data opt-in settings", diagnostic data settings are disabled in the Settings app.
-If you set this policy setting to "Enable Telemetry opt-in Settings" or don't configure this policy setting, people can change their own telemetry levels in Settings.
+- If you don't configure this policy setting, or you set it to "Enable diagnostic data opt-in settings", end users can change the device diagnostic settings in the Settings app.
-> [!Note]
-> Set the Allow Telemetry policy setting to prevent people from sending diagnostic data to Microsoft beyond your organization's acceptable level of data disclosure.
+**Note**:
+To set a limit on the amount of diagnostic data that is sent to Microsoft by your organization, use the "Allow Diagnostic Data" policy setting.
+
-
-
-ADMX Info:
-- GP Friendly name: *Configure telemetry opt-in setting user interface.*
-- GP name: *ConfigureTelemetryOptInSettingsUx*
-- GP element: *ConfigureTelemetryOptInSettingsUx*
-- GP path: *Data Collection and Preview Builds*
-- GP ADMX file name: *DataCollection.admx*
+
+
+
-
-
-The following list shows the supported values:
-- 0 (default) - Enable Telemetry opt-in Settings
-- 1 - Disable Telemetry opt-in Settings
-
-
+
+**Description framework properties**:
-
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
-
-**System/DisableDeviceDelete**
+
+**Allowed values**:
-
-The table below shows the applicability of Windows:
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Enable Telemetry opt-in Settings. |
+| 1 | Disable Telemetry opt-in Settings. |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+**Group policy mapping**:
-
-
+| Name | Value |
+|:--|:--|
+| Name | ConfigureTelemetryOptInSettingsUx |
+| Friendly Name | Configure diagnostic data opt-in settings user interface |
+| Location | Computer Configuration |
+| Path | WindowsComponents > Data Collection and Preview Builds |
+| Registry Key Name | Software\Policies\Microsoft\Windows\DataCollection |
+| ADMX File Name | DataCollection.admx |
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+
+
-> [!div class = "checklist"]
-> * Device
+
-
+
+## DisableDeviceDelete
-
-
-This policy setting controls whether the Delete diagnostic data button is enabled in Diagnostic & Feedback Settings page.
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device :x: User | :x: Home :heavy_check_mark: Pro :heavy_check_mark: Enterprise :heavy_check_mark: Education :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/System/DisableDeviceDelete
+```
+
+
+
+
+This policy setting controls whether the Delete diagnostic data button is enabled in Diagnostic & feedback Settings page.
- If you enable this policy setting, the Delete diagnostic data button will be disabled in Settings page, preventing the deletion of diagnostic data collected by Microsoft from the device.
+
- If you disable or don't configure this policy setting, the Delete diagnostic data button will be enabled in Settings page, which allows people to erase all diagnostic data collected by Microsoft from that device.
+
-
-
-ADMX Info:
-- GP Friendly name: *Disable deleting diagnostic data*
-- GP name: *DisableDeviceDelete*
-- GP element: *DisableDeviceDelete*
-- GP path: *Data Collection and Preview Builds*
-- GP ADMX file name: *DataCollection.admx*
+
+
+
-
-
+
+**Description framework properties**:
-
-
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
-
-
+
+**Allowed values**:
-
-
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Not disabled. |
+| 1 | Disabled. |
+
-
+
+**Group policy mapping**:
-
-**System/DisableDiagnosticDataViewer**
+| Name | Value |
+|:--|:--|
+| Name | DisableDeviceDelete |
+| Friendly Name | Disable deleting diagnostic data |
+| Location | Computer Configuration |
+| Path | WindowsComponents > Data Collection and Preview Builds |
+| Registry Key Name | Software\Policies\Microsoft\Windows\DataCollection |
+| ADMX File Name | DataCollection.admx |
+
-
-The table below shows the applicability of Windows:
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
-
-
+
+## DisableDiagnosticDataViewer
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device :x: User | :x: Home :heavy_check_mark: Pro :heavy_check_mark: Enterprise :heavy_check_mark: Education :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later |
+
-> [!div class = "checklist"]
-> * Device
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/System/DisableDiagnosticDataViewer
+```
+
-
+
+
+This policy setting controls whether users can enable and launch the Diagnostic Data Viewer from the Diagnostic & feedback Settings page.
-
-
-This policy setting controls whether users can enable and launch the Diagnostic Data Viewer from the Diagnostic & Feedback Settings page.
+- If you enable this policy setting, the Diagnostic Data Viewer will not be enabled in Settings page, and it will prevent the viewer from showing diagnostic data collected by Microsoft from the device.
-- If you enable this policy setting, the Diagnostic Data Viewer won't be enabled in Settings page, and it will prevent the viewer from showing diagnostic data collected by Microsoft from the device.
- If you disable or don't configure this policy setting, the Diagnostic Data Viewer will be enabled in Settings page.
+
-
-
-ADMX Info:
-- GP Friendly name: *Disable diagnostic data viewer.*
-- GP name: *DisableDiagnosticDataViewer*
-- GP element: *DisableDiagnosticDataViewer*
-- GP path: *Data Collection and Preview Builds*
-- GP ADMX file name: *DataCollection.admx*
+
+
+
-
-
+
+**Description framework properties**:
-
-
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
-
-
+
+**Allowed values**:
-
-
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Not disabled. |
+| 1 | Disabled. |
+
-
+
+**Group policy mapping**:
-
-**System/DisableEnterpriseAuthProxy**
+| Name | Value |
+|:--|:--|
+| Name | DisableDiagnosticDataViewer |
+| Friendly Name | Disable diagnostic data viewer |
+| Location | Computer Configuration |
+| Path | WindowsComponents > Data Collection and Preview Builds |
+| Registry Key Name | Software\Policies\Microsoft\Windows\DataCollection |
+| ADMX File Name | DataCollection.admx |
+
-
-The table below shows the applicability of Windows:
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
-
-
+
+## DisableDirectXDatabaseUpdate
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device :x: User | :x: Home :heavy_check_mark: Pro :heavy_check_mark: Enterprise :heavy_check_mark: Education :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
+
-> [!div class = "checklist"]
-> * Device
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/System/DisableDirectXDatabaseUpdate
+```
+
-
+
+
+This group policy allows control over whether the DirectX Database Updater task will be run on the system.
+
-
-
-This policy setting blocks the Connected User Experience and Telemetry service from automatically using an authenticated proxy, to send data back to Microsoft on Windows 10. If you disable or don't configure this policy setting, the Connected User Experience and Telemetry service will automatically use an authenticated proxy, to send data back to Microsoft. Enabling this policy will block the Connected User Experience and Telemetry service from automatically using an authenticated proxy.
+
+
+
-
-
-ADMX Info:
-- GP Friendly name: *Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service*
-- GP name: *DisableEnterpriseAuthProxy*
-- GP element: *DisableEnterpriseAuthProxy*
-- GP path: *Data Collection and Preview Builds*
-- GP ADMX file name: *DataCollection.admx*
+
+**Description framework properties**:
-
-
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
-
+
+**Allowed values**:
-
-**System/DisableOneDriveFileSync**
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Not disabled. |
+| 1 | Disabled. |
+
-
-The table below shows the applicability of Windows:
+
+**Group policy mapping**:
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+| Name | Value |
+|:--|:--|
+| Name | DisableDirectXDatabaseUpdate |
+| Path | GroupPolicy > AT > Network > DirectXDatabase |
+
-
-
+
+
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
-> [!div class = "checklist"]
-> * Device
+
+## DisableEnterpriseAuthProxy
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device :x: User | :x: Home :heavy_check_mark: Pro :heavy_check_mark: Enterprise :heavy_check_mark: Education :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
-
-
-Allows IT Admins to prevent apps and features from working with files on OneDrive. If you enable this policy setting:
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/System/DisableEnterpriseAuthProxy
+```
+
-* Users can't access OneDrive from the OneDrive app or file picker.
-* Microsoft Store apps can't access OneDrive using the WinRT API.
+
+
+This policy setting blocks the Connected User Experience and Telemetry service from automatically using an authenticated proxy to send data back to Microsoft on Windows 10.
+- If you disable or do not configure this policy setting, the Connected User Experience and Telemetry service will automatically use an authenticated proxy to send data back to Microsoft. Enabling this policy will block the Connected User Experience and Telemetry service from automatically using an authenticated proxy.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 1 | Enable. |
+| 0 (Default) | Disable. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | DisableEnterpriseAuthProxy |
+| Friendly Name | Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service |
+| Location | Computer Configuration |
+| Path | WindowsComponents > Data Collection and Preview Builds |
+| Registry Key Name | Software\Policies\Microsoft\Windows\DataCollection |
+| ADMX File Name | DataCollection.admx |
+
+
+
+
+
+
+
+
+
+## DisableOneDriveFileSync
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device :x: User | :x: Home :heavy_check_mark: Pro :heavy_check_mark: Enterprise :heavy_check_mark: Education :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/System/DisableOneDriveFileSync
+```
+
+
+
+
+This policy setting lets you prevent apps and features from working with files on OneDrive.
+- If you enable this policy setting:
+
+* Users can't access OneDrive from the OneDrive app and file picker.
+* Windows Store apps can't access OneDrive using the WinRT API.
* OneDrive doesn't appear in the navigation pane in File Explorer.
* OneDrive files aren't kept in sync with the cloud.
* Users can't automatically upload photos and videos from the camera roll folder.
-If you disable or don't configure this policy setting, apps and features can work with OneDrive file storage.
+- If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage.
+
-
-
-ADMX Info:
-- GP Friendly name: *Prevent the usage of OneDrive for file storage*
-- GP name: *PreventOnedriveFileSync*
-- GP path: *Windows Components/OneDrive*
-- GP ADMX file name: *SkyDrive.admx*
+
+
+
-
-
-The following list shows the supported values:
+
+**Description framework properties**:
-- 0 (default) – False (sync enabled).
-- 1 – True (sync disabled).
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
-
-
-To validate on Desktop, do the following steps:
+
+**Allowed values**:
-1. Enable policy.
-2. Restart machine.
-3. Verify that OneDrive.exe isn't running in Task Manager.
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Sync enabled. |
+| 1 | Sync disabled. |
+
-
-
+
+**Group policy mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | PreventOnedriveFileSync |
+| Friendly Name | Prevent the usage of OneDrive for file storage |
+| Location | Computer Configuration |
+| Path | Windows Components > OneDrive |
+| Registry Key Name | Software\Policies\Microsoft\Windows\OneDrive |
+| Registry Value Name | DisableFileSyncNGSC |
+| ADMX File Name | SkyDrive.admx |
+
-
-**System/DisableSystemRestore**
+
+
+
-
-The table below shows the applicability of Windows:
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+## DisableOneSettingsDownloads
-
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device :x: User | :x: Home :heavy_check_mark: Pro :heavy_check_mark: Enterprise :heavy_check_mark: Education :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/System/DisableOneSettingsDownloads
+```
+
-> [!div class = "checklist"]
-> * Device
+
+
+This policy setting controls whether Windows attempts to connect with the OneSettings service.
-
+- If you enable this policy, Windows will not attempt to connect with the OneSettings Service.
-
-
+- If you disable or don't configure this policy setting, Windows will periodically attempt to connect with the OneSettings service to download configuration settings.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Not disabled. |
+| 1 | Disabled. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | DisableOneSettingsDownloads |
+| Friendly Name | Disable OneSettings Downloads |
+| Location | Computer Configuration |
+| Path | WindowsComponents > Data Collection and Preview Builds |
+| Registry Key Name | Software\Policies\Microsoft\Windows\DataCollection |
+| ADMX File Name | DataCollection.admx |
+
+
+
+
+
+
+
+
+
+## DisableSystemRestore
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device :x: User | :x: Home :heavy_check_mark: Pro :heavy_check_mark: Enterprise :heavy_check_mark: Education :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/System/DisableSystemRestore
+```
+
+
+
+
Allows you to disable System Restore.
This policy setting allows you to turn off System Restore.
-System Restore enables users, in case of a problem, to restore their computers to a previous state without losing personal data files. By default, System Restore is turned on for the boot volume.
+System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. By default, System Restore is turned on for the boot volume.
-If you enable this policy setting, System Restore is turned off, then System Restore Wizard can't be accessed. The option to configure System Restore or create a restore point through System Protection is also disabled.
+- If you enable this policy setting, System Restore is turned off, and the System Restore Wizard cannot be accessed. The option to configure System Restore or create a restore point through System Protection is also disabled.
-If you disable or don't configure this policy setting, users can perform System Restore, and configure System Restore settings through System Protection.
+- If you disable or do not configure this policy setting, users can perform System Restore and configure System Restore settings through System Protection.
Also, see the "Turn off System Restore configuration" policy setting. If the "Turn off System Restore" policy setting is disabled or not configured, the "Turn off System Restore configuration" policy setting is used to determine whether the option to configure System Restore is available.
+
-
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
-
-ADMX Info:
-- GP Friendly name: *Turn off System Restore*
-- GP name: *SR_DisableSR*
-- GP path: *System/System Restore*
-- GP ADMX file name: *systemrestore.admx*
-
-
-
-
-
-
-
-**System/FeedbackHubAlwaysSaveDiagnosticsLocally**
-
-
-The table below shows the applicability of Windows:
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-When feedback in the Feedback Hub is being filed, diagnostic logs are collected for certain types of feedback. We now offer the option for users to save it locally, in addition to sending it to Microsoft. This policy will allow enterprises to mandate that all diagnostics are saved locally for use in internal investigations.
-
-
-
-The following list shows the supported values:
-
-- 0 (default) - False. The Feedback Hub won't always save a local copy of diagnostics that may be created when feedback is submitted. The user will have the option to do so.
-- 1 - True. The Feedback Hub should always save a local copy of diagnostics that may be created when feedback is submitted.
-
-
-
-
-
-
-
-**System/LimitDiagnosticLogCollection**
-
-
-The table below shows the applicability of Windows:
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-This policy setting specifies whether diagnostic log data can be collected when more information is needed to troubleshoot a problem. It's sent only if we have permission to collect optional diagnostic data, and only if the device meets the criteria for more data collection.
-
-If you disable or don't configure this policy setting, we may occasionally collect advanced diagnostic data if the user has opted to send optional diagnostic data.
-
-
-
-ADMX Info:
-- GP Friendly name: *Limit Diagnostic Log Collection*
-- GP name: *LimitDiagnosticLogCollection*
-- GP path: *Data Collection and Preview Builds*
-- GP ADMX file name: *DataCollection.admx*
-
-
-
-The following list shows the supported values:
-
-- 0 – Disabled
-- 1 – Enabled
-
-
-
-
-
-
-
-**System/LimitDumpCollection**
-
-
-The table below shows the applicability of Windows:
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-This policy setting limits the type of dumps that can be collected when more information is needed to troubleshoot a problem. These dumps aren't sent unless we have permission to collect optional diagnostic data.
-
-With this policy setting being enabled, Windows Error Reporting is limited to sending kernel mini dumps and user mode triage dumps only.
-
-If you disable or don't configure this policy setting, we may occasionally collect full or heap dumps if the user has opted to send optional diagnostic data.
-
-
-
-ADMX Info:
-- GP Friendly name: *Limit Dump Collection*
-- GP name: *LimitDumpCollection*
-- GP path: *Data Collection and Preview Builds*
-- GP ADMX file name: *DataCollection.admx*
-
-
-
-The following list shows the supported values:
-
-- 0 – Disabled
-- 1 – Enabled
-
-
-
-
-
-
-**System/LimitEnhancedDiagnosticDataWindowsAnalytics**
-
-
-The table below shows the applicability of Windows:
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-This policy setting, in combination with the Allow Telemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services.
-
-To enable this behavior, you must complete two steps:
-
- 1. Enable this policy setting.
-
- 2. Set the **AllowTelemetry** level:
-
- - For Windows 10 version 1809 and older: set **AllowTelemetry** to Enhanced.
-
- > [!NOTE]
- > **Enhanced** is no longer an option for Windows Holographic, version 21H1.
-
- - For Windows 10 version 19H1 and later: set **AllowTelemetry** to Optional (Full).
-
-When you configure these policy settings, a basic level of diagnostic data plus other events that are required for Windows Analytics are sent to Microsoft. These events are documented here: Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics.
-
-Enabling enhanced diagnostic data in the Allow Telemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus enhanced level telemetry data. This setting has no effect on computers configured to send Required (Basic) or Optional (Full) diagnostic data to Microsoft.
-
-If you disable or don't configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy.
-
-
-
-ADMX Info:
-- GP Friendly name: *Limit Enhanced diagnostic data to the minimum required by Windows Analytics*
-- GP name: *LimitEnhancedDiagnosticDataWindowsAnalytics*
-- GP element: *LimitEnhancedDiagnosticDataWindowsAnalytics*
-- GP path: *Data Collection and Preview Builds*
-- GP ADMX file name: *DataCollection.admx*
-
-
-
-
-
-
-
-**System/TelemetryProxy**
-
-
-The table below shows the applicability of Windows:
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-Allows you to specify the fully qualified domain name (FQDN) or IP address of a proxy server to forward Connected User Experiences and Telemetry requests. The format for this setting is *<server>:<port>*. The connection is made over a Secure Sockets Layer (SSL) connection. If the named proxy fails, or if there's no proxy specified when this policy is enabled, the Connected User Experiences and Telemetry data won't be transmitted and will remain on the local device.
-
-If you disable or don't configure this policy setting, Connected User Experiences and Telemetry will go to Microsoft using the default proxy configuration.
-
-
-
-ADMX Info:
-- GP Friendly name: *Configure Connected User Experiences and Telemetry*
-- GP name: *TelemetryProxy*
-- GP element: *TelemetryProxyName*
-- GP path: *Data Collection and Preview Builds*
-- GP ADMX file name: *DataCollection.admx*
-
-
-
-
-
-
-
-**System/TurnOffFileHistory**
-
-
-The table below shows the applicability of Windows:
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | SR_DisableSR |
+| Friendly Name | Turn off System Restore |
+| Location | Computer Configuration |
+| Path | System > System Restore |
+| Registry Key Name | Software\Policies\Microsoft\Windows NT\SystemRestore |
+| Registry Value Name | DisableSR |
+| ADMX File Name | SystemRestore.admx |
+
+
+
+
+
+
+
+
+
+## EnableOneSettingsAuditing
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device :x: User | :x: Home :heavy_check_mark: Pro :heavy_check_mark: Enterprise :heavy_check_mark: Education :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/System/EnableOneSettingsAuditing
+```
+
+
+
+
+This policy setting controls whether Windows records attempts to connect with the OneSettings service to the EventLog.
+
+- If you enable this policy, Windows will record attempts to connect with the OneSettings service to the Microsoft\Windows\Privacy-Auditing\Operational EventLog channel.
+
+- If you disable or don't configure this policy setting, Windows will not record attempts to connect with the OneSettings service to the EventLog.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Disabled. |
+| 1 | Enabled. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | EnableOneSettingsAuditing |
+| Friendly Name | Enable OneSettings Auditing |
+| Location | Computer Configuration |
+| Path | WindowsComponents > Data Collection and Preview Builds |
+| Registry Key Name | Software\Policies\Microsoft\Windows\DataCollection |
+| ADMX File Name | DataCollection.admx |
+
+
+
+
+
+
+
+
+
+## FeedbackHubAlwaysSaveDiagnosticsLocally
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device :x: User | :x: Home :heavy_check_mark: Pro :heavy_check_mark: Enterprise :heavy_check_mark: Education :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/System/FeedbackHubAlwaysSaveDiagnosticsLocally
+```
+
+
+
+
+Diagnostic files created when a feedback is filed in the Feedback Hub app will always be saved locally. If this policy is not present or set to false, users will be presented with the option to save locally. The default is to not save locally.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | False. The Feedback Hub will not always save a local copy of diagnostics that may be created when a feedback is submitted. The user will have the option to do so. |
+| 1 | True. The Feedback Hub should always save a local copy of diagnostics that may be created when a feedback is submitted. |
+
+
+
+
+
+
+
+
+
+## HideUnsupportedHardwareNotifications
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device :x: User | :x: Home :heavy_check_mark: Pro :heavy_check_mark: Enterprise :heavy_check_mark: Education :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/System/HideUnsupportedHardwareNotifications
+```
+
+
+
+
+This policy controls messages which are shown when Windows is running on a device that does not meet the minimum system requirements for this OS version.
+
+- If you enable this policy setting, these messages will never appear on desktop or in the Settings app.
+
+- If you disable or do not configure this policy setting, these messages will appear on desktop and in the Settings app when Windows is running on a device that does not meet the minimum system requirements for this OS version.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Disabled. |
+| 1 | Enabled. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | HideUnsupportedHardwareNotifications |
+| Friendly Name | Hide messages when Windows system requirements are not met |
+| Location | Computer Configuration |
+| Path | System |
+| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
+| Registry Value Name | HideUnsupportedHardwareNotifications |
+| ADMX File Name | ControlPanel.admx |
+
+
+
+
+
+
+
+
+
+## LimitDiagnosticLogCollection
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device :x: User | :x: Home :heavy_check_mark: Pro :heavy_check_mark: Enterprise :heavy_check_mark: Education :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/System/LimitDiagnosticLogCollection
+```
+
+
+
+
+This policy setting controls whether additional diagnostic logs are collected when more information is needed to troubleshoot a problem on the device. Diagnostic logs are only sent when the device has been configured to send optional diagnostic data.
+
+By enabling this policy setting, diagnostic logs will not be collected.
+
+- If you disable or do not configure this policy setting, we may occasionally collect diagnostic logs if the device has been configured to send optional diagnostic data.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Disabled. |
+| 1 | Enabled. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | LimitDiagnosticLogCollection |
+| Friendly Name | Limit Diagnostic Log Collection |
+| Location | Computer Configuration |
+| Path | WindowsComponents > Data Collection and Preview Builds |
+| Registry Key Name | Software\Policies\Microsoft\Windows\DataCollection |
+| ADMX File Name | DataCollection.admx |
+
+
+
+
+
+
+
+
+
+## LimitDumpCollection
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device :x: User | :x: Home :heavy_check_mark: Pro :heavy_check_mark: Enterprise :heavy_check_mark: Education :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/System/LimitDumpCollection
+```
+
+
+
+
+This policy setting limits the type of dumps that can be collected when more information is needed to troubleshoot a problem. Dumps are only sent when the device has been configured to send optional diagnostic data.
+
+By enabling this setting, Windows Error Reporting is limited to sending kernel mini dumps and user mode triage dumps.
+
+- If you disable or do not configure this policy setting, we may occasionally collect full or heap dumps if the user has opted to send optional diagnostic data.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Disabled. |
+| 1 | Enabled. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | LimitDumpCollection |
+| Friendly Name | Limit Dump Collection |
+| Location | Computer Configuration |
+| Path | WindowsComponents > Data Collection and Preview Builds |
+| Registry Key Name | Software\Policies\Microsoft\Windows\DataCollection |
+| ADMX File Name | DataCollection.admx |
+
+
+
+
+
+
+
+
+
+## LimitEnhancedDiagnosticDataWindowsAnalytics
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device :x: User | :x: Home :heavy_check_mark: Pro :heavy_check_mark: Enterprise :heavy_check_mark: Education :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/System/LimitEnhancedDiagnosticDataWindowsAnalytics
+```
+
+
+
+
+This policy setting, in combination with the "Allow Diagnostic Data" policy setting, enables organizations to send the minimum data required by Desktop Analytics.
+
+To enable the behavior described above, complete the following steps:
+
+1. Enable this policy setting
+2. Set the "Allow Diagnostic Data" policy to "Send optional diagnostic data"
+
+3. Enable the "Limit Dump Collection" policy
+4. Enable the "Limit Diagnostic Log Collection" policy
+
+When these policies are configured, Microsoft will collect only required diagnostic data and the events required by Desktop Analytics, which can be viewed at .
+
+- If you disable or do not configure this policy setting, diagnostic data collection is determined by the "Allow Diagnostic Data" policy setting or by the end user from the Settings app.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Disabled. |
+| 1 | Enabled. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | LimitEnhancedDiagnosticDataWindowsAnalytics |
+| Friendly Name | Limit optional diagnostic data for Desktop Analytics |
+| Location | Computer Configuration |
+| Path | WindowsComponents > Data Collection and Preview Builds |
+| Registry Key Name | Software\Policies\Microsoft\Windows\DataCollection |
+| ADMX File Name | DataCollection.admx |
+
+
+
+
+
+
+
+
+
+## TelemetryProxy
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device :x: User | :x: Home :heavy_check_mark: Pro :heavy_check_mark: Enterprise :heavy_check_mark: Education :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/System/TelemetryProxy
+```
+
+
+
+
+Allows you to specify the fully qualified domain name (FQDN) or IP address of a proxy server to forward Connected User Experiences and Telemetry requests. The format for this setting is ``:``. The connection is made over a Secure Sockets Layer (SSL) connection. If the named proxy fails, or if there is no proxy specified when this policy is enabled, the Connected User Experiences and Telemetry data will not be transmitted and will remain on the local device.
+- If you disable or do not configure this policy setting, Connected User Experiences and Telemetry will go to Microsoft using the default proxy configuration.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | TelemetryProxy |
+| Friendly Name | Configure Connected User Experiences and Telemetry |
+| Element Name | Proxy Server Name |
+| Location | Computer Configuration |
+| Path | WindowsComponents > Data Collection and Preview Builds |
+| Registry Key Name | Software\Policies\Microsoft\Windows\DataCollection |
+| ADMX File Name | DataCollection.admx |
+
+
+
+
+
+
+
+
+
+## TurnOffFileHistory
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device :x: User | :x: Home :heavy_check_mark: Pro :heavy_check_mark: Enterprise :heavy_check_mark: Education :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/System/TurnOffFileHistory
+```
+
+
+
+
This policy setting allows you to turn off File History.
-If you enable this policy setting, File History can't be activated to create regular, automatic backups.
+- If you enable this policy setting, File History cannot be activated to create regular, automatic backups.
-If you disable or don't configure this policy setting, File History can be activated to create regular, automatic backups.
+- If you disable or do not configure this policy setting, File History can be activated to create regular, automatic backups.
+
-
-
-ADMX Info:
-- GP Friendly name: *Turn off File History*
-- GP name: *DisableFileHistory*
-- GP path: *Windows Components/File History*
-- GP ADMX file name: *FileHistory.admx*
+
+
+
-
-
-The following list shows the supported values:
+
+**Description framework properties**:
-- false (default) - allow File History
-- true - turn off File History
-
-
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
-
-
+
+**Allowed values**:
-
-
-
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Allow file history. |
+| 1 | Turn off file history. |
+
-
+
+**Group policy mapping**:
-## Related topics
+| Name | Value |
+|:--|:--|
+| Name | DisableFileHistory |
+| Friendly Name | Turn off File History |
+| Location | Computer Configuration |
+| Path | Windows Components > File History |
+| Registry Key Name | Software\Policies\Microsoft\Windows\FileHistory |
+| Registry Value Name | Disabled |
+| ADMX File Name | FileHistory.admx |
+
-[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
+
+
+
+
+
+
+
+
+
+
+
+
+## Related articles
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-crm.md b/windows/configuration/cortana-at-work/cortana-at-work-crm.md
deleted file mode 100644
index 404702922b..0000000000
--- a/windows/configuration/cortana-at-work/cortana-at-work-crm.md
+++ /dev/null
@@ -1,59 +0,0 @@
----
-title: Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in Windows
-description: How to set up Cortana to give salespeople insights on important CRM activities, including sales leads, accounts, and opportunities.
-ms.prod: windows-client
-author: aczechowski
-ms.localizationpriority: medium
-ms.author: aaroncz
-ms.date: 10/05/2017
-ms.reviewer:
-manager: dougeby
-ms.technology: itpro-configure
----
-
-# Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in your organization
-
-Cortana integration is a Preview feature that's available for your test or dev environment, starting with the CRM Online 2016 Update. If you decide to use this Preview feature, you'll need to turn in on and accept the license terms. After that, your salespeople will get proactive insights from Cortana on important CRM activities, including sales leads, accounts, and opportunities; presenting the most relevant information at any given time. This information can even include getting company-specific news that surfaces when the person is meeting with a representative from another company.
-
->[!NOTE]
->For more info about Dynamics CRM integration, how to turn on Cortana, and how to provide feedback, see [Preview feature: Set up Cortana integration](https://go.microsoft.com/fwlink/p/?LinkId=746819).
-
-
-
-## Turn on Cortana with Dynamics CRM in your organization
-You must be a CRM administrator to turn on and use Preview features. For more info about what Preview features are and how to use them, see [What are Preview features and how do I enable them](/dynamics365/marketing/marketing-preview-features).
-
-**To turn on Cortana with Dynamics CRM**
-
-1. Go to **Settings**, and then click **Administration**.
-
-2. Choose **System Settings**, and then click the **Previews** tab.
-
-3. Read the license terms, and if you agree, select the **I’ve read and agree to the license terms** check box.
-
-4. For each preview feature you want to enable, click **Yes**.
-
-## Turn on Cortana with Dynamics CRM on your employees’ devices
-You must tell your employees to turn on Cortana, before they’ll be able to use it with Dynamics CRM.
-
-**To turn on local Cortana with Dynamics CRM**
-
-1. Click on the **Cortana** search box in the taskbar, and then click the **Notebook** icon.
-
-2. Click on **Connected Services**, click **Dynamics CRM**, and then click **Connect**.
-
- 
-
- The employee can also disconnect by clicking **Disconnect** from the **Dynamics CRM** screen.
-
-## Turn off Cortana with Dynamics CRM
-Cortana can only access data in Dynamics CRM when it’s turned on. If you don’t want Cortana to access your corporate data, you can turn it off.
-
-**To turn off Cortana with Dynamics CRM**
-1. Go to **Settings**, and then click **Administration**.
-
-2. Choose **System Settings**, and then click the **Previews** tab.
-
-3. Click **No** for **Cortana**.
-
- All Dynamics CRM functionality related to Cortana is turned off in your organization.
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md
deleted file mode 100644
index daec3595bb..0000000000
--- a/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md
+++ /dev/null
@@ -1,139 +0,0 @@
----
-title: Set up and test Cortana for Power BI in your organization (Windows)
-description: How to integrate Cortana with Power BI to help your employees get answers directly from your key business data.
-ms.prod: windows-client
-author: aczechowski
-ms.localizationpriority: medium
-ms.author: aaroncz
-ms.date: 10/05/2017
-ms.reviewer:
-manager: dougeby
-ms.technology: itpro-configure
----
-
-# Set up and test Cortana for Power BI in your organization
-
->[!IMPORTANT]
->Cortana for Power BI is deprecated and will not be available in future releases. This topic is provided as a reference for previous versions only.
-
-Integration between Cortana and Power BI shows how Cortana can work with custom business analytics solutions to enable you to get answers directly from your key business data, including introducing new features that let you create custom Cortana “answers” using the full capabilities of Power BI Desktop.
-
->[!Note]
->Cortana for Power BI is currently only available in English. For more info about Cortana and Power BI, see [Use Power BI to create a custom Answer Page for Cortana](https://powerbi.microsoft.com/documentation/powerbi-service-cortana-desktop-entity-cards/).
-
-## Before you begin
-To use this walkthrough, you’ll need:
-
-- **Windows 10 or Windows 11**. You’ll need your PC to be running at least Windows 10, version 1703 or later, or Windows 11.
-
-- **Cortana**. You need to have Cortana turned on and be logged into your account.
-
-- **Power BI account with data**. You can use an existing Power BI account, or else you can get a trial account by signing up at http://powerbi.com. Just make sure that either way, you enter some data that you can use.
-
-- **Azure Active Directory (Azure AD)/Work or School account**. You can use the account that you created for Office 365, or you can create a new one while you’re establishing your Power BI account. If you choose to use Azure AD, you must connect your Azure AD account to your Windows account.
-
- **To connect your account to Windows**
-
- a. Open **Windows Settings**, click **Accounts**, click **Access work or school**, and then in the **Connect to work or school** section, click **Connect**.
-
- b. Follow the instructions to add your Azure Active Directory (Azure AD) account to Windows.
-
-## Set up your test environment for Cortana for Power BI
-Before you can start this testing scenario, you must first set up your test environment and data, and then you must turn on and set up Cortana to connect and work with Power BI.
-
-**To set up your test environment with Cortana and Power BI**
-
-1. Go to http://powerbi.com and sign-in with the same O365 credentials you used in the Set up and use Cortana with Office 365 topic.
-
-2. Expand the left rail by clicking the **Show the navigation pane** icon.
-
- 
-
-3. Click **Get Data** from the left-hand navigation in Power BI.
-
- 
-
-4. Click **Samples** from the **Content Pack Library** area of the **Get Data** screen.
-
- 
-
-5. Click **Retail Analysis Sample**, and then click **Connect**.
-
- 
-
- The sample data is imported and you’re returned to the **Power BI** screen.
-
-6. Click **Dashboards** from the left pane of the **Power BI** screen, and then click **Retail Analysis Sample**.
-
- 
-
-7. In the upper right-hand menu, click the **Settings** icon, and then click **Settings**.
-
- 
-
-8. Click the **Datasets** tab, and then pick the **Retail Analysis Sample** dataset from the list.
-
-9. Click **Q&A and Cortana**, check the **Allow Cortana to access this dataset** box, and then click **Apply**.
-
- 
-
- >[!NOTE]
- >It can take up to 30 minutes for a new dataset to appear for Power BI and Cortana. Logging in and out of Windows, or otherwise restarting Cortana, causes the new content to appear immediately.
If you enable a dataset for Cortana, and that dataset is part of a content pack you own, you’ll need to re-publish for your colleagues to also use it with Cortana.
-
-## Create a custom Answer Page for Cortana
-You must create special reports, known as _Answer Pages_, to display the most commonly asked answers in Cortana. For example, if you want Cortana to quickly show sales data to your employees, you can create a 2016 sales data Answer Page that shows sales data, with various pivots, in Cortana.
-
-After you’ve finished creating your Answer Page, you can continue to the included testing scenarios.
-
->[!NOTE]
->It can take up to 30 minutes for a custom Answer Page to appear for Power BI and Cortana. Logging in and out of Windows, or otherwise restarting Cortana, causes the new content to appear immediately.
-
-**To create a custom sales data Answer Page for Cortana**
-1. In Power BI, click **My Workspace**, click **Create**, and then click **Report**.
-
- 
-
-2. In the **Create Report** screen, click the **Retail Analysis Sample**, and then click **Create**.
-
- A blank report page appears.
-
-3. In the **Visualizations** pane, click the paint roller icon, expand **Page Size**, and then pick **Cortana** from the **Type** drop-down list.
-
- 
-
-4. In the **Fields** pane, click to expand **Sales**, expand **This year sales**, and then add both **Value** and **Goal**.
-
- 
-
- The automatically generated graph is added to your blank report. You have the option to change colors, add borders, add additional visualizations, and modify this page so that it answers the question about sales data as precisely, and in as custom a way, as you want. You just need to make sure that it all stays within the page borders.
-
-5. In the **Visualizations** pane, click the paint roller icon again, expand **Page Information**, type _Sales data 2016_ into the **Name** box, turn on **Q&A**, and then add alternate report names (separated by commas) into the text box.
-
- The alternate names help Cortana to know what questions to look for and when to show this report. To also improve your results, you should avoid using the names of your report columns.
-
- 
-
-6. Click **File**, click **Save as**, and save the report as _Sales data 2016_.
-
- Because this is part of the Retail Analysis Sample, it will automatically be included as part of the dataset you included for Cortana. However, you will still need to log in and out of Windows, or otherwise restart Cortana, before the new content appears.
-
-## Test Scenario: Use Cortana to show info from Power BI in your organization
-Now that you’ve set up your device, you can use Cortana to show your info from within Power BI.
-
-**To use Cortana with Power BI**
-1. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar.
-
-2. Type _This year in sales_.
-
- Cortana shows you the available results.
-
- 
-
-3. In the **Power BI** area, click **This year in sales – in Retail Analysis Sample**.
-
- Cortana returns your custom report.
-
- 
-
->[!NOTE]
->For more info about how to connect your own data, build your own custom Power BI cards and Answer Pages for Cortana, and how to share the cards with everyone in your organization, see [Use Power BI to create a custom Answer Page for Cortana](https://powerbi.microsoft.com/documentation/powerbi-service-cortana-desktop-entity-cards/).
diff --git a/windows/configuration/cortana-at-work/images/cortana-about-me.png b/windows/configuration/cortana-at-work/images/cortana-about-me.png
deleted file mode 100644
index 32c1ccefab..0000000000
Binary files a/windows/configuration/cortana-at-work/images/cortana-about-me.png and /dev/null differ
diff --git a/windows/configuration/cortana-at-work/images/cortana-add-reminder.png b/windows/configuration/cortana-at-work/images/cortana-add-reminder.png
deleted file mode 100644
index 3f03528e11..0000000000
Binary files a/windows/configuration/cortana-at-work/images/cortana-add-reminder.png and /dev/null differ
diff --git a/windows/configuration/cortana-at-work/images/cortana-chicago-weather.png b/windows/configuration/cortana-at-work/images/cortana-chicago-weather.png
deleted file mode 100644
index 9273bf201b..0000000000
Binary files a/windows/configuration/cortana-at-work/images/cortana-chicago-weather.png and /dev/null differ
diff --git a/windows/configuration/cortana-at-work/images/cortana-communication-history-permissions.png b/windows/configuration/cortana-at-work/images/cortana-communication-history-permissions.png
deleted file mode 100644
index db182be13c..0000000000
Binary files a/windows/configuration/cortana-at-work/images/cortana-communication-history-permissions.png and /dev/null differ
diff --git a/windows/configuration/cortana-at-work/images/cortana-complete-send-email-coworker-mic.png b/windows/configuration/cortana-at-work/images/cortana-complete-send-email-coworker-mic.png
deleted file mode 100644
index 3238c8d31d..0000000000
Binary files a/windows/configuration/cortana-at-work/images/cortana-complete-send-email-coworker-mic.png and /dev/null differ
diff --git a/windows/configuration/cortana-at-work/images/cortana-connect-crm.png b/windows/configuration/cortana-at-work/images/cortana-connect-crm.png
deleted file mode 100644
index c70c42f75e..0000000000
Binary files a/windows/configuration/cortana-at-work/images/cortana-connect-crm.png and /dev/null differ
diff --git a/windows/configuration/cortana-at-work/images/cortana-connect-o365.png b/windows/configuration/cortana-at-work/images/cortana-connect-o365.png
deleted file mode 100644
index df1ffa449b..0000000000
Binary files a/windows/configuration/cortana-at-work/images/cortana-connect-o365.png and /dev/null differ
diff --git a/windows/configuration/cortana-at-work/images/cortana-connect-uber.png b/windows/configuration/cortana-at-work/images/cortana-connect-uber.png
deleted file mode 100644
index 724fecb5b5..0000000000
Binary files a/windows/configuration/cortana-at-work/images/cortana-connect-uber.png and /dev/null differ
diff --git a/windows/configuration/cortana-at-work/images/cortana-crm-screen.png b/windows/configuration/cortana-at-work/images/cortana-crm-screen.png
deleted file mode 100644
index ded5d80a59..0000000000
Binary files a/windows/configuration/cortana-at-work/images/cortana-crm-screen.png and /dev/null differ
diff --git a/windows/configuration/cortana-at-work/images/cortana-feedback.png b/windows/configuration/cortana-at-work/images/cortana-feedback.png
deleted file mode 100644
index 6e14018c98..0000000000
Binary files a/windows/configuration/cortana-at-work/images/cortana-feedback.png and /dev/null differ
diff --git a/windows/configuration/cortana-at-work/images/cortana-final-reminder.png b/windows/configuration/cortana-at-work/images/cortana-final-reminder.png
deleted file mode 100644
index f114e058e5..0000000000
Binary files a/windows/configuration/cortana-at-work/images/cortana-final-reminder.png and /dev/null differ
diff --git a/windows/configuration/cortana-at-work/images/cortana-meeting-specific-time.png b/windows/configuration/cortana-at-work/images/cortana-meeting-specific-time.png
deleted file mode 100644
index a108355133..0000000000
Binary files a/windows/configuration/cortana-at-work/images/cortana-meeting-specific-time.png and /dev/null differ
diff --git a/windows/configuration/cortana-at-work/images/cortana-meeting-tomorrow.png b/windows/configuration/cortana-at-work/images/cortana-meeting-tomorrow.png
deleted file mode 100644
index 13273b6600..0000000000
Binary files a/windows/configuration/cortana-at-work/images/cortana-meeting-tomorrow.png and /dev/null differ
diff --git a/windows/configuration/cortana-at-work/images/cortana-newyork-weather.png b/windows/configuration/cortana-at-work/images/cortana-newyork-weather.png
deleted file mode 100644
index b3879737be..0000000000
Binary files a/windows/configuration/cortana-at-work/images/cortana-newyork-weather.png and /dev/null differ
diff --git a/windows/configuration/cortana-at-work/images/cortana-o365-screen.png b/windows/configuration/cortana-at-work/images/cortana-o365-screen.png
deleted file mode 100644
index ba06dd6de5..0000000000
Binary files a/windows/configuration/cortana-at-work/images/cortana-o365-screen.png and /dev/null differ
diff --git a/windows/configuration/cortana-at-work/images/cortana-place-reminder.png b/windows/configuration/cortana-at-work/images/cortana-place-reminder.png
deleted file mode 100644
index 89ccdab3e3..0000000000
Binary files a/windows/configuration/cortana-at-work/images/cortana-place-reminder.png and /dev/null differ
diff --git a/windows/configuration/cortana-at-work/images/cortana-powerbi-create-report.png b/windows/configuration/cortana-at-work/images/cortana-powerbi-create-report.png
deleted file mode 100644
index a22789d72a..0000000000
Binary files a/windows/configuration/cortana-at-work/images/cortana-powerbi-create-report.png and /dev/null differ
diff --git a/windows/configuration/cortana-at-work/images/cortana-powerbi-expand-nav.png b/windows/configuration/cortana-at-work/images/cortana-powerbi-expand-nav.png
deleted file mode 100644
index c8b47943f9..0000000000
Binary files a/windows/configuration/cortana-at-work/images/cortana-powerbi-expand-nav.png and /dev/null differ
diff --git a/windows/configuration/cortana-at-work/images/cortana-powerbi-field-selection.png b/windows/configuration/cortana-at-work/images/cortana-powerbi-field-selection.png
deleted file mode 100644
index 8aef58c23a..0000000000
Binary files a/windows/configuration/cortana-at-work/images/cortana-powerbi-field-selection.png and /dev/null differ
diff --git a/windows/configuration/cortana-at-work/images/cortana-powerbi-getdata-samples.png b/windows/configuration/cortana-at-work/images/cortana-powerbi-getdata-samples.png
deleted file mode 100644
index 3bfa4792df..0000000000
Binary files a/windows/configuration/cortana-at-work/images/cortana-powerbi-getdata-samples.png and /dev/null differ
diff --git a/windows/configuration/cortana-at-work/images/cortana-powerbi-getdata.png b/windows/configuration/cortana-at-work/images/cortana-powerbi-getdata.png
deleted file mode 100644
index 55b7b61589..0000000000
Binary files a/windows/configuration/cortana-at-work/images/cortana-powerbi-getdata.png and /dev/null differ
diff --git a/windows/configuration/cortana-at-work/images/cortana-powerbi-myreport.png b/windows/configuration/cortana-at-work/images/cortana-powerbi-myreport.png
deleted file mode 100644
index cc04d9c6f0..0000000000
Binary files a/windows/configuration/cortana-at-work/images/cortana-powerbi-myreport.png and /dev/null differ
diff --git a/windows/configuration/cortana-at-work/images/cortana-powerbi-pagesize.png b/windows/configuration/cortana-at-work/images/cortana-powerbi-pagesize.png
deleted file mode 100644
index fd1c1ef917..0000000000
Binary files a/windows/configuration/cortana-at-work/images/cortana-powerbi-pagesize.png and /dev/null differ
diff --git a/windows/configuration/cortana-at-work/images/cortana-powerbi-report-qna.png b/windows/configuration/cortana-at-work/images/cortana-powerbi-report-qna.png
deleted file mode 100644
index d17949aa8a..0000000000
Binary files a/windows/configuration/cortana-at-work/images/cortana-powerbi-report-qna.png and /dev/null differ
diff --git a/windows/configuration/cortana-at-work/images/cortana-powerbi-retail-analysis-dashboard.png b/windows/configuration/cortana-at-work/images/cortana-powerbi-retail-analysis-dashboard.png
deleted file mode 100644
index 5b94a2e2fc..0000000000
Binary files a/windows/configuration/cortana-at-work/images/cortana-powerbi-retail-analysis-dashboard.png and /dev/null differ
diff --git a/windows/configuration/cortana-at-work/images/cortana-powerbi-retail-analysis-dataset.png b/windows/configuration/cortana-at-work/images/cortana-powerbi-retail-analysis-dataset.png
deleted file mode 100644
index b2ffec3b70..0000000000
Binary files a/windows/configuration/cortana-at-work/images/cortana-powerbi-retail-analysis-dataset.png and /dev/null differ
diff --git a/windows/configuration/cortana-at-work/images/cortana-powerbi-retail-analysis-sample.png b/windows/configuration/cortana-at-work/images/cortana-powerbi-retail-analysis-sample.png
deleted file mode 100644
index e3b61dcaa2..0000000000
Binary files a/windows/configuration/cortana-at-work/images/cortana-powerbi-retail-analysis-sample.png and /dev/null differ
diff --git a/windows/configuration/cortana-at-work/images/cortana-powerbi-search.png b/windows/configuration/cortana-at-work/images/cortana-powerbi-search.png
deleted file mode 100644
index 88a8b40296..0000000000
Binary files a/windows/configuration/cortana-at-work/images/cortana-powerbi-search.png and /dev/null differ
diff --git a/windows/configuration/cortana-at-work/images/cortana-powerbi-settings.png b/windows/configuration/cortana-at-work/images/cortana-powerbi-settings.png
deleted file mode 100644
index 0f51229895..0000000000
Binary files a/windows/configuration/cortana-at-work/images/cortana-powerbi-settings.png and /dev/null differ
diff --git a/windows/configuration/cortana-at-work/images/cortana-redmond-weather.png b/windows/configuration/cortana-at-work/images/cortana-redmond-weather.png
deleted file mode 100644
index 7e8adc1929..0000000000
Binary files a/windows/configuration/cortana-at-work/images/cortana-redmond-weather.png and /dev/null differ
diff --git a/windows/configuration/cortana-at-work/images/cortana-reminder-edit.png b/windows/configuration/cortana-at-work/images/cortana-reminder-edit.png
deleted file mode 100644
index 79cc280947..0000000000
Binary files a/windows/configuration/cortana-at-work/images/cortana-reminder-edit.png and /dev/null differ
diff --git a/windows/configuration/cortana-at-work/images/cortana-reminder-list.png b/windows/configuration/cortana-at-work/images/cortana-reminder-list.png
deleted file mode 100644
index 1f57fc0f05..0000000000
Binary files a/windows/configuration/cortana-at-work/images/cortana-reminder-list.png and /dev/null differ
diff --git a/windows/configuration/cortana-at-work/images/cortana-reminder-mic.png b/windows/configuration/cortana-at-work/images/cortana-reminder-mic.png
deleted file mode 100644
index 46a18e8e0b..0000000000
Binary files a/windows/configuration/cortana-at-work/images/cortana-reminder-mic.png and /dev/null differ
diff --git a/windows/configuration/cortana-at-work/images/cortana-reminder-pending-mic.png b/windows/configuration/cortana-at-work/images/cortana-reminder-pending-mic.png
deleted file mode 100644
index 159d408e0a..0000000000
Binary files a/windows/configuration/cortana-at-work/images/cortana-reminder-pending-mic.png and /dev/null differ
diff --git a/windows/configuration/cortana-at-work/images/cortana-reminder-pending.png b/windows/configuration/cortana-at-work/images/cortana-reminder-pending.png
deleted file mode 100644
index a6b64b5621..0000000000
Binary files a/windows/configuration/cortana-at-work/images/cortana-reminder-pending.png and /dev/null differ
diff --git a/windows/configuration/cortana-at-work/images/cortana-send-email-coworker-mic.png b/windows/configuration/cortana-at-work/images/cortana-send-email-coworker-mic.png
deleted file mode 100644
index 0cfa8fb731..0000000000
Binary files a/windows/configuration/cortana-at-work/images/cortana-send-email-coworker-mic.png and /dev/null differ
diff --git a/windows/configuration/cortana-at-work/images/cortana-send-email-coworker.png b/windows/configuration/cortana-at-work/images/cortana-send-email-coworker.png
deleted file mode 100644
index 40ce18bdca..0000000000
Binary files a/windows/configuration/cortana-at-work/images/cortana-send-email-coworker.png and /dev/null differ
diff --git a/windows/configuration/cortana-at-work/images/cortana-suggested-reminder-settings.png b/windows/configuration/cortana-at-work/images/cortana-suggested-reminder-settings.png
deleted file mode 100644
index 176dbff483..0000000000
Binary files a/windows/configuration/cortana-at-work/images/cortana-suggested-reminder-settings.png and /dev/null differ
diff --git a/windows/configuration/cortana-at-work/images/cortana-suggested-reminder.png b/windows/configuration/cortana-at-work/images/cortana-suggested-reminder.png
deleted file mode 100644
index 4184bd1b6c..0000000000
Binary files a/windows/configuration/cortana-at-work/images/cortana-suggested-reminder.png and /dev/null differ
diff --git a/windows/configuration/cortana-at-work/images/cortana-weather-multipanel.png b/windows/configuration/cortana-at-work/images/cortana-weather-multipanel.png
deleted file mode 100644
index e8db031744..0000000000
Binary files a/windows/configuration/cortana-at-work/images/cortana-weather-multipanel.png and /dev/null differ
diff --git a/windows/configuration/images/ActionCenterXML.jpg b/windows/configuration/images/ActionCenterXML.jpg
deleted file mode 100644
index b9832b2708..0000000000
Binary files a/windows/configuration/images/ActionCenterXML.jpg and /dev/null differ
diff --git a/windows/configuration/images/AppsXML.jpg b/windows/configuration/images/AppsXML.jpg
deleted file mode 100644
index ecc1869bb5..0000000000
Binary files a/windows/configuration/images/AppsXML.jpg and /dev/null differ
diff --git a/windows/configuration/images/AppsXML.png b/windows/configuration/images/AppsXML.png
deleted file mode 100644
index 3981543264..0000000000
Binary files a/windows/configuration/images/AppsXML.png and /dev/null differ
diff --git a/windows/configuration/images/ButtonsXML.jpg b/windows/configuration/images/ButtonsXML.jpg
deleted file mode 100644
index 238eca7e68..0000000000
Binary files a/windows/configuration/images/ButtonsXML.jpg and /dev/null differ
diff --git a/windows/configuration/images/CSPRunnerXML.jpg b/windows/configuration/images/CSPRunnerXML.jpg
deleted file mode 100644
index 071b316a9e..0000000000
Binary files a/windows/configuration/images/CSPRunnerXML.jpg and /dev/null differ
diff --git a/windows/configuration/images/ICDstart-option.PNG b/windows/configuration/images/ICDstart-option.PNG
deleted file mode 100644
index 1ba49bb261..0000000000
Binary files a/windows/configuration/images/ICDstart-option.PNG and /dev/null differ
diff --git a/windows/configuration/images/ISE.PNG b/windows/configuration/images/ISE.PNG
deleted file mode 100644
index edf53101f4..0000000000
Binary files a/windows/configuration/images/ISE.PNG and /dev/null differ
diff --git a/windows/configuration/images/MenuItemsXML.png b/windows/configuration/images/MenuItemsXML.png
deleted file mode 100644
index cc681250bb..0000000000
Binary files a/windows/configuration/images/MenuItemsXML.png and /dev/null differ
diff --git a/windows/configuration/images/PoC-big.png b/windows/configuration/images/PoC-big.png
deleted file mode 100644
index de73506071..0000000000
Binary files a/windows/configuration/images/PoC-big.png and /dev/null differ
diff --git a/windows/configuration/images/PoC.png b/windows/configuration/images/PoC.png
deleted file mode 100644
index 6d7b7eb5af..0000000000
Binary files a/windows/configuration/images/PoC.png and /dev/null differ
diff --git a/windows/configuration/images/SettingsXML.png b/windows/configuration/images/SettingsXML.png
deleted file mode 100644
index 98a324bdea..0000000000
Binary files a/windows/configuration/images/SettingsXML.png and /dev/null differ
diff --git a/windows/configuration/images/Shared_PC_1.jpg b/windows/configuration/images/Shared_PC_1.jpg
deleted file mode 100644
index 7b993b00a8..0000000000
Binary files a/windows/configuration/images/Shared_PC_1.jpg and /dev/null differ
diff --git a/windows/configuration/images/Shared_PC_2.png b/windows/configuration/images/Shared_PC_2.png
deleted file mode 100644
index c9d2362634..0000000000
Binary files a/windows/configuration/images/Shared_PC_2.png and /dev/null differ
diff --git a/windows/configuration/images/Shared_PC_3.png b/windows/configuration/images/Shared_PC_3.png
deleted file mode 100644
index 83b3a66fc8..0000000000
Binary files a/windows/configuration/images/Shared_PC_3.png and /dev/null differ
diff --git a/windows/configuration/images/StartGrid.jpg b/windows/configuration/images/StartGrid.jpg
deleted file mode 100644
index 36136f3201..0000000000
Binary files a/windows/configuration/images/StartGrid.jpg and /dev/null differ
diff --git a/windows/configuration/images/StartGridPinnedApps.jpg b/windows/configuration/images/StartGridPinnedApps.jpg
deleted file mode 100644
index fbade52f53..0000000000
Binary files a/windows/configuration/images/StartGridPinnedApps.jpg and /dev/null differ
diff --git a/windows/configuration/images/TilesXML.png b/windows/configuration/images/TilesXML.png
deleted file mode 100644
index cec52bbbf7..0000000000
Binary files a/windows/configuration/images/TilesXML.png and /dev/null differ
diff --git a/windows/configuration/images/account-management.PNG b/windows/configuration/images/account-management.PNG
deleted file mode 100644
index 34165dfcd6..0000000000
Binary files a/windows/configuration/images/account-management.PNG and /dev/null differ
diff --git a/windows/configuration/images/add-applications.PNG b/windows/configuration/images/add-applications.PNG
deleted file mode 100644
index 2316deb2fd..0000000000
Binary files a/windows/configuration/images/add-applications.PNG and /dev/null differ
diff --git a/windows/configuration/images/add-certificates.PNG b/windows/configuration/images/add-certificates.PNG
deleted file mode 100644
index 24cb605d1c..0000000000
Binary files a/windows/configuration/images/add-certificates.PNG and /dev/null differ
diff --git a/windows/configuration/images/adk-install.png b/windows/configuration/images/adk-install.png
deleted file mode 100644
index c087d3bae5..0000000000
Binary files a/windows/configuration/images/adk-install.png and /dev/null differ
diff --git a/windows/configuration/images/admin-tools-folder.png b/windows/configuration/images/admin-tools-folder.png
deleted file mode 100644
index 4831204f73..0000000000
Binary files a/windows/configuration/images/admin-tools-folder.png and /dev/null differ
diff --git a/windows/configuration/images/admin-tools.png b/windows/configuration/images/admin-tools.png
deleted file mode 100644
index 1470cffdd5..0000000000
Binary files a/windows/configuration/images/admin-tools.png and /dev/null differ
diff --git a/windows/configuration/images/allow-rdp.png b/windows/configuration/images/allow-rdp.png
deleted file mode 100644
index 55c13b53bc..0000000000
Binary files a/windows/configuration/images/allow-rdp.png and /dev/null differ
diff --git a/windows/configuration/images/app-v-in-adk.png b/windows/configuration/images/app-v-in-adk.png
deleted file mode 100644
index a36ef9f00f..0000000000
Binary files a/windows/configuration/images/app-v-in-adk.png and /dev/null differ
diff --git a/windows/configuration/images/apps.png b/windows/configuration/images/apps.png
deleted file mode 100644
index 5cb3b7ec8f..0000000000
Binary files a/windows/configuration/images/apps.png and /dev/null differ
diff --git a/windows/configuration/images/azureadjoined.png b/windows/configuration/images/azureadjoined.png
deleted file mode 100644
index e1babffb8d..0000000000
Binary files a/windows/configuration/images/azureadjoined.png and /dev/null differ
diff --git a/windows/configuration/images/backicon.png b/windows/configuration/images/backicon.png
deleted file mode 100644
index 3007e448b1..0000000000
Binary files a/windows/configuration/images/backicon.png and /dev/null differ
diff --git a/windows/configuration/images/bulk-enroll-mobile-details.PNG b/windows/configuration/images/bulk-enroll-mobile-details.PNG
deleted file mode 100644
index 8329d39cfc..0000000000
Binary files a/windows/configuration/images/bulk-enroll-mobile-details.PNG and /dev/null differ
diff --git a/windows/configuration/images/bulk-enroll-mobile.PNG b/windows/configuration/images/bulk-enroll-mobile.PNG
deleted file mode 100644
index 812b57e8e0..0000000000
Binary files a/windows/configuration/images/bulk-enroll-mobile.PNG and /dev/null differ
diff --git a/windows/configuration/images/check_blu.png b/windows/configuration/images/check_blu.png
deleted file mode 100644
index d5c703760f..0000000000
Binary files a/windows/configuration/images/check_blu.png and /dev/null differ
diff --git a/windows/configuration/images/check_grn.png b/windows/configuration/images/check_grn.png
deleted file mode 100644
index f9f04cd6bd..0000000000
Binary files a/windows/configuration/images/check_grn.png and /dev/null differ
diff --git a/windows/configuration/images/checklistbox.gif b/windows/configuration/images/checklistbox.gif
deleted file mode 100644
index cbcf4a4f11..0000000000
Binary files a/windows/configuration/images/checklistbox.gif and /dev/null differ
diff --git a/windows/configuration/images/checklistdone.png b/windows/configuration/images/checklistdone.png
deleted file mode 100644
index 7e53f74d0e..0000000000
Binary files a/windows/configuration/images/checklistdone.png and /dev/null differ
diff --git a/windows/configuration/images/checkmark.png b/windows/configuration/images/checkmark.png
deleted file mode 100644
index f9f04cd6bd..0000000000
Binary files a/windows/configuration/images/checkmark.png and /dev/null differ
diff --git a/windows/configuration/images/config-policy.png b/windows/configuration/images/config-policy.png
deleted file mode 100644
index b9cba70af6..0000000000
Binary files a/windows/configuration/images/config-policy.png and /dev/null differ
diff --git a/windows/configuration/images/config-source.png b/windows/configuration/images/config-source.png
deleted file mode 100644
index 58938bacf7..0000000000
Binary files a/windows/configuration/images/config-source.png and /dev/null differ
diff --git a/windows/configuration/images/configconflict.png b/windows/configuration/images/configconflict.png
deleted file mode 100644
index 011a2d76e7..0000000000
Binary files a/windows/configuration/images/configconflict.png and /dev/null differ
diff --git a/windows/configuration/images/configmgr-asset.PNG b/windows/configuration/images/configmgr-asset.PNG
deleted file mode 100644
index 4dacaeb565..0000000000
Binary files a/windows/configuration/images/configmgr-asset.PNG and /dev/null differ
diff --git a/windows/configuration/images/configmgr-client.PNG b/windows/configuration/images/configmgr-client.PNG
deleted file mode 100644
index 45e0ad8883..0000000000
Binary files a/windows/configuration/images/configmgr-client.PNG and /dev/null differ
diff --git a/windows/configuration/images/configmgr-collection.PNG b/windows/configuration/images/configmgr-collection.PNG
deleted file mode 100644
index 01a1cca4a8..0000000000
Binary files a/windows/configuration/images/configmgr-collection.PNG and /dev/null differ
diff --git a/windows/configuration/images/configmgr-install-os.PNG b/windows/configuration/images/configmgr-install-os.PNG
deleted file mode 100644
index 53b314b132..0000000000
Binary files a/windows/configuration/images/configmgr-install-os.PNG and /dev/null differ
diff --git a/windows/configuration/images/configmgr-post-refresh.PNG b/windows/configuration/images/configmgr-post-refresh.PNG
deleted file mode 100644
index e116e04312..0000000000
Binary files a/windows/configuration/images/configmgr-post-refresh.PNG and /dev/null differ
diff --git a/windows/configuration/images/configmgr-pxe.PNG b/windows/configuration/images/configmgr-pxe.PNG
deleted file mode 100644
index 39cb22c075..0000000000
Binary files a/windows/configuration/images/configmgr-pxe.PNG and /dev/null differ
diff --git a/windows/configuration/images/configmgr-site.PNG b/windows/configuration/images/configmgr-site.PNG
deleted file mode 100644
index 92319fdbf7..0000000000
Binary files a/windows/configuration/images/configmgr-site.PNG and /dev/null differ
diff --git a/windows/configuration/images/configmgr-software-cntr.PNG b/windows/configuration/images/configmgr-software-cntr.PNG
deleted file mode 100644
index 9c920c6d39..0000000000
Binary files a/windows/configuration/images/configmgr-software-cntr.PNG and /dev/null differ
diff --git a/windows/configuration/images/connect-aad.png b/windows/configuration/images/connect-aad.png
deleted file mode 100644
index 8583866165..0000000000
Binary files a/windows/configuration/images/connect-aad.png and /dev/null differ
diff --git a/windows/configuration/images/convert.png b/windows/configuration/images/convert.png
deleted file mode 100644
index 224e763bc0..0000000000
Binary files a/windows/configuration/images/convert.png and /dev/null differ
diff --git a/windows/configuration/images/copy-to-change.png b/windows/configuration/images/copy-to-change.png
deleted file mode 100644
index 21aa250c0c..0000000000
Binary files a/windows/configuration/images/copy-to-change.png and /dev/null differ
diff --git a/windows/configuration/images/copy-to-path.png b/windows/configuration/images/copy-to-path.png
deleted file mode 100644
index 1ef00fc86b..0000000000
Binary files a/windows/configuration/images/copy-to-path.png and /dev/null differ
diff --git a/windows/configuration/images/copy-to.PNG b/windows/configuration/images/copy-to.PNG
deleted file mode 100644
index dad84cedc8..0000000000
Binary files a/windows/configuration/images/copy-to.PNG and /dev/null differ
diff --git a/windows/configuration/images/cortana-about-me.png b/windows/configuration/images/cortana-about-me.png
deleted file mode 100644
index 32c1ccefab..0000000000
Binary files a/windows/configuration/images/cortana-about-me.png and /dev/null differ
diff --git a/windows/configuration/images/cortana-add-reminder.png b/windows/configuration/images/cortana-add-reminder.png
deleted file mode 100644
index 3f03528e11..0000000000
Binary files a/windows/configuration/images/cortana-add-reminder.png and /dev/null differ
diff --git a/windows/configuration/images/cortana-chicago-weather.png b/windows/configuration/images/cortana-chicago-weather.png
deleted file mode 100644
index 9273bf201b..0000000000
Binary files a/windows/configuration/images/cortana-chicago-weather.png and /dev/null differ
diff --git a/windows/configuration/images/cortana-communication-history-permissions.png b/windows/configuration/images/cortana-communication-history-permissions.png
deleted file mode 100644
index db182be13c..0000000000
Binary files a/windows/configuration/images/cortana-communication-history-permissions.png and /dev/null differ
diff --git a/windows/configuration/images/cortana-complete-send-email-coworker-mic.png b/windows/configuration/images/cortana-complete-send-email-coworker-mic.png
deleted file mode 100644
index 3238c8d31d..0000000000
Binary files a/windows/configuration/images/cortana-complete-send-email-coworker-mic.png and /dev/null differ
diff --git a/windows/configuration/images/cortana-connect-crm.png b/windows/configuration/images/cortana-connect-crm.png
deleted file mode 100644
index c70c42f75e..0000000000
Binary files a/windows/configuration/images/cortana-connect-crm.png and /dev/null differ
diff --git a/windows/configuration/images/cortana-connect-o365.png b/windows/configuration/images/cortana-connect-o365.png
deleted file mode 100644
index df1ffa449b..0000000000
Binary files a/windows/configuration/images/cortana-connect-o365.png and /dev/null differ
diff --git a/windows/configuration/images/cortana-crm-screen.png b/windows/configuration/images/cortana-crm-screen.png
deleted file mode 100644
index ded5d80a59..0000000000
Binary files a/windows/configuration/images/cortana-crm-screen.png and /dev/null differ
diff --git a/windows/configuration/images/cortana-feedback.png b/windows/configuration/images/cortana-feedback.png
deleted file mode 100644
index 6e14018c98..0000000000
Binary files a/windows/configuration/images/cortana-feedback.png and /dev/null differ
diff --git a/windows/configuration/images/cortana-final-reminder.png b/windows/configuration/images/cortana-final-reminder.png
deleted file mode 100644
index f114e058e5..0000000000
Binary files a/windows/configuration/images/cortana-final-reminder.png and /dev/null differ
diff --git a/windows/configuration/images/cortana-meeting-specific-time.png b/windows/configuration/images/cortana-meeting-specific-time.png
deleted file mode 100644
index a108355133..0000000000
Binary files a/windows/configuration/images/cortana-meeting-specific-time.png and /dev/null differ
diff --git a/windows/configuration/images/cortana-meeting-tomorrow.png b/windows/configuration/images/cortana-meeting-tomorrow.png
deleted file mode 100644
index 13273b6600..0000000000
Binary files a/windows/configuration/images/cortana-meeting-tomorrow.png and /dev/null differ
diff --git a/windows/configuration/images/cortana-newyork-weather.png b/windows/configuration/images/cortana-newyork-weather.png
deleted file mode 100644
index b3879737be..0000000000
Binary files a/windows/configuration/images/cortana-newyork-weather.png and /dev/null differ
diff --git a/windows/configuration/images/cortana-o365-screen.png b/windows/configuration/images/cortana-o365-screen.png
deleted file mode 100644
index ba06dd6de5..0000000000
Binary files a/windows/configuration/images/cortana-o365-screen.png and /dev/null differ
diff --git a/windows/configuration/images/cortana-place-reminder.png b/windows/configuration/images/cortana-place-reminder.png
deleted file mode 100644
index 89ccdab3e3..0000000000
Binary files a/windows/configuration/images/cortana-place-reminder.png and /dev/null differ
diff --git a/windows/configuration/images/cortana-powerbi-create-report.png b/windows/configuration/images/cortana-powerbi-create-report.png
deleted file mode 100644
index a22789d72a..0000000000
Binary files a/windows/configuration/images/cortana-powerbi-create-report.png and /dev/null differ
diff --git a/windows/configuration/images/cortana-powerbi-expand-nav.png b/windows/configuration/images/cortana-powerbi-expand-nav.png
deleted file mode 100644
index c8b47943f9..0000000000
Binary files a/windows/configuration/images/cortana-powerbi-expand-nav.png and /dev/null differ
diff --git a/windows/configuration/images/cortana-powerbi-field-selection.png b/windows/configuration/images/cortana-powerbi-field-selection.png
deleted file mode 100644
index 8aef58c23a..0000000000
Binary files a/windows/configuration/images/cortana-powerbi-field-selection.png and /dev/null differ
diff --git a/windows/configuration/images/cortana-powerbi-getdata-samples.png b/windows/configuration/images/cortana-powerbi-getdata-samples.png
deleted file mode 100644
index 3bfa4792df..0000000000
Binary files a/windows/configuration/images/cortana-powerbi-getdata-samples.png and /dev/null differ
diff --git a/windows/configuration/images/cortana-powerbi-getdata.png b/windows/configuration/images/cortana-powerbi-getdata.png
deleted file mode 100644
index 55b7b61589..0000000000
Binary files a/windows/configuration/images/cortana-powerbi-getdata.png and /dev/null differ
diff --git a/windows/configuration/images/cortana-powerbi-myreport.png b/windows/configuration/images/cortana-powerbi-myreport.png
deleted file mode 100644
index cc04d9c6f0..0000000000
Binary files a/windows/configuration/images/cortana-powerbi-myreport.png and /dev/null differ
diff --git a/windows/configuration/images/cortana-powerbi-pagesize.png b/windows/configuration/images/cortana-powerbi-pagesize.png
deleted file mode 100644
index fd1c1ef917..0000000000
Binary files a/windows/configuration/images/cortana-powerbi-pagesize.png and /dev/null differ
diff --git a/windows/configuration/images/cortana-powerbi-report-qna.png b/windows/configuration/images/cortana-powerbi-report-qna.png
deleted file mode 100644
index d17949aa8a..0000000000
Binary files a/windows/configuration/images/cortana-powerbi-report-qna.png and /dev/null differ
diff --git a/windows/configuration/images/cortana-powerbi-retail-analysis-dashboard.png b/windows/configuration/images/cortana-powerbi-retail-analysis-dashboard.png
deleted file mode 100644
index 5b94a2e2fc..0000000000
Binary files a/windows/configuration/images/cortana-powerbi-retail-analysis-dashboard.png and /dev/null differ
diff --git a/windows/configuration/images/cortana-powerbi-retail-analysis-dataset.png b/windows/configuration/images/cortana-powerbi-retail-analysis-dataset.png
deleted file mode 100644
index b2ffec3b70..0000000000
Binary files a/windows/configuration/images/cortana-powerbi-retail-analysis-dataset.png and /dev/null differ
diff --git a/windows/configuration/images/cortana-powerbi-retail-analysis-sample.png b/windows/configuration/images/cortana-powerbi-retail-analysis-sample.png
deleted file mode 100644
index e3b61dcaa2..0000000000
Binary files a/windows/configuration/images/cortana-powerbi-retail-analysis-sample.png and /dev/null differ
diff --git a/windows/configuration/images/cortana-powerbi-search.png b/windows/configuration/images/cortana-powerbi-search.png
deleted file mode 100644
index 88a8b40296..0000000000
Binary files a/windows/configuration/images/cortana-powerbi-search.png and /dev/null differ
diff --git a/windows/configuration/images/cortana-powerbi-settings.png b/windows/configuration/images/cortana-powerbi-settings.png
deleted file mode 100644
index 0f51229895..0000000000
Binary files a/windows/configuration/images/cortana-powerbi-settings.png and /dev/null differ
diff --git a/windows/configuration/images/cortana-redmond-weather.png b/windows/configuration/images/cortana-redmond-weather.png
deleted file mode 100644
index 7e8adc1929..0000000000
Binary files a/windows/configuration/images/cortana-redmond-weather.png and /dev/null differ
diff --git a/windows/configuration/images/cortana-reminder-edit.png b/windows/configuration/images/cortana-reminder-edit.png
deleted file mode 100644
index 79cc280947..0000000000
Binary files a/windows/configuration/images/cortana-reminder-edit.png and /dev/null differ
diff --git a/windows/configuration/images/cortana-reminder-list.png b/windows/configuration/images/cortana-reminder-list.png
deleted file mode 100644
index 1f57fc0f05..0000000000
Binary files a/windows/configuration/images/cortana-reminder-list.png and /dev/null differ
diff --git a/windows/configuration/images/cortana-reminder-mic.png b/windows/configuration/images/cortana-reminder-mic.png
deleted file mode 100644
index 46a18e8e0b..0000000000
Binary files a/windows/configuration/images/cortana-reminder-mic.png and /dev/null differ
diff --git a/windows/configuration/images/cortana-reminder-pending-mic.png b/windows/configuration/images/cortana-reminder-pending-mic.png
deleted file mode 100644
index 159d408e0a..0000000000
Binary files a/windows/configuration/images/cortana-reminder-pending-mic.png and /dev/null differ
diff --git a/windows/configuration/images/cortana-reminder-pending.png b/windows/configuration/images/cortana-reminder-pending.png
deleted file mode 100644
index a6b64b5621..0000000000
Binary files a/windows/configuration/images/cortana-reminder-pending.png and /dev/null differ
diff --git a/windows/configuration/images/cortana-send-email-coworker-mic.png b/windows/configuration/images/cortana-send-email-coworker-mic.png
deleted file mode 100644
index 0cfa8fb731..0000000000
Binary files a/windows/configuration/images/cortana-send-email-coworker-mic.png and /dev/null differ
diff --git a/windows/configuration/images/cortana-send-email-coworker.png b/windows/configuration/images/cortana-send-email-coworker.png
deleted file mode 100644
index 40ce18bdca..0000000000
Binary files a/windows/configuration/images/cortana-send-email-coworker.png and /dev/null differ
diff --git a/windows/configuration/images/cortana-suggested-reminder-settings.png b/windows/configuration/images/cortana-suggested-reminder-settings.png
deleted file mode 100644
index 176dbff483..0000000000
Binary files a/windows/configuration/images/cortana-suggested-reminder-settings.png and /dev/null differ
diff --git a/windows/configuration/images/cortana-suggested-reminder.png b/windows/configuration/images/cortana-suggested-reminder.png
deleted file mode 100644
index 4184bd1b6c..0000000000
Binary files a/windows/configuration/images/cortana-suggested-reminder.png and /dev/null differ
diff --git a/windows/configuration/images/cortana-weather-multipanel.png b/windows/configuration/images/cortana-weather-multipanel.png
deleted file mode 100644
index e8db031744..0000000000
Binary files a/windows/configuration/images/cortana-weather-multipanel.png and /dev/null differ
diff --git a/windows/configuration/images/crossmark.png b/windows/configuration/images/crossmark.png
deleted file mode 100644
index 69432ff71c..0000000000
Binary files a/windows/configuration/images/crossmark.png and /dev/null differ
diff --git a/windows/configuration/images/customize-and-export-start-layout.png b/windows/configuration/images/customize-and-export-start-layout.png
deleted file mode 100644
index 41c81ad4d3..0000000000
Binary files a/windows/configuration/images/customize-and-export-start-layout.png and /dev/null differ
diff --git a/windows/configuration/images/customize-taskbar-windows-11/taskbar-windows-11.png b/windows/configuration/images/customize-taskbar-windows-11/taskbar-windows-11.png
deleted file mode 100644
index 9baebd536f..0000000000
Binary files a/windows/configuration/images/customize-taskbar-windows-11/taskbar-windows-11.png and /dev/null differ
diff --git a/windows/configuration/images/dep-win8-l-usmt-migrationcomparemigstores.gif b/windows/configuration/images/dep-win8-l-usmt-migrationcomparemigstores.gif
deleted file mode 100644
index c23cf5f98c..0000000000
Binary files a/windows/configuration/images/dep-win8-l-usmt-migrationcomparemigstores.gif and /dev/null differ
diff --git a/windows/configuration/images/dep-win8-l-usmt-pcrefresh.jpg b/windows/configuration/images/dep-win8-l-usmt-pcrefresh.jpg
deleted file mode 100644
index 79f874d895..0000000000
Binary files a/windows/configuration/images/dep-win8-l-usmt-pcrefresh.jpg and /dev/null differ
diff --git a/windows/configuration/images/dep-win8-l-usmt-pcreplace.jpg b/windows/configuration/images/dep-win8-l-usmt-pcreplace.jpg
deleted file mode 100644
index 507f783aff..0000000000
Binary files a/windows/configuration/images/dep-win8-l-usmt-pcreplace.jpg and /dev/null differ
diff --git a/windows/configuration/images/dep-win8-l-vamt-findingcomputerdialog.gif b/windows/configuration/images/dep-win8-l-vamt-findingcomputerdialog.gif
deleted file mode 100644
index 3d745d4a77..0000000000
Binary files a/windows/configuration/images/dep-win8-l-vamt-findingcomputerdialog.gif and /dev/null differ
diff --git a/windows/configuration/images/dep-win8-l-vamt-firewallconfigurationformultiplesubnets.gif b/windows/configuration/images/dep-win8-l-vamt-firewallconfigurationformultiplesubnets.gif
deleted file mode 100644
index 21fc338e12..0000000000
Binary files a/windows/configuration/images/dep-win8-l-vamt-firewallconfigurationformultiplesubnets.gif and /dev/null differ
diff --git a/windows/configuration/images/dep-win8-l-vamt-image001-enterprise.jpg b/windows/configuration/images/dep-win8-l-vamt-image001-enterprise.jpg
deleted file mode 100644
index b7a1411562..0000000000
Binary files a/windows/configuration/images/dep-win8-l-vamt-image001-enterprise.jpg and /dev/null differ
diff --git a/windows/configuration/images/dep-win8-l-vamt-makindependentactivationscenario.jpg b/windows/configuration/images/dep-win8-l-vamt-makindependentactivationscenario.jpg
deleted file mode 100644
index 52203b7593..0000000000
Binary files a/windows/configuration/images/dep-win8-l-vamt-makindependentactivationscenario.jpg and /dev/null differ
diff --git a/windows/configuration/images/dep-win8-l-vamt-makproxyactivationscenario.jpg b/windows/configuration/images/dep-win8-l-vamt-makproxyactivationscenario.jpg
deleted file mode 100644
index 3a02a1f17e..0000000000
Binary files a/windows/configuration/images/dep-win8-l-vamt-makproxyactivationscenario.jpg and /dev/null differ
diff --git a/windows/configuration/images/deploy-finish.PNG b/windows/configuration/images/deploy-finish.PNG
deleted file mode 100644
index 4f0d5cb859..0000000000
Binary files a/windows/configuration/images/deploy-finish.PNG and /dev/null differ
diff --git a/windows/configuration/images/deploymentworkflow.png b/windows/configuration/images/deploymentworkflow.png
deleted file mode 100644
index b665a0bfea..0000000000
Binary files a/windows/configuration/images/deploymentworkflow.png and /dev/null differ
diff --git a/windows/configuration/images/developer-setup.PNG b/windows/configuration/images/developer-setup.PNG
deleted file mode 100644
index 8c93d5ed91..0000000000
Binary files a/windows/configuration/images/developer-setup.PNG and /dev/null differ
diff --git a/windows/configuration/images/disk2vhd-convert.PNG b/windows/configuration/images/disk2vhd-convert.PNG
deleted file mode 100644
index f0614a5ab1..0000000000
Binary files a/windows/configuration/images/disk2vhd-convert.PNG and /dev/null differ
diff --git a/windows/configuration/images/disk2vhd-gen2.PNG b/windows/configuration/images/disk2vhd-gen2.PNG
deleted file mode 100644
index 7f8d920f9d..0000000000
Binary files a/windows/configuration/images/disk2vhd-gen2.PNG and /dev/null differ
diff --git a/windows/configuration/images/disk2vhd.PNG b/windows/configuration/images/disk2vhd.PNG
deleted file mode 100644
index 7b9835f5f6..0000000000
Binary files a/windows/configuration/images/disk2vhd.PNG and /dev/null differ
diff --git a/windows/configuration/images/disk2vhd4.PNG b/windows/configuration/images/disk2vhd4.PNG
deleted file mode 100644
index 97f9448441..0000000000
Binary files a/windows/configuration/images/disk2vhd4.PNG and /dev/null differ
diff --git a/windows/configuration/images/doneicon.png b/windows/configuration/images/doneicon.png
deleted file mode 100644
index d80389f35b..0000000000
Binary files a/windows/configuration/images/doneicon.png and /dev/null differ
diff --git a/windows/configuration/images/download_vhd.png b/windows/configuration/images/download_vhd.png
deleted file mode 100644
index 248a512040..0000000000
Binary files a/windows/configuration/images/download_vhd.png and /dev/null differ
diff --git a/windows/configuration/images/e3-activated.png b/windows/configuration/images/e3-activated.png
deleted file mode 100644
index 7cca73443e..0000000000
Binary files a/windows/configuration/images/e3-activated.png and /dev/null differ
diff --git a/windows/configuration/images/enterprise-e3-ad-connect.png b/windows/configuration/images/enterprise-e3-ad-connect.png
deleted file mode 100644
index 195058f6f6..0000000000
Binary files a/windows/configuration/images/enterprise-e3-ad-connect.png and /dev/null differ
diff --git a/windows/configuration/images/enterprise-e3-choose-how.png b/windows/configuration/images/enterprise-e3-choose-how.png
deleted file mode 100644
index 8e84535bfd..0000000000
Binary files a/windows/configuration/images/enterprise-e3-choose-how.png and /dev/null differ
diff --git a/windows/configuration/images/enterprise-e3-connect-to-work-or-school.png b/windows/configuration/images/enterprise-e3-connect-to-work-or-school.png
deleted file mode 100644
index 90e1b1131f..0000000000
Binary files a/windows/configuration/images/enterprise-e3-connect-to-work-or-school.png and /dev/null differ
diff --git a/windows/configuration/images/enterprise-e3-lets-get-2.png b/windows/configuration/images/enterprise-e3-lets-get-2.png
deleted file mode 100644
index ef523d4af8..0000000000
Binary files a/windows/configuration/images/enterprise-e3-lets-get-2.png and /dev/null differ
diff --git a/windows/configuration/images/enterprise-e3-lets-get.png b/windows/configuration/images/enterprise-e3-lets-get.png
deleted file mode 100644
index 582da1ab2d..0000000000
Binary files a/windows/configuration/images/enterprise-e3-lets-get.png and /dev/null differ
diff --git a/windows/configuration/images/enterprise-e3-set-up-work-or-school.png b/windows/configuration/images/enterprise-e3-set-up-work-or-school.png
deleted file mode 100644
index 72844d7622..0000000000
Binary files a/windows/configuration/images/enterprise-e3-set-up-work-or-school.png and /dev/null differ
diff --git a/windows/configuration/images/enterprise-e3-sign-in.png b/windows/configuration/images/enterprise-e3-sign-in.png
deleted file mode 100644
index 3029d3ef2b..0000000000
Binary files a/windows/configuration/images/enterprise-e3-sign-in.png and /dev/null differ
diff --git a/windows/configuration/images/enterprise-e3-who-owns.png b/windows/configuration/images/enterprise-e3-who-owns.png
deleted file mode 100644
index c3008869d2..0000000000
Binary files a/windows/configuration/images/enterprise-e3-who-owns.png and /dev/null differ
diff --git a/windows/configuration/images/enterprise-e3-win-10-activated-enterprise-subscription-active.png b/windows/configuration/images/enterprise-e3-win-10-activated-enterprise-subscription-active.png
deleted file mode 100644
index eb888b23b5..0000000000
Binary files a/windows/configuration/images/enterprise-e3-win-10-activated-enterprise-subscription-active.png and /dev/null differ
diff --git a/windows/configuration/images/enterprise-e3-win-10-activated-enterprise-subscription-not-active.png b/windows/configuration/images/enterprise-e3-win-10-activated-enterprise-subscription-not-active.png
deleted file mode 100644
index e4ac7398be..0000000000
Binary files a/windows/configuration/images/enterprise-e3-win-10-activated-enterprise-subscription-not-active.png and /dev/null differ
diff --git a/windows/configuration/images/enterprise-e3-win-10-not-activated-enterprise-subscription-active.png b/windows/configuration/images/enterprise-e3-win-10-not-activated-enterprise-subscription-active.png
deleted file mode 100644
index 5fedfe5d06..0000000000
Binary files a/windows/configuration/images/enterprise-e3-win-10-not-activated-enterprise-subscription-active.png and /dev/null differ
diff --git a/windows/configuration/images/enterprise-e3-win-10-not-activated-enterprise-subscription-not-active.png b/windows/configuration/images/enterprise-e3-win-10-not-activated-enterprise-subscription-not-active.png
deleted file mode 100644
index 84e39071db..0000000000
Binary files a/windows/configuration/images/enterprise-e3-win-10-not-activated-enterprise-subscription-not-active.png and /dev/null differ
diff --git a/windows/configuration/images/export-mgt-desktop.png b/windows/configuration/images/export-mgt-desktop.png
deleted file mode 100644
index 13349c3b4e..0000000000
Binary files a/windows/configuration/images/export-mgt-desktop.png and /dev/null differ
diff --git a/windows/configuration/images/export-mgt-mobile.png b/windows/configuration/images/export-mgt-mobile.png
deleted file mode 100644
index 6a74c23e59..0000000000
Binary files a/windows/configuration/images/export-mgt-mobile.png and /dev/null differ
diff --git a/windows/configuration/images/express-settings.png b/windows/configuration/images/express-settings.png
deleted file mode 100644
index 99e9c4825a..0000000000
Binary files a/windows/configuration/images/express-settings.png and /dev/null differ
diff --git a/windows/configuration/images/fig1-deferupgrades.png b/windows/configuration/images/fig1-deferupgrades.png
deleted file mode 100644
index f8c52b943e..0000000000
Binary files a/windows/configuration/images/fig1-deferupgrades.png and /dev/null differ
diff --git a/windows/configuration/images/fig10-contosoinstall.png b/windows/configuration/images/fig10-contosoinstall.png
deleted file mode 100644
index ac4eaf2aa0..0000000000
Binary files a/windows/configuration/images/fig10-contosoinstall.png and /dev/null differ
diff --git a/windows/configuration/images/fig10-unattend.png b/windows/configuration/images/fig10-unattend.png
deleted file mode 100644
index a9d2bc16df..0000000000
Binary files a/windows/configuration/images/fig10-unattend.png and /dev/null differ
diff --git a/windows/configuration/images/fig13-captureimage.png b/windows/configuration/images/fig13-captureimage.png
deleted file mode 100644
index 678a43ca73..0000000000
Binary files a/windows/configuration/images/fig13-captureimage.png and /dev/null differ
diff --git a/windows/configuration/images/fig16-contentstatus.png b/windows/configuration/images/fig16-contentstatus.png
deleted file mode 100644
index 5ea8ba275a..0000000000
Binary files a/windows/configuration/images/fig16-contentstatus.png and /dev/null differ
diff --git a/windows/configuration/images/fig17-win10image.png b/windows/configuration/images/fig17-win10image.png
deleted file mode 100644
index d16eee554d..0000000000
Binary files a/windows/configuration/images/fig17-win10image.png and /dev/null differ
diff --git a/windows/configuration/images/fig18-distwindows.png b/windows/configuration/images/fig18-distwindows.png
deleted file mode 100644
index d8525ddd3e..0000000000
Binary files a/windows/configuration/images/fig18-distwindows.png and /dev/null differ
diff --git a/windows/configuration/images/fig2-deploymenttimeline.png b/windows/configuration/images/fig2-deploymenttimeline.png
deleted file mode 100644
index a8061d2f15..0000000000
Binary files a/windows/configuration/images/fig2-deploymenttimeline.png and /dev/null differ
diff --git a/windows/configuration/images/fig2-gather.png b/windows/configuration/images/fig2-gather.png
deleted file mode 100644
index 01ffca2770..0000000000
Binary files a/windows/configuration/images/fig2-gather.png and /dev/null differ
diff --git a/windows/configuration/images/fig2-importedos.png b/windows/configuration/images/fig2-importedos.png
deleted file mode 100644
index ed72d2ef4d..0000000000
Binary files a/windows/configuration/images/fig2-importedos.png and /dev/null differ
diff --git a/windows/configuration/images/fig2-taskseq.png b/windows/configuration/images/fig2-taskseq.png
deleted file mode 100644
index 1da70bd6e7..0000000000
Binary files a/windows/configuration/images/fig2-taskseq.png and /dev/null differ
diff --git a/windows/configuration/images/fig21-add-drivers.png b/windows/configuration/images/fig21-add-drivers.png
deleted file mode 100644
index f53fe672e2..0000000000
Binary files a/windows/configuration/images/fig21-add-drivers.png and /dev/null differ
diff --git a/windows/configuration/images/fig22-createcategories.png b/windows/configuration/images/fig22-createcategories.png
deleted file mode 100644
index 8912ad974f..0000000000
Binary files a/windows/configuration/images/fig22-createcategories.png and /dev/null differ
diff --git a/windows/configuration/images/fig27-driverpackage.png b/windows/configuration/images/fig27-driverpackage.png
deleted file mode 100644
index c2f66669be..0000000000
Binary files a/windows/configuration/images/fig27-driverpackage.png and /dev/null differ
diff --git a/windows/configuration/images/fig28-addapp.png b/windows/configuration/images/fig28-addapp.png
deleted file mode 100644
index a7ba6b3709..0000000000
Binary files a/windows/configuration/images/fig28-addapp.png and /dev/null differ
diff --git a/windows/configuration/images/fig3-overlaprelease.png b/windows/configuration/images/fig3-overlaprelease.png
deleted file mode 100644
index 58747a35cf..0000000000
Binary files a/windows/configuration/images/fig3-overlaprelease.png and /dev/null differ
diff --git a/windows/configuration/images/fig30-settingspack.png b/windows/configuration/images/fig30-settingspack.png
deleted file mode 100644
index 3479184140..0000000000
Binary files a/windows/configuration/images/fig30-settingspack.png and /dev/null differ
diff --git a/windows/configuration/images/fig32-deploywiz.png b/windows/configuration/images/fig32-deploywiz.png
deleted file mode 100644
index a1387b19d8..0000000000
Binary files a/windows/configuration/images/fig32-deploywiz.png and /dev/null differ
diff --git a/windows/configuration/images/fig4-oob-drivers.png b/windows/configuration/images/fig4-oob-drivers.png
deleted file mode 100644
index b1f6924665..0000000000
Binary files a/windows/configuration/images/fig4-oob-drivers.png and /dev/null differ
diff --git a/windows/configuration/images/fig5-selectprofile.png b/windows/configuration/images/fig5-selectprofile.png
deleted file mode 100644
index 452ab4f581..0000000000
Binary files a/windows/configuration/images/fig5-selectprofile.png and /dev/null differ
diff --git a/windows/configuration/images/fig6-taskseq.png b/windows/configuration/images/fig6-taskseq.png
deleted file mode 100644
index 8696cc04c4..0000000000
Binary files a/windows/configuration/images/fig6-taskseq.png and /dev/null differ
diff --git a/windows/configuration/images/fig8-cust-tasks.png b/windows/configuration/images/fig8-cust-tasks.png
deleted file mode 100644
index 378215ee2b..0000000000
Binary files a/windows/configuration/images/fig8-cust-tasks.png and /dev/null differ
diff --git a/windows/configuration/images/fig8-suspend.png b/windows/configuration/images/fig8-suspend.png
deleted file mode 100644
index 8094f01274..0000000000
Binary files a/windows/configuration/images/fig8-suspend.png and /dev/null differ
diff --git a/windows/configuration/images/fig9-resumetaskseq.png b/windows/configuration/images/fig9-resumetaskseq.png
deleted file mode 100644
index 0a83019f69..0000000000
Binary files a/windows/configuration/images/fig9-resumetaskseq.png and /dev/null differ
diff --git a/windows/configuration/images/figure4-deployment-workbench.png b/windows/configuration/images/figure4-deployment-workbench.png
deleted file mode 100644
index b5d0e7cc32..0000000000
Binary files a/windows/configuration/images/figure4-deployment-workbench.png and /dev/null differ
diff --git a/windows/configuration/images/finish-details-mobile.PNG b/windows/configuration/images/finish-details-mobile.PNG
deleted file mode 100644
index c25a6b4b2f..0000000000
Binary files a/windows/configuration/images/finish-details-mobile.PNG and /dev/null differ
diff --git a/windows/configuration/images/finish-mobile.PNG b/windows/configuration/images/finish-mobile.PNG
deleted file mode 100644
index 336e24289e..0000000000
Binary files a/windows/configuration/images/finish-mobile.PNG and /dev/null differ
diff --git a/windows/configuration/images/finish.PNG b/windows/configuration/images/finish.PNG
deleted file mode 100644
index 7c65da1799..0000000000
Binary files a/windows/configuration/images/finish.PNG and /dev/null differ
diff --git a/windows/configuration/images/five.png b/windows/configuration/images/five.png
deleted file mode 100644
index 961f0e15b7..0000000000
Binary files a/windows/configuration/images/five.png and /dev/null differ
diff --git a/windows/configuration/images/four.png b/windows/configuration/images/four.png
deleted file mode 100644
index 0fef213b37..0000000000
Binary files a/windows/configuration/images/four.png and /dev/null differ
diff --git a/windows/configuration/images/gp-branch.png b/windows/configuration/images/gp-branch.png
deleted file mode 100644
index 997bcc830a..0000000000
Binary files a/windows/configuration/images/gp-branch.png and /dev/null differ
diff --git a/windows/configuration/images/gp-exclude-drivers.png b/windows/configuration/images/gp-exclude-drivers.png
deleted file mode 100644
index 0010749139..0000000000
Binary files a/windows/configuration/images/gp-exclude-drivers.png and /dev/null differ
diff --git a/windows/configuration/images/gp-feature.png b/windows/configuration/images/gp-feature.png
deleted file mode 100644
index b862d545d4..0000000000
Binary files a/windows/configuration/images/gp-feature.png and /dev/null differ
diff --git a/windows/configuration/images/gp-quality.png b/windows/configuration/images/gp-quality.png
deleted file mode 100644
index d7ff30172d..0000000000
Binary files a/windows/configuration/images/gp-quality.png and /dev/null differ
diff --git a/windows/configuration/images/hyper-v-feature.png b/windows/configuration/images/hyper-v-feature.png
deleted file mode 100644
index d7293d808e..0000000000
Binary files a/windows/configuration/images/hyper-v-feature.png and /dev/null differ
diff --git a/windows/configuration/images/icd-adv-shared-pc.PNG b/windows/configuration/images/icd-adv-shared-pc.PNG
deleted file mode 100644
index a8da5fa78a..0000000000
Binary files a/windows/configuration/images/icd-adv-shared-pc.PNG and /dev/null differ
diff --git a/windows/configuration/images/icd-create-options.PNG b/windows/configuration/images/icd-create-options.PNG
deleted file mode 100644
index e61cdd8fc0..0000000000
Binary files a/windows/configuration/images/icd-create-options.PNG and /dev/null differ
diff --git a/windows/configuration/images/icd-install.PNG b/windows/configuration/images/icd-install.PNG
deleted file mode 100644
index a0c80683ff..0000000000
Binary files a/windows/configuration/images/icd-install.PNG and /dev/null differ
diff --git a/windows/configuration/images/icd-school.PNG b/windows/configuration/images/icd-school.PNG
deleted file mode 100644
index e6a944a193..0000000000
Binary files a/windows/configuration/images/icd-school.PNG and /dev/null differ
diff --git a/windows/configuration/images/icd-settings.PNG b/windows/configuration/images/icd-settings.PNG
deleted file mode 100644
index 8d3ebc3ff6..0000000000
Binary files a/windows/configuration/images/icd-settings.PNG and /dev/null differ
diff --git a/windows/configuration/images/icd-simple.PNG b/windows/configuration/images/icd-simple.PNG
deleted file mode 100644
index 7ae8a1728b..0000000000
Binary files a/windows/configuration/images/icd-simple.PNG and /dev/null differ
diff --git a/windows/configuration/images/icdbrowse.png b/windows/configuration/images/icdbrowse.png
deleted file mode 100644
index 53c91074c7..0000000000
Binary files a/windows/configuration/images/icdbrowse.png and /dev/null differ
diff --git a/windows/configuration/images/icons/accessibility.svg b/windows/configuration/images/icons/accessibility.svg
deleted file mode 100644
index 21a6b4f235..0000000000
--- a/windows/configuration/images/icons/accessibility.svg
+++ /dev/null
@@ -1,3 +0,0 @@
-
\ No newline at end of file
diff --git a/windows/configuration/images/icons/group-policy.svg b/windows/configuration/images/icons/group-policy.svg
deleted file mode 100644
index ace95add6b..0000000000
--- a/windows/configuration/images/icons/group-policy.svg
+++ /dev/null
@@ -1,3 +0,0 @@
-
\ No newline at end of file
diff --git a/windows/configuration/images/icons/registry.svg b/windows/configuration/images/icons/registry.svg
deleted file mode 100644
index 06ab4c09d7..0000000000
--- a/windows/configuration/images/icons/registry.svg
+++ /dev/null
@@ -1,22 +0,0 @@
-
\ No newline at end of file
diff --git a/windows/configuration/images/icons/windows-os.svg b/windows/configuration/images/icons/windows-os.svg
deleted file mode 100644
index da64baf975..0000000000
--- a/windows/configuration/images/icons/windows-os.svg
+++ /dev/null
@@ -1,3 +0,0 @@
-
\ No newline at end of file
diff --git a/windows/configuration/images/identitychoices.png b/windows/configuration/images/identitychoices.png
deleted file mode 100644
index 9a69c04f20..0000000000
Binary files a/windows/configuration/images/identitychoices.png and /dev/null differ
diff --git a/windows/configuration/images/image.PNG b/windows/configuration/images/image.PNG
deleted file mode 100644
index 0bbadcb68f..0000000000
Binary files a/windows/configuration/images/image.PNG and /dev/null differ
diff --git a/windows/configuration/images/installing-drivers.png b/windows/configuration/images/installing-drivers.png
deleted file mode 100644
index 22d7808fad..0000000000
Binary files a/windows/configuration/images/installing-drivers.png and /dev/null differ
diff --git a/windows/configuration/images/kiosk-intune.PNG b/windows/configuration/images/kiosk-intune.PNG
deleted file mode 100644
index 2cbe25c6a5..0000000000
Binary files a/windows/configuration/images/kiosk-intune.PNG and /dev/null differ
diff --git a/windows/configuration/images/launchicon.png b/windows/configuration/images/launchicon.png
deleted file mode 100644
index d469c68a2c..0000000000
Binary files a/windows/configuration/images/launchicon.png and /dev/null differ
diff --git a/windows/configuration/images/ld-apps.PNG b/windows/configuration/images/ld-apps.PNG
deleted file mode 100644
index ef65ff9a52..0000000000
Binary files a/windows/configuration/images/ld-apps.PNG and /dev/null differ
diff --git a/windows/configuration/images/ld-buttons.PNG b/windows/configuration/images/ld-buttons.PNG
deleted file mode 100644
index d89eff3b35..0000000000
Binary files a/windows/configuration/images/ld-buttons.PNG and /dev/null differ
diff --git a/windows/configuration/images/ld-connect.PNG b/windows/configuration/images/ld-connect.PNG
deleted file mode 100644
index 15094b0e2b..0000000000
Binary files a/windows/configuration/images/ld-connect.PNG and /dev/null differ
diff --git a/windows/configuration/images/ld-csp.PNG b/windows/configuration/images/ld-csp.PNG
deleted file mode 100644
index 6d7caa5163..0000000000
Binary files a/windows/configuration/images/ld-csp.PNG and /dev/null differ
diff --git a/windows/configuration/images/ld-export.PNG b/windows/configuration/images/ld-export.PNG
deleted file mode 100644
index 970e5939bc..0000000000
Binary files a/windows/configuration/images/ld-export.PNG and /dev/null differ
diff --git a/windows/configuration/images/ld-other.PNG b/windows/configuration/images/ld-other.PNG
deleted file mode 100644
index c8b5f7518a..0000000000
Binary files a/windows/configuration/images/ld-other.PNG and /dev/null differ
diff --git a/windows/configuration/images/ld-pair.PNG b/windows/configuration/images/ld-pair.PNG
deleted file mode 100644
index 0859810e73..0000000000
Binary files a/windows/configuration/images/ld-pair.PNG and /dev/null differ
diff --git a/windows/configuration/images/ld-quick.PNG b/windows/configuration/images/ld-quick.PNG
deleted file mode 100644
index 63a6173103..0000000000
Binary files a/windows/configuration/images/ld-quick.PNG and /dev/null differ
diff --git a/windows/configuration/images/ld-role.PNG b/windows/configuration/images/ld-role.PNG
deleted file mode 100644
index b229af1a17..0000000000
Binary files a/windows/configuration/images/ld-role.PNG and /dev/null differ
diff --git a/windows/configuration/images/ld-settings.PNG b/windows/configuration/images/ld-settings.PNG
deleted file mode 100644
index eb6a37d925..0000000000
Binary files a/windows/configuration/images/ld-settings.PNG and /dev/null differ
diff --git a/windows/configuration/images/ld-start.PNG b/windows/configuration/images/ld-start.PNG
deleted file mode 100644
index 4081f3e1e2..0000000000
Binary files a/windows/configuration/images/ld-start.PNG and /dev/null differ
diff --git a/windows/configuration/images/ld-sync.PNG b/windows/configuration/images/ld-sync.PNG
deleted file mode 100644
index 3f54d910ac..0000000000
Binary files a/windows/configuration/images/ld-sync.PNG and /dev/null differ
diff --git a/windows/configuration/images/ldstore.PNG b/windows/configuration/images/ldstore.PNG
deleted file mode 100644
index 63f0eedee7..0000000000
Binary files a/windows/configuration/images/ldstore.PNG and /dev/null differ
diff --git a/windows/configuration/images/license-terms.png b/windows/configuration/images/license-terms.png
deleted file mode 100644
index 8dd34b0a18..0000000000
Binary files a/windows/configuration/images/license-terms.png and /dev/null differ
diff --git a/windows/configuration/images/lily.jpg b/windows/configuration/images/lily.jpg
deleted file mode 100644
index eb144d1f2b..0000000000
Binary files a/windows/configuration/images/lily.jpg and /dev/null differ
diff --git a/windows/configuration/images/mdm-diag-report-powershell.PNG b/windows/configuration/images/mdm-diag-report-powershell.PNG
deleted file mode 100644
index 86f5b49211..0000000000
Binary files a/windows/configuration/images/mdm-diag-report-powershell.PNG and /dev/null differ
diff --git a/windows/configuration/images/mdm.png b/windows/configuration/images/mdm.png
deleted file mode 100644
index 8ebcc00526..0000000000
Binary files a/windows/configuration/images/mdm.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-01-fig01.png b/windows/configuration/images/mdt-01-fig01.png
deleted file mode 100644
index d7f8c4e452..0000000000
Binary files a/windows/configuration/images/mdt-01-fig01.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-01-fig02.jpg b/windows/configuration/images/mdt-01-fig02.jpg
deleted file mode 100644
index 1533bdd336..0000000000
Binary files a/windows/configuration/images/mdt-01-fig02.jpg and /dev/null differ
diff --git a/windows/configuration/images/mdt-03-fig01.png b/windows/configuration/images/mdt-03-fig01.png
deleted file mode 100644
index fc68fb0c25..0000000000
Binary files a/windows/configuration/images/mdt-03-fig01.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-03-fig02.png b/windows/configuration/images/mdt-03-fig02.png
deleted file mode 100644
index d0fd979449..0000000000
Binary files a/windows/configuration/images/mdt-03-fig02.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-03-fig03.png b/windows/configuration/images/mdt-03-fig03.png
deleted file mode 100644
index ba1de39aa0..0000000000
Binary files a/windows/configuration/images/mdt-03-fig03.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-03-fig04.png b/windows/configuration/images/mdt-03-fig04.png
deleted file mode 100644
index 26600a2036..0000000000
Binary files a/windows/configuration/images/mdt-03-fig04.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-03-fig05.png b/windows/configuration/images/mdt-03-fig05.png
deleted file mode 100644
index 9c44837022..0000000000
Binary files a/windows/configuration/images/mdt-03-fig05.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-04-fig01.png b/windows/configuration/images/mdt-04-fig01.png
deleted file mode 100644
index 8a90c1a934..0000000000
Binary files a/windows/configuration/images/mdt-04-fig01.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-05-fig01.png b/windows/configuration/images/mdt-05-fig01.png
deleted file mode 100644
index 490f1579d9..0000000000
Binary files a/windows/configuration/images/mdt-05-fig01.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-05-fig02.png b/windows/configuration/images/mdt-05-fig02.png
deleted file mode 100644
index 1223432581..0000000000
Binary files a/windows/configuration/images/mdt-05-fig02.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-05-fig03.png b/windows/configuration/images/mdt-05-fig03.png
deleted file mode 100644
index a0ffbec429..0000000000
Binary files a/windows/configuration/images/mdt-05-fig03.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-05-fig04.png b/windows/configuration/images/mdt-05-fig04.png
deleted file mode 100644
index 778cbae1b7..0000000000
Binary files a/windows/configuration/images/mdt-05-fig04.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-05-fig05.png b/windows/configuration/images/mdt-05-fig05.png
deleted file mode 100644
index e172a29754..0000000000
Binary files a/windows/configuration/images/mdt-05-fig05.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-05-fig07.png b/windows/configuration/images/mdt-05-fig07.png
deleted file mode 100644
index 135a2367c1..0000000000
Binary files a/windows/configuration/images/mdt-05-fig07.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-05-fig08.png b/windows/configuration/images/mdt-05-fig08.png
deleted file mode 100644
index 1f4534e89b..0000000000
Binary files a/windows/configuration/images/mdt-05-fig08.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-05-fig09.png b/windows/configuration/images/mdt-05-fig09.png
deleted file mode 100644
index a3d0155096..0000000000
Binary files a/windows/configuration/images/mdt-05-fig09.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-05-fig10.png b/windows/configuration/images/mdt-05-fig10.png
deleted file mode 100644
index 576da23ea6..0000000000
Binary files a/windows/configuration/images/mdt-05-fig10.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-06-fig01.png b/windows/configuration/images/mdt-06-fig01.png
deleted file mode 100644
index 466cfda0f4..0000000000
Binary files a/windows/configuration/images/mdt-06-fig01.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-06-fig03.png b/windows/configuration/images/mdt-06-fig03.png
deleted file mode 100644
index 9d2786e46a..0000000000
Binary files a/windows/configuration/images/mdt-06-fig03.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-06-fig04.png b/windows/configuration/images/mdt-06-fig04.png
deleted file mode 100644
index 216e1f371b..0000000000
Binary files a/windows/configuration/images/mdt-06-fig04.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-06-fig05.png b/windows/configuration/images/mdt-06-fig05.png
deleted file mode 100644
index 3af74bb5ee..0000000000
Binary files a/windows/configuration/images/mdt-06-fig05.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-06-fig06.png b/windows/configuration/images/mdt-06-fig06.png
deleted file mode 100644
index 324c8960c1..0000000000
Binary files a/windows/configuration/images/mdt-06-fig06.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-06-fig07.png b/windows/configuration/images/mdt-06-fig07.png
deleted file mode 100644
index 399fac75f6..0000000000
Binary files a/windows/configuration/images/mdt-06-fig07.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-06-fig08.png b/windows/configuration/images/mdt-06-fig08.png
deleted file mode 100644
index 33cb90327a..0000000000
Binary files a/windows/configuration/images/mdt-06-fig08.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-06-fig10.png b/windows/configuration/images/mdt-06-fig10.png
deleted file mode 100644
index 1d92505b96..0000000000
Binary files a/windows/configuration/images/mdt-06-fig10.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-06-fig12.png b/windows/configuration/images/mdt-06-fig12.png
deleted file mode 100644
index f33eca6174..0000000000
Binary files a/windows/configuration/images/mdt-06-fig12.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-06-fig13.png b/windows/configuration/images/mdt-06-fig13.png
deleted file mode 100644
index ab578f69fe..0000000000
Binary files a/windows/configuration/images/mdt-06-fig13.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-06-fig14.png b/windows/configuration/images/mdt-06-fig14.png
deleted file mode 100644
index 13158231fd..0000000000
Binary files a/windows/configuration/images/mdt-06-fig14.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-06-fig15.png b/windows/configuration/images/mdt-06-fig15.png
deleted file mode 100644
index 2f1a0eba18..0000000000
Binary files a/windows/configuration/images/mdt-06-fig15.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-06-fig16.png b/windows/configuration/images/mdt-06-fig16.png
deleted file mode 100644
index 40cb46adbd..0000000000
Binary files a/windows/configuration/images/mdt-06-fig16.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-06-fig20.png b/windows/configuration/images/mdt-06-fig20.png
deleted file mode 100644
index 475fad7597..0000000000
Binary files a/windows/configuration/images/mdt-06-fig20.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-06-fig21.png b/windows/configuration/images/mdt-06-fig21.png
deleted file mode 100644
index 7cbd1d20bc..0000000000
Binary files a/windows/configuration/images/mdt-06-fig21.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-06-fig26.png b/windows/configuration/images/mdt-06-fig26.png
deleted file mode 100644
index fc56839b14..0000000000
Binary files a/windows/configuration/images/mdt-06-fig26.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-06-fig31.png b/windows/configuration/images/mdt-06-fig31.png
deleted file mode 100644
index 5e98d623b1..0000000000
Binary files a/windows/configuration/images/mdt-06-fig31.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-06-fig33.png b/windows/configuration/images/mdt-06-fig33.png
deleted file mode 100644
index 18ae4c82dd..0000000000
Binary files a/windows/configuration/images/mdt-06-fig33.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-06-fig35.png b/windows/configuration/images/mdt-06-fig35.png
deleted file mode 100644
index a68750925d..0000000000
Binary files a/windows/configuration/images/mdt-06-fig35.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-06-fig36.png b/windows/configuration/images/mdt-06-fig36.png
deleted file mode 100644
index a8350244bd..0000000000
Binary files a/windows/configuration/images/mdt-06-fig36.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-06-fig37.png b/windows/configuration/images/mdt-06-fig37.png
deleted file mode 100644
index 5a89f2f431..0000000000
Binary files a/windows/configuration/images/mdt-06-fig37.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-06-fig39.png b/windows/configuration/images/mdt-06-fig39.png
deleted file mode 100644
index 650aec9a30..0000000000
Binary files a/windows/configuration/images/mdt-06-fig39.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-06-fig42.png b/windows/configuration/images/mdt-06-fig42.png
deleted file mode 100644
index 12b0e6817a..0000000000
Binary files a/windows/configuration/images/mdt-06-fig42.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-06-fig43.png b/windows/configuration/images/mdt-06-fig43.png
deleted file mode 100644
index 015edd21e3..0000000000
Binary files a/windows/configuration/images/mdt-06-fig43.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-07-fig01.png b/windows/configuration/images/mdt-07-fig01.png
deleted file mode 100644
index b2ccfec334..0000000000
Binary files a/windows/configuration/images/mdt-07-fig01.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-07-fig03.png b/windows/configuration/images/mdt-07-fig03.png
deleted file mode 100644
index c178d6a15d..0000000000
Binary files a/windows/configuration/images/mdt-07-fig03.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-07-fig08.png b/windows/configuration/images/mdt-07-fig08.png
deleted file mode 100644
index 66e2969916..0000000000
Binary files a/windows/configuration/images/mdt-07-fig08.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-07-fig09.png b/windows/configuration/images/mdt-07-fig09.png
deleted file mode 100644
index ce320427ee..0000000000
Binary files a/windows/configuration/images/mdt-07-fig09.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-07-fig10.png b/windows/configuration/images/mdt-07-fig10.png
deleted file mode 100644
index 7aff3c2d76..0000000000
Binary files a/windows/configuration/images/mdt-07-fig10.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-07-fig11.png b/windows/configuration/images/mdt-07-fig11.png
deleted file mode 100644
index 905f8bd572..0000000000
Binary files a/windows/configuration/images/mdt-07-fig11.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-07-fig13.png b/windows/configuration/images/mdt-07-fig13.png
deleted file mode 100644
index 849949a2f2..0000000000
Binary files a/windows/configuration/images/mdt-07-fig13.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-07-fig14.png b/windows/configuration/images/mdt-07-fig14.png
deleted file mode 100644
index cfe7843eeb..0000000000
Binary files a/windows/configuration/images/mdt-07-fig14.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-07-fig15.png b/windows/configuration/images/mdt-07-fig15.png
deleted file mode 100644
index 5271690c89..0000000000
Binary files a/windows/configuration/images/mdt-07-fig15.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-07-fig16.png b/windows/configuration/images/mdt-07-fig16.png
deleted file mode 100644
index 80e0925a40..0000000000
Binary files a/windows/configuration/images/mdt-07-fig16.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-08-fig01.png b/windows/configuration/images/mdt-08-fig01.png
deleted file mode 100644
index 7f795c42d4..0000000000
Binary files a/windows/configuration/images/mdt-08-fig01.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-08-fig02.png b/windows/configuration/images/mdt-08-fig02.png
deleted file mode 100644
index 50c97d8d0c..0000000000
Binary files a/windows/configuration/images/mdt-08-fig02.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-08-fig03.png b/windows/configuration/images/mdt-08-fig03.png
deleted file mode 100644
index e80b242192..0000000000
Binary files a/windows/configuration/images/mdt-08-fig03.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-08-fig05.png b/windows/configuration/images/mdt-08-fig05.png
deleted file mode 100644
index 62ae133bb8..0000000000
Binary files a/windows/configuration/images/mdt-08-fig05.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-08-fig06.png b/windows/configuration/images/mdt-08-fig06.png
deleted file mode 100644
index 97d83a20fb..0000000000
Binary files a/windows/configuration/images/mdt-08-fig06.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-08-fig14.png b/windows/configuration/images/mdt-08-fig14.png
deleted file mode 100644
index 21b358d1f8..0000000000
Binary files a/windows/configuration/images/mdt-08-fig14.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-08-fig15.png b/windows/configuration/images/mdt-08-fig15.png
deleted file mode 100644
index 2a8bc4252e..0000000000
Binary files a/windows/configuration/images/mdt-08-fig15.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-09-fig01.png b/windows/configuration/images/mdt-09-fig01.png
deleted file mode 100644
index 0549174435..0000000000
Binary files a/windows/configuration/images/mdt-09-fig01.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-09-fig02.png b/windows/configuration/images/mdt-09-fig02.png
deleted file mode 100644
index dd69922d80..0000000000
Binary files a/windows/configuration/images/mdt-09-fig02.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-09-fig03.png b/windows/configuration/images/mdt-09-fig03.png
deleted file mode 100644
index 56102b2031..0000000000
Binary files a/windows/configuration/images/mdt-09-fig03.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-09-fig04.png b/windows/configuration/images/mdt-09-fig04.png
deleted file mode 100644
index f123d85af5..0000000000
Binary files a/windows/configuration/images/mdt-09-fig04.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-09-fig06.png b/windows/configuration/images/mdt-09-fig06.png
deleted file mode 100644
index 49042d95f3..0000000000
Binary files a/windows/configuration/images/mdt-09-fig06.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-09-fig07.png b/windows/configuration/images/mdt-09-fig07.png
deleted file mode 100644
index 431f212f80..0000000000
Binary files a/windows/configuration/images/mdt-09-fig07.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-09-fig08.png b/windows/configuration/images/mdt-09-fig08.png
deleted file mode 100644
index c73ef398e4..0000000000
Binary files a/windows/configuration/images/mdt-09-fig08.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-09-fig09.png b/windows/configuration/images/mdt-09-fig09.png
deleted file mode 100644
index 14614aaa42..0000000000
Binary files a/windows/configuration/images/mdt-09-fig09.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-09-fig10.png b/windows/configuration/images/mdt-09-fig10.png
deleted file mode 100644
index c8dbe11eac..0000000000
Binary files a/windows/configuration/images/mdt-09-fig10.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-09-fig11.png b/windows/configuration/images/mdt-09-fig11.png
deleted file mode 100644
index dd38911dfc..0000000000
Binary files a/windows/configuration/images/mdt-09-fig11.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-09-fig12.png b/windows/configuration/images/mdt-09-fig12.png
deleted file mode 100644
index ed363ae01a..0000000000
Binary files a/windows/configuration/images/mdt-09-fig12.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-09-fig13.png b/windows/configuration/images/mdt-09-fig13.png
deleted file mode 100644
index 5155b0ecf0..0000000000
Binary files a/windows/configuration/images/mdt-09-fig13.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-09-fig14.png b/windows/configuration/images/mdt-09-fig14.png
deleted file mode 100644
index f294a8d69f..0000000000
Binary files a/windows/configuration/images/mdt-09-fig14.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-09-fig15.png b/windows/configuration/images/mdt-09-fig15.png
deleted file mode 100644
index f8de66afbd..0000000000
Binary files a/windows/configuration/images/mdt-09-fig15.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-09-fig16.png b/windows/configuration/images/mdt-09-fig16.png
deleted file mode 100644
index ad04b64077..0000000000
Binary files a/windows/configuration/images/mdt-09-fig16.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-09-fig17.png b/windows/configuration/images/mdt-09-fig17.png
deleted file mode 100644
index fe4503b950..0000000000
Binary files a/windows/configuration/images/mdt-09-fig17.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-09-fig18.png b/windows/configuration/images/mdt-09-fig18.png
deleted file mode 100644
index 4f087172d9..0000000000
Binary files a/windows/configuration/images/mdt-09-fig18.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-09-fig19.png b/windows/configuration/images/mdt-09-fig19.png
deleted file mode 100644
index 917444c811..0000000000
Binary files a/windows/configuration/images/mdt-09-fig19.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-09-fig20.png b/windows/configuration/images/mdt-09-fig20.png
deleted file mode 100644
index 6c2d1c4dba..0000000000
Binary files a/windows/configuration/images/mdt-09-fig20.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-09-fig21.png b/windows/configuration/images/mdt-09-fig21.png
deleted file mode 100644
index 628ea98ad9..0000000000
Binary files a/windows/configuration/images/mdt-09-fig21.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-09-fig22.png b/windows/configuration/images/mdt-09-fig22.png
deleted file mode 100644
index 9d71f62796..0000000000
Binary files a/windows/configuration/images/mdt-09-fig22.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-09-fig23.png b/windows/configuration/images/mdt-09-fig23.png
deleted file mode 100644
index 4cd29dc389..0000000000
Binary files a/windows/configuration/images/mdt-09-fig23.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-09-fig24.png b/windows/configuration/images/mdt-09-fig24.png
deleted file mode 100644
index 89cb67a048..0000000000
Binary files a/windows/configuration/images/mdt-09-fig24.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-09-fig25.png b/windows/configuration/images/mdt-09-fig25.png
deleted file mode 100644
index fb308c0be5..0000000000
Binary files a/windows/configuration/images/mdt-09-fig25.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-09-fig26.png b/windows/configuration/images/mdt-09-fig26.png
deleted file mode 100644
index 681c6516cd..0000000000
Binary files a/windows/configuration/images/mdt-09-fig26.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-09-fig27.png b/windows/configuration/images/mdt-09-fig27.png
deleted file mode 100644
index 396290346d..0000000000
Binary files a/windows/configuration/images/mdt-09-fig27.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-09-fig28.png b/windows/configuration/images/mdt-09-fig28.png
deleted file mode 100644
index d36dda43fa..0000000000
Binary files a/windows/configuration/images/mdt-09-fig28.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-09-fig29.png b/windows/configuration/images/mdt-09-fig29.png
deleted file mode 100644
index 404842d49c..0000000000
Binary files a/windows/configuration/images/mdt-09-fig29.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-09-fig30.png b/windows/configuration/images/mdt-09-fig30.png
deleted file mode 100644
index be962f40ec..0000000000
Binary files a/windows/configuration/images/mdt-09-fig30.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-09-fig31.png b/windows/configuration/images/mdt-09-fig31.png
deleted file mode 100644
index a40aa9d3bb..0000000000
Binary files a/windows/configuration/images/mdt-09-fig31.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-09-fig32.png b/windows/configuration/images/mdt-09-fig32.png
deleted file mode 100644
index 446812a3e8..0000000000
Binary files a/windows/configuration/images/mdt-09-fig32.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-10-fig01.png b/windows/configuration/images/mdt-10-fig01.png
deleted file mode 100644
index 8a3ebd9711..0000000000
Binary files a/windows/configuration/images/mdt-10-fig01.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-10-fig02.png b/windows/configuration/images/mdt-10-fig02.png
deleted file mode 100644
index d9e5930152..0000000000
Binary files a/windows/configuration/images/mdt-10-fig02.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-10-fig03.png b/windows/configuration/images/mdt-10-fig03.png
deleted file mode 100644
index f652db736c..0000000000
Binary files a/windows/configuration/images/mdt-10-fig03.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-10-fig04.png b/windows/configuration/images/mdt-10-fig04.png
deleted file mode 100644
index f98c0501df..0000000000
Binary files a/windows/configuration/images/mdt-10-fig04.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-10-fig05.png b/windows/configuration/images/mdt-10-fig05.png
deleted file mode 100644
index 64c0c4a6ee..0000000000
Binary files a/windows/configuration/images/mdt-10-fig05.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-10-fig06.png b/windows/configuration/images/mdt-10-fig06.png
deleted file mode 100644
index 91dc7c5c33..0000000000
Binary files a/windows/configuration/images/mdt-10-fig06.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-10-fig07.png b/windows/configuration/images/mdt-10-fig07.png
deleted file mode 100644
index 8613d905a4..0000000000
Binary files a/windows/configuration/images/mdt-10-fig07.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-10-fig08.png b/windows/configuration/images/mdt-10-fig08.png
deleted file mode 100644
index ee00637019..0000000000
Binary files a/windows/configuration/images/mdt-10-fig08.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-10-fig09.png b/windows/configuration/images/mdt-10-fig09.png
deleted file mode 100644
index ccdd05f34e..0000000000
Binary files a/windows/configuration/images/mdt-10-fig09.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-11-fig05.png b/windows/configuration/images/mdt-11-fig05.png
deleted file mode 100644
index b03c414fb8..0000000000
Binary files a/windows/configuration/images/mdt-11-fig05.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-11-fig06.png b/windows/configuration/images/mdt-11-fig06.png
deleted file mode 100644
index b5944d909e..0000000000
Binary files a/windows/configuration/images/mdt-11-fig06.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-11-fig07.png b/windows/configuration/images/mdt-11-fig07.png
deleted file mode 100644
index b80f0908ab..0000000000
Binary files a/windows/configuration/images/mdt-11-fig07.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-11-fig08.png b/windows/configuration/images/mdt-11-fig08.png
deleted file mode 100644
index 9c258bdd3e..0000000000
Binary files a/windows/configuration/images/mdt-11-fig08.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-11-fig09.png b/windows/configuration/images/mdt-11-fig09.png
deleted file mode 100644
index 49b3d0b88f..0000000000
Binary files a/windows/configuration/images/mdt-11-fig09.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-11-fig10.png b/windows/configuration/images/mdt-11-fig10.png
deleted file mode 100644
index e5c71225f7..0000000000
Binary files a/windows/configuration/images/mdt-11-fig10.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-11-fig11.png b/windows/configuration/images/mdt-11-fig11.png
deleted file mode 100644
index e3e2c70516..0000000000
Binary files a/windows/configuration/images/mdt-11-fig11.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-11-fig12.png b/windows/configuration/images/mdt-11-fig12.png
deleted file mode 100644
index 1e1a7888d6..0000000000
Binary files a/windows/configuration/images/mdt-11-fig12.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-11-fig13.png b/windows/configuration/images/mdt-11-fig13.png
deleted file mode 100644
index 36554c72a6..0000000000
Binary files a/windows/configuration/images/mdt-11-fig13.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-11-fig14.png b/windows/configuration/images/mdt-11-fig14.png
deleted file mode 100644
index 075d331bc1..0000000000
Binary files a/windows/configuration/images/mdt-11-fig14.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-11-fig15.png b/windows/configuration/images/mdt-11-fig15.png
deleted file mode 100644
index 302847c2a6..0000000000
Binary files a/windows/configuration/images/mdt-11-fig15.png and /dev/null differ
diff --git a/windows/configuration/images/mdt-11-fig16.png b/windows/configuration/images/mdt-11-fig16.png
deleted file mode 100644
index 608c161797..0000000000
Binary files a/windows/configuration/images/mdt-11-fig16.png and /dev/null differ
diff --git a/windows/configuration/images/mobile-start-layout.png b/windows/configuration/images/mobile-start-layout.png
deleted file mode 100644
index d1055d6c87..0000000000
Binary files a/windows/configuration/images/mobile-start-layout.png and /dev/null differ
diff --git a/windows/configuration/images/nfc.png b/windows/configuration/images/nfc.png
deleted file mode 100644
index bfee563205..0000000000
Binary files a/windows/configuration/images/nfc.png and /dev/null differ
diff --git a/windows/configuration/images/oma-uri-shared-pc.png b/windows/configuration/images/oma-uri-shared-pc.png
deleted file mode 100644
index 68f9fa3b32..0000000000
Binary files a/windows/configuration/images/oma-uri-shared-pc.png and /dev/null differ
diff --git a/windows/configuration/images/one.png b/windows/configuration/images/one.png
deleted file mode 100644
index 7766e7d470..0000000000
Binary files a/windows/configuration/images/one.png and /dev/null differ
diff --git a/windows/configuration/images/package-trust.png b/windows/configuration/images/package-trust.png
deleted file mode 100644
index 4a996f23d5..0000000000
Binary files a/windows/configuration/images/package-trust.png and /dev/null differ
diff --git a/windows/configuration/images/packageaddfileandregistrydata-global.png b/windows/configuration/images/packageaddfileandregistrydata-global.png
deleted file mode 100644
index 775e290a36..0000000000
Binary files a/windows/configuration/images/packageaddfileandregistrydata-global.png and /dev/null differ
diff --git a/windows/configuration/images/packageaddfileandregistrydata-stream.png b/windows/configuration/images/packageaddfileandregistrydata-stream.png
deleted file mode 100644
index 0e1205c62b..0000000000
Binary files a/windows/configuration/images/packageaddfileandregistrydata-stream.png and /dev/null differ
diff --git a/windows/configuration/images/packageaddfileandregistrydata.png b/windows/configuration/images/packageaddfileandregistrydata.png
deleted file mode 100644
index 603420e627..0000000000
Binary files a/windows/configuration/images/packageaddfileandregistrydata.png and /dev/null differ
diff --git a/windows/configuration/images/packages-mobile.png b/windows/configuration/images/packages-mobile.png
deleted file mode 100644
index 4ce63dde78..0000000000
Binary files a/windows/configuration/images/packages-mobile.png and /dev/null differ
diff --git a/windows/configuration/images/phoneprovision.png b/windows/configuration/images/phoneprovision.png
deleted file mode 100644
index 01ada29ac9..0000000000
Binary files a/windows/configuration/images/phoneprovision.png and /dev/null differ
diff --git a/windows/configuration/images/powericon.png b/windows/configuration/images/powericon.png
deleted file mode 100644
index b497ff859d..0000000000
Binary files a/windows/configuration/images/powericon.png and /dev/null differ
diff --git a/windows/configuration/images/rdc.png b/windows/configuration/images/rdc.png
deleted file mode 100644
index e0ea9ef548..0000000000
Binary files a/windows/configuration/images/rdc.png and /dev/null differ
diff --git a/windows/configuration/images/rdp.png b/windows/configuration/images/rdp.png
deleted file mode 100644
index ac088d0b06..0000000000
Binary files a/windows/configuration/images/rdp.png and /dev/null differ
diff --git a/windows/configuration/images/resetdevice.png b/windows/configuration/images/resetdevice.png
deleted file mode 100644
index 4e265c3f8d..0000000000
Binary files a/windows/configuration/images/resetdevice.png and /dev/null differ
diff --git a/windows/configuration/images/scanos.PNG b/windows/configuration/images/scanos.PNG
deleted file mode 100644
index d53a272018..0000000000
Binary files a/windows/configuration/images/scanos.PNG and /dev/null differ
diff --git a/windows/configuration/images/sec-bios.png b/windows/configuration/images/sec-bios.png
deleted file mode 100644
index 4498497d59..0000000000
Binary files a/windows/configuration/images/sec-bios.png and /dev/null differ
diff --git a/windows/configuration/images/set-up-device-details-mobile.PNG b/windows/configuration/images/set-up-device-details-mobile.PNG
deleted file mode 100644
index f41fe99a72..0000000000
Binary files a/windows/configuration/images/set-up-device-details-mobile.PNG and /dev/null differ
diff --git a/windows/configuration/images/set-up-device-mobile.PNG b/windows/configuration/images/set-up-device-mobile.PNG
deleted file mode 100644
index b8173385d4..0000000000
Binary files a/windows/configuration/images/set-up-device-mobile.PNG and /dev/null differ
diff --git a/windows/configuration/images/set-up-device.PNG b/windows/configuration/images/set-up-device.PNG
deleted file mode 100644
index 0c9eb0e3ff..0000000000
Binary files a/windows/configuration/images/set-up-device.PNG and /dev/null differ
diff --git a/windows/configuration/images/set-up-network-details-mobile.PNG b/windows/configuration/images/set-up-network-details-mobile.PNG
deleted file mode 100644
index 8f515ba1f6..0000000000
Binary files a/windows/configuration/images/set-up-network-details-mobile.PNG and /dev/null differ
diff --git a/windows/configuration/images/set-up-network-mobile.PNG b/windows/configuration/images/set-up-network-mobile.PNG
deleted file mode 100644
index 9442b33e90..0000000000
Binary files a/windows/configuration/images/set-up-network-mobile.PNG and /dev/null differ
diff --git a/windows/configuration/images/set-up-network.PNG b/windows/configuration/images/set-up-network.PNG
deleted file mode 100644
index a0e856c103..0000000000
Binary files a/windows/configuration/images/set-up-network.PNG and /dev/null differ
diff --git a/windows/configuration/images/settings-table.png b/windows/configuration/images/settings-table.png
deleted file mode 100644
index ada56513fc..0000000000
Binary files a/windows/configuration/images/settings-table.png and /dev/null differ
diff --git a/windows/configuration/images/settingsicon.png b/windows/configuration/images/settingsicon.png
deleted file mode 100644
index 0ad27fc558..0000000000
Binary files a/windows/configuration/images/settingsicon.png and /dev/null differ
diff --git a/windows/configuration/images/show-more-tiles.png b/windows/configuration/images/show-more-tiles.png
deleted file mode 100644
index 6922edeb4c..0000000000
Binary files a/windows/configuration/images/show-more-tiles.png and /dev/null differ
diff --git a/windows/configuration/images/sign-in-prov.png b/windows/configuration/images/sign-in-prov.png
deleted file mode 100644
index 55c9276203..0000000000
Binary files a/windows/configuration/images/sign-in-prov.png and /dev/null differ
diff --git a/windows/configuration/images/spotlight2.png b/windows/configuration/images/spotlight2.png
deleted file mode 100644
index 27401c1a2b..0000000000
Binary files a/windows/configuration/images/spotlight2.png and /dev/null differ
diff --git a/windows/configuration/images/start-screen-size.png b/windows/configuration/images/start-screen-size.png
deleted file mode 100644
index 6c09d960ef..0000000000
Binary files a/windows/configuration/images/start-screen-size.png and /dev/null differ
diff --git a/windows/configuration/images/start-ts-1.png b/windows/configuration/images/start-ts-1.png
deleted file mode 100644
index ca04fc7f77..0000000000
Binary files a/windows/configuration/images/start-ts-1.png and /dev/null differ
diff --git a/windows/configuration/images/start-ts-2.png b/windows/configuration/images/start-ts-2.png
deleted file mode 100644
index 56e1ff05d1..0000000000
Binary files a/windows/configuration/images/start-ts-2.png and /dev/null differ
diff --git a/windows/configuration/images/start-ts-3.png b/windows/configuration/images/start-ts-3.png
deleted file mode 100644
index e62bb90aa2..0000000000
Binary files a/windows/configuration/images/start-ts-3.png and /dev/null differ
diff --git a/windows/configuration/images/start-ts-4.png b/windows/configuration/images/start-ts-4.png
deleted file mode 100644
index 71316899fd..0000000000
Binary files a/windows/configuration/images/start-ts-4.png and /dev/null differ
diff --git a/windows/configuration/images/start-ts-5.jpg b/windows/configuration/images/start-ts-5.jpg
deleted file mode 100644
index 61292cac4b..0000000000
Binary files a/windows/configuration/images/start-ts-5.jpg and /dev/null differ
diff --git a/windows/configuration/images/start-ts-6.png b/windows/configuration/images/start-ts-6.png
deleted file mode 100644
index d124d38fed..0000000000
Binary files a/windows/configuration/images/start-ts-6.png and /dev/null differ
diff --git a/windows/configuration/images/start-ts-7.png b/windows/configuration/images/start-ts-7.png
deleted file mode 100644
index 0c85959912..0000000000
Binary files a/windows/configuration/images/start-ts-7.png and /dev/null differ
diff --git a/windows/configuration/images/starticon.png b/windows/configuration/images/starticon.png
deleted file mode 100644
index fa8cbdff10..0000000000
Binary files a/windows/configuration/images/starticon.png and /dev/null differ
diff --git a/windows/configuration/images/svr_mgr2.png b/windows/configuration/images/svr_mgr2.png
deleted file mode 100644
index dd2e6737c6..0000000000
Binary files a/windows/configuration/images/svr_mgr2.png and /dev/null differ
diff --git a/windows/configuration/images/sysprep-error.png b/windows/configuration/images/sysprep-error.png
deleted file mode 100644
index aa004efbb6..0000000000
Binary files a/windows/configuration/images/sysprep-error.png and /dev/null differ
diff --git a/windows/configuration/images/taskbar-blank.png b/windows/configuration/images/taskbar-blank.png
deleted file mode 100644
index 185027f2fd..0000000000
Binary files a/windows/configuration/images/taskbar-blank.png and /dev/null differ
diff --git a/windows/configuration/images/taskbarSTARTERBLANK.png b/windows/configuration/images/taskbarSTARTERBLANK.png
deleted file mode 100644
index e206bdc196..0000000000
Binary files a/windows/configuration/images/taskbarSTARTERBLANK.png and /dev/null differ
diff --git a/windows/configuration/images/three.png b/windows/configuration/images/three.png
deleted file mode 100644
index 887fa270d7..0000000000
Binary files a/windows/configuration/images/three.png and /dev/null differ
diff --git a/windows/configuration/images/twain.png b/windows/configuration/images/twain.png
deleted file mode 100644
index 53cd5eadc7..0000000000
Binary files a/windows/configuration/images/twain.png and /dev/null differ
diff --git a/windows/configuration/images/two.png b/windows/configuration/images/two.png
deleted file mode 100644
index b8c2d52eaf..0000000000
Binary files a/windows/configuration/images/two.png and /dev/null differ
diff --git a/windows/configuration/images/ua-cg-01.png b/windows/configuration/images/ua-cg-01.png
deleted file mode 100644
index 4b41bd67ba..0000000000
Binary files a/windows/configuration/images/ua-cg-01.png and /dev/null differ
diff --git a/windows/configuration/images/ua-cg-02.png b/windows/configuration/images/ua-cg-02.png
deleted file mode 100644
index 4cbfaf26d8..0000000000
Binary files a/windows/configuration/images/ua-cg-02.png and /dev/null differ
diff --git a/windows/configuration/images/ua-cg-03.png b/windows/configuration/images/ua-cg-03.png
deleted file mode 100644
index cfad7911bb..0000000000
Binary files a/windows/configuration/images/ua-cg-03.png and /dev/null differ
diff --git a/windows/configuration/images/ua-cg-04.png b/windows/configuration/images/ua-cg-04.png
deleted file mode 100644
index c818d15d02..0000000000
Binary files a/windows/configuration/images/ua-cg-04.png and /dev/null differ
diff --git a/windows/configuration/images/ua-cg-05.png b/windows/configuration/images/ua-cg-05.png
deleted file mode 100644
index a8788f0eb9..0000000000
Binary files a/windows/configuration/images/ua-cg-05.png and /dev/null differ
diff --git a/windows/configuration/images/ua-cg-06.png b/windows/configuration/images/ua-cg-06.png
deleted file mode 100644
index ed983c96c8..0000000000
Binary files a/windows/configuration/images/ua-cg-06.png and /dev/null differ
diff --git a/windows/configuration/images/ua-cg-07.png b/windows/configuration/images/ua-cg-07.png
deleted file mode 100644
index 2aba43be53..0000000000
Binary files a/windows/configuration/images/ua-cg-07.png and /dev/null differ
diff --git a/windows/configuration/images/ua-cg-08.png b/windows/configuration/images/ua-cg-08.png
deleted file mode 100644
index 4d7f924d76..0000000000
Binary files a/windows/configuration/images/ua-cg-08.png and /dev/null differ
diff --git a/windows/configuration/images/ua-cg-09.png b/windows/configuration/images/ua-cg-09.png
deleted file mode 100644
index b9aa1cea41..0000000000
Binary files a/windows/configuration/images/ua-cg-09.png and /dev/null differ
diff --git a/windows/configuration/images/ua-cg-10.png b/windows/configuration/images/ua-cg-10.png
deleted file mode 100644
index 54e222338d..0000000000
Binary files a/windows/configuration/images/ua-cg-10.png and /dev/null differ
diff --git a/windows/configuration/images/ua-cg-11.png b/windows/configuration/images/ua-cg-11.png
deleted file mode 100644
index 4e930a5905..0000000000
Binary files a/windows/configuration/images/ua-cg-11.png and /dev/null differ
diff --git a/windows/configuration/images/ua-cg-12.png b/windows/configuration/images/ua-cg-12.png
deleted file mode 100644
index 2fbe11b814..0000000000
Binary files a/windows/configuration/images/ua-cg-12.png and /dev/null differ
diff --git a/windows/configuration/images/ua-cg-13.png b/windows/configuration/images/ua-cg-13.png
deleted file mode 100644
index f04252796e..0000000000
Binary files a/windows/configuration/images/ua-cg-13.png and /dev/null differ
diff --git a/windows/configuration/images/ua-cg-14.png b/windows/configuration/images/ua-cg-14.png
deleted file mode 100644
index 6105fdf4d1..0000000000
Binary files a/windows/configuration/images/ua-cg-14.png and /dev/null differ
diff --git a/windows/configuration/images/ua-cg-15.png b/windows/configuration/images/ua-cg-15.png
deleted file mode 100644
index 5362db66da..0000000000
Binary files a/windows/configuration/images/ua-cg-15.png and /dev/null differ
diff --git a/windows/configuration/images/ua-cg-16.png b/windows/configuration/images/ua-cg-16.png
deleted file mode 100644
index 6d5b8a84b6..0000000000
Binary files a/windows/configuration/images/ua-cg-16.png and /dev/null differ
diff --git a/windows/configuration/images/ua-cg-17.png b/windows/configuration/images/ua-cg-17.png
deleted file mode 100644
index d66c41917b..0000000000
Binary files a/windows/configuration/images/ua-cg-17.png and /dev/null differ
diff --git a/windows/configuration/images/uc-01.png b/windows/configuration/images/uc-01.png
deleted file mode 100644
index 7f4df9f6d7..0000000000
Binary files a/windows/configuration/images/uc-01.png and /dev/null differ
diff --git a/windows/configuration/images/uc-02.png b/windows/configuration/images/uc-02.png
deleted file mode 100644
index 8317f051c3..0000000000
Binary files a/windows/configuration/images/uc-02.png and /dev/null differ
diff --git a/windows/configuration/images/uc-02a.png b/windows/configuration/images/uc-02a.png
deleted file mode 100644
index d12544e3a0..0000000000
Binary files a/windows/configuration/images/uc-02a.png and /dev/null differ
diff --git a/windows/configuration/images/uc-03.png b/windows/configuration/images/uc-03.png
deleted file mode 100644
index 58494c4128..0000000000
Binary files a/windows/configuration/images/uc-03.png and /dev/null differ
diff --git a/windows/configuration/images/uc-03a.png b/windows/configuration/images/uc-03a.png
deleted file mode 100644
index 39412fc8f3..0000000000
Binary files a/windows/configuration/images/uc-03a.png and /dev/null differ
diff --git a/windows/configuration/images/uc-04.png b/windows/configuration/images/uc-04.png
deleted file mode 100644
index ef9a37d379..0000000000
Binary files a/windows/configuration/images/uc-04.png and /dev/null differ
diff --git a/windows/configuration/images/uc-04a.png b/windows/configuration/images/uc-04a.png
deleted file mode 100644
index 537d4bbe72..0000000000
Binary files a/windows/configuration/images/uc-04a.png and /dev/null differ
diff --git a/windows/configuration/images/uc-05.png b/windows/configuration/images/uc-05.png
deleted file mode 100644
index 21c8e9f9e0..0000000000
Binary files a/windows/configuration/images/uc-05.png and /dev/null differ
diff --git a/windows/configuration/images/uc-05a.png b/windows/configuration/images/uc-05a.png
deleted file mode 100644
index 2271181622..0000000000
Binary files a/windows/configuration/images/uc-05a.png and /dev/null differ
diff --git a/windows/configuration/images/uc-06.png b/windows/configuration/images/uc-06.png
deleted file mode 100644
index 03a559800b..0000000000
Binary files a/windows/configuration/images/uc-06.png and /dev/null differ
diff --git a/windows/configuration/images/uc-06a.png b/windows/configuration/images/uc-06a.png
deleted file mode 100644
index 15df1cfea0..0000000000
Binary files a/windows/configuration/images/uc-06a.png and /dev/null differ
diff --git a/windows/configuration/images/uc-07.png b/windows/configuration/images/uc-07.png
deleted file mode 100644
index de1ae35e82..0000000000
Binary files a/windows/configuration/images/uc-07.png and /dev/null differ
diff --git a/windows/configuration/images/uc-07a.png b/windows/configuration/images/uc-07a.png
deleted file mode 100644
index c0f2d9fd73..0000000000
Binary files a/windows/configuration/images/uc-07a.png and /dev/null differ
diff --git a/windows/configuration/images/uc-08.png b/windows/configuration/images/uc-08.png
deleted file mode 100644
index 877fcd64c0..0000000000
Binary files a/windows/configuration/images/uc-08.png and /dev/null differ
diff --git a/windows/configuration/images/uc-08a.png b/windows/configuration/images/uc-08a.png
deleted file mode 100644
index 89da287d3d..0000000000
Binary files a/windows/configuration/images/uc-08a.png and /dev/null differ
diff --git a/windows/configuration/images/uc-09.png b/windows/configuration/images/uc-09.png
deleted file mode 100644
index 37d7114f19..0000000000
Binary files a/windows/configuration/images/uc-09.png and /dev/null differ
diff --git a/windows/configuration/images/uc-09a.png b/windows/configuration/images/uc-09a.png
deleted file mode 100644
index f6b6ec5b60..0000000000
Binary files a/windows/configuration/images/uc-09a.png and /dev/null differ
diff --git a/windows/configuration/images/uc-10.png b/windows/configuration/images/uc-10.png
deleted file mode 100644
index 3ab72d10d2..0000000000
Binary files a/windows/configuration/images/uc-10.png and /dev/null differ
diff --git a/windows/configuration/images/uc-10a.png b/windows/configuration/images/uc-10a.png
deleted file mode 100644
index 1c6b8b01dc..0000000000
Binary files a/windows/configuration/images/uc-10a.png and /dev/null differ
diff --git a/windows/configuration/images/uc-11.png b/windows/configuration/images/uc-11.png
deleted file mode 100644
index 8b4fc568ea..0000000000
Binary files a/windows/configuration/images/uc-11.png and /dev/null differ
diff --git a/windows/configuration/images/uc-12.png b/windows/configuration/images/uc-12.png
deleted file mode 100644
index 4198684c99..0000000000
Binary files a/windows/configuration/images/uc-12.png and /dev/null differ
diff --git a/windows/configuration/images/uc-13.png b/windows/configuration/images/uc-13.png
deleted file mode 100644
index 117f9b9fd8..0000000000
Binary files a/windows/configuration/images/uc-13.png and /dev/null differ
diff --git a/windows/configuration/images/uc-14.png b/windows/configuration/images/uc-14.png
deleted file mode 100644
index 66047984e7..0000000000
Binary files a/windows/configuration/images/uc-14.png and /dev/null differ
diff --git a/windows/configuration/images/uc-15.png b/windows/configuration/images/uc-15.png
deleted file mode 100644
index c241cd9117..0000000000
Binary files a/windows/configuration/images/uc-15.png and /dev/null differ
diff --git a/windows/configuration/images/uc-16.png b/windows/configuration/images/uc-16.png
deleted file mode 100644
index e7aff4d4ed..0000000000
Binary files a/windows/configuration/images/uc-16.png and /dev/null differ
diff --git a/windows/configuration/images/uc-17.png b/windows/configuration/images/uc-17.png
deleted file mode 100644
index cb8e42ca5e..0000000000
Binary files a/windows/configuration/images/uc-17.png and /dev/null differ
diff --git a/windows/configuration/images/uc-18.png b/windows/configuration/images/uc-18.png
deleted file mode 100644
index 5eff59adc9..0000000000
Binary files a/windows/configuration/images/uc-18.png and /dev/null differ
diff --git a/windows/configuration/images/uc-19.png b/windows/configuration/images/uc-19.png
deleted file mode 100644
index 791900eafc..0000000000
Binary files a/windows/configuration/images/uc-19.png and /dev/null differ
diff --git a/windows/configuration/images/uc-20.png b/windows/configuration/images/uc-20.png
deleted file mode 100644
index 7dbb027b9f..0000000000
Binary files a/windows/configuration/images/uc-20.png and /dev/null differ
diff --git a/windows/configuration/images/uc-21.png b/windows/configuration/images/uc-21.png
deleted file mode 100644
index 418db41fe4..0000000000
Binary files a/windows/configuration/images/uc-21.png and /dev/null differ
diff --git a/windows/configuration/images/uc-22.png b/windows/configuration/images/uc-22.png
deleted file mode 100644
index 2ca5c47a61..0000000000
Binary files a/windows/configuration/images/uc-22.png and /dev/null differ
diff --git a/windows/configuration/images/uc-23.png b/windows/configuration/images/uc-23.png
deleted file mode 100644
index 58b82db82d..0000000000
Binary files a/windows/configuration/images/uc-23.png and /dev/null differ
diff --git a/windows/configuration/images/uc-24.png b/windows/configuration/images/uc-24.png
deleted file mode 100644
index 00bc61e3e1..0000000000
Binary files a/windows/configuration/images/uc-24.png and /dev/null differ
diff --git a/windows/configuration/images/uc-25.png b/windows/configuration/images/uc-25.png
deleted file mode 100644
index 4e0f0bdb03..0000000000
Binary files a/windows/configuration/images/uc-25.png and /dev/null differ
diff --git a/windows/configuration/images/upgrade-analytics-apps-known-issues.png b/windows/configuration/images/upgrade-analytics-apps-known-issues.png
deleted file mode 100644
index ec99ac92cf..0000000000
Binary files a/windows/configuration/images/upgrade-analytics-apps-known-issues.png and /dev/null differ
diff --git a/windows/configuration/images/upgrade-analytics-apps-no-known-issues.png b/windows/configuration/images/upgrade-analytics-apps-no-known-issues.png
deleted file mode 100644
index 9fb09ffd65..0000000000
Binary files a/windows/configuration/images/upgrade-analytics-apps-no-known-issues.png and /dev/null differ
diff --git a/windows/configuration/images/upgrade-analytics-architecture.png b/windows/configuration/images/upgrade-analytics-architecture.png
deleted file mode 100644
index 93d3acba0b..0000000000
Binary files a/windows/configuration/images/upgrade-analytics-architecture.png and /dev/null differ
diff --git a/windows/configuration/images/upgrade-analytics-create-iedataoptin.png b/windows/configuration/images/upgrade-analytics-create-iedataoptin.png
deleted file mode 100644
index 60f5ccbc90..0000000000
Binary files a/windows/configuration/images/upgrade-analytics-create-iedataoptin.png and /dev/null differ
diff --git a/windows/configuration/images/upgrade-analytics-deploy-eligible.png b/windows/configuration/images/upgrade-analytics-deploy-eligible.png
deleted file mode 100644
index 8da91cebc4..0000000000
Binary files a/windows/configuration/images/upgrade-analytics-deploy-eligible.png and /dev/null differ
diff --git a/windows/configuration/images/upgrade-analytics-drivers-known.png b/windows/configuration/images/upgrade-analytics-drivers-known.png
deleted file mode 100644
index 35d61f87c7..0000000000
Binary files a/windows/configuration/images/upgrade-analytics-drivers-known.png and /dev/null differ
diff --git a/windows/configuration/images/upgrade-analytics-most-active-sites.png b/windows/configuration/images/upgrade-analytics-most-active-sites.png
deleted file mode 100644
index 180c5ddced..0000000000
Binary files a/windows/configuration/images/upgrade-analytics-most-active-sites.png and /dev/null differ
diff --git a/windows/configuration/images/upgrade-analytics-namepub-rollup.PNG b/windows/configuration/images/upgrade-analytics-namepub-rollup.PNG
deleted file mode 100644
index 2041f14fd4..0000000000
Binary files a/windows/configuration/images/upgrade-analytics-namepub-rollup.PNG and /dev/null differ
diff --git a/windows/configuration/images/upgrade-analytics-overview.png b/windows/configuration/images/upgrade-analytics-overview.png
deleted file mode 100644
index ba02ee0a8c..0000000000
Binary files a/windows/configuration/images/upgrade-analytics-overview.png and /dev/null differ
diff --git a/windows/configuration/images/upgrade-analytics-pilot.png b/windows/configuration/images/upgrade-analytics-pilot.png
deleted file mode 100644
index 1c1de328ea..0000000000
Binary files a/windows/configuration/images/upgrade-analytics-pilot.png and /dev/null differ
diff --git a/windows/configuration/images/upgrade-analytics-prioritize.png b/windows/configuration/images/upgrade-analytics-prioritize.png
deleted file mode 100644
index d6227694c1..0000000000
Binary files a/windows/configuration/images/upgrade-analytics-prioritize.png and /dev/null differ
diff --git a/windows/configuration/images/upgrade-analytics-query-activex-name.png b/windows/configuration/images/upgrade-analytics-query-activex-name.png
deleted file mode 100644
index 5068e7d20e..0000000000
Binary files a/windows/configuration/images/upgrade-analytics-query-activex-name.png and /dev/null differ
diff --git a/windows/configuration/images/upgrade-analytics-ready-for-windows-status-guidance-precedence.PNG b/windows/configuration/images/upgrade-analytics-ready-for-windows-status-guidance-precedence.PNG
deleted file mode 100644
index 4d22cc9353..0000000000
Binary files a/windows/configuration/images/upgrade-analytics-ready-for-windows-status-guidance-precedence.PNG and /dev/null differ
diff --git a/windows/configuration/images/upgrade-analytics-ready-for-windows-status.PNG b/windows/configuration/images/upgrade-analytics-ready-for-windows-status.PNG
deleted file mode 100644
index c233db2340..0000000000
Binary files a/windows/configuration/images/upgrade-analytics-ready-for-windows-status.PNG and /dev/null differ
diff --git a/windows/configuration/images/upgrade-analytics-site-activity-by-doc-mode.png b/windows/configuration/images/upgrade-analytics-site-activity-by-doc-mode.png
deleted file mode 100644
index d1a46f1791..0000000000
Binary files a/windows/configuration/images/upgrade-analytics-site-activity-by-doc-mode.png and /dev/null differ
diff --git a/windows/configuration/images/upgrade-analytics-site-domain-detail.png b/windows/configuration/images/upgrade-analytics-site-domain-detail.png
deleted file mode 100644
index 15a7ee20c4..0000000000
Binary files a/windows/configuration/images/upgrade-analytics-site-domain-detail.png and /dev/null differ
diff --git a/windows/configuration/images/upgrade-analytics-telemetry.png b/windows/configuration/images/upgrade-analytics-telemetry.png
deleted file mode 100644
index bf60935616..0000000000
Binary files a/windows/configuration/images/upgrade-analytics-telemetry.png and /dev/null differ
diff --git a/windows/configuration/images/upgrade-analytics-unsubscribe.png b/windows/configuration/images/upgrade-analytics-unsubscribe.png
deleted file mode 100644
index 402db94d6f..0000000000
Binary files a/windows/configuration/images/upgrade-analytics-unsubscribe.png and /dev/null differ
diff --git a/windows/configuration/images/upgrade-process.png b/windows/configuration/images/upgrade-process.png
deleted file mode 100644
index b2b77708fc..0000000000
Binary files a/windows/configuration/images/upgrade-process.png and /dev/null differ
diff --git a/windows/configuration/images/upgradecfg-fig2-upgrading.png b/windows/configuration/images/upgradecfg-fig2-upgrading.png
deleted file mode 100644
index c53de79c29..0000000000
Binary files a/windows/configuration/images/upgradecfg-fig2-upgrading.png and /dev/null differ
diff --git a/windows/configuration/images/upgradecfg-fig3-upgrade.png b/windows/configuration/images/upgradecfg-fig3-upgrade.png
deleted file mode 100644
index d0c1ceaaf9..0000000000
Binary files a/windows/configuration/images/upgradecfg-fig3-upgrade.png and /dev/null differ
diff --git a/windows/configuration/images/upgrademdt-fig1-machines.png b/windows/configuration/images/upgrademdt-fig1-machines.png
deleted file mode 100644
index 38129332e6..0000000000
Binary files a/windows/configuration/images/upgrademdt-fig1-machines.png and /dev/null differ
diff --git a/windows/configuration/images/upgrademdt-fig2-importedos.png b/windows/configuration/images/upgrademdt-fig2-importedos.png
deleted file mode 100644
index 93b92efd93..0000000000
Binary files a/windows/configuration/images/upgrademdt-fig2-importedos.png and /dev/null differ
diff --git a/windows/configuration/images/upgrademdt-fig3-tasksequence.png b/windows/configuration/images/upgrademdt-fig3-tasksequence.png
deleted file mode 100644
index 1ad66c2098..0000000000
Binary files a/windows/configuration/images/upgrademdt-fig3-tasksequence.png and /dev/null differ
diff --git a/windows/configuration/images/upgrademdt-fig4-selecttask.png b/windows/configuration/images/upgrademdt-fig4-selecttask.png
deleted file mode 100644
index dcbc73871a..0000000000
Binary files a/windows/configuration/images/upgrademdt-fig4-selecttask.png and /dev/null differ
diff --git a/windows/configuration/images/upgrademdt-fig5-winupgrade.png b/windows/configuration/images/upgrademdt-fig5-winupgrade.png
deleted file mode 100644
index f3bc05508a..0000000000
Binary files a/windows/configuration/images/upgrademdt-fig5-winupgrade.png and /dev/null differ
diff --git a/windows/configuration/images/uwp-dependencies.PNG b/windows/configuration/images/uwp-dependencies.PNG
deleted file mode 100644
index 4e2563169f..0000000000
Binary files a/windows/configuration/images/uwp-dependencies.PNG and /dev/null differ
diff --git a/windows/configuration/images/uwp-family.PNG b/windows/configuration/images/uwp-family.PNG
deleted file mode 100644
index bec731eec4..0000000000
Binary files a/windows/configuration/images/uwp-family.PNG and /dev/null differ
diff --git a/windows/configuration/images/uwp-license.PNG b/windows/configuration/images/uwp-license.PNG
deleted file mode 100644
index ccb5cf7cf4..0000000000
Binary files a/windows/configuration/images/uwp-license.PNG and /dev/null differ
diff --git a/windows/configuration/images/vamtuserinterfaceupdated.jpg b/windows/configuration/images/vamtuserinterfaceupdated.jpg
deleted file mode 100644
index 32ce362c60..0000000000
Binary files a/windows/configuration/images/vamtuserinterfaceupdated.jpg and /dev/null differ
diff --git a/windows/configuration/images/volumeactivationforwindows81-01.jpg b/windows/configuration/images/volumeactivationforwindows81-01.jpg
deleted file mode 100644
index f6042a82a9..0000000000
Binary files a/windows/configuration/images/volumeactivationforwindows81-01.jpg and /dev/null differ
diff --git a/windows/configuration/images/volumeactivationforwindows81-02.jpg b/windows/configuration/images/volumeactivationforwindows81-02.jpg
deleted file mode 100644
index 630d9a03e2..0000000000
Binary files a/windows/configuration/images/volumeactivationforwindows81-02.jpg and /dev/null differ
diff --git a/windows/configuration/images/volumeactivationforwindows81-03.jpg b/windows/configuration/images/volumeactivationforwindows81-03.jpg
deleted file mode 100644
index 27962b207c..0000000000
Binary files a/windows/configuration/images/volumeactivationforwindows81-03.jpg and /dev/null differ
diff --git a/windows/configuration/images/volumeactivationforwindows81-04.jpg b/windows/configuration/images/volumeactivationforwindows81-04.jpg
deleted file mode 100644
index d5b572f1aa..0000000000
Binary files a/windows/configuration/images/volumeactivationforwindows81-04.jpg and /dev/null differ
diff --git a/windows/configuration/images/volumeactivationforwindows81-05.jpg b/windows/configuration/images/volumeactivationforwindows81-05.jpg
deleted file mode 100644
index a4bd9776ac..0000000000
Binary files a/windows/configuration/images/volumeactivationforwindows81-05.jpg and /dev/null differ
diff --git a/windows/configuration/images/volumeactivationforwindows81-06.jpg b/windows/configuration/images/volumeactivationforwindows81-06.jpg
deleted file mode 100644
index c29a628b05..0000000000
Binary files a/windows/configuration/images/volumeactivationforwindows81-06.jpg and /dev/null differ
diff --git a/windows/configuration/images/volumeactivationforwindows81-07.jpg b/windows/configuration/images/volumeactivationforwindows81-07.jpg
deleted file mode 100644
index 346cbaa5c1..0000000000
Binary files a/windows/configuration/images/volumeactivationforwindows81-07.jpg and /dev/null differ
diff --git a/windows/configuration/images/volumeactivationforwindows81-08.jpg b/windows/configuration/images/volumeactivationforwindows81-08.jpg
deleted file mode 100644
index eff421d6bb..0000000000
Binary files a/windows/configuration/images/volumeactivationforwindows81-08.jpg and /dev/null differ
diff --git a/windows/configuration/images/volumeactivationforwindows81-09.jpg b/windows/configuration/images/volumeactivationforwindows81-09.jpg
deleted file mode 100644
index 1e3cf9c0d8..0000000000
Binary files a/windows/configuration/images/volumeactivationforwindows81-09.jpg and /dev/null differ
diff --git a/windows/configuration/images/volumeactivationforwindows81-10.jpg b/windows/configuration/images/volumeactivationforwindows81-10.jpg
deleted file mode 100644
index d3cd196c34..0000000000
Binary files a/windows/configuration/images/volumeactivationforwindows81-10.jpg and /dev/null differ
diff --git a/windows/configuration/images/volumeactivationforwindows81-11.jpg b/windows/configuration/images/volumeactivationforwindows81-11.jpg
deleted file mode 100644
index 72e4b613da..0000000000
Binary files a/windows/configuration/images/volumeactivationforwindows81-11.jpg and /dev/null differ
diff --git a/windows/configuration/images/volumeactivationforwindows81-12.jpg b/windows/configuration/images/volumeactivationforwindows81-12.jpg
deleted file mode 100644
index 9e44ec24f0..0000000000
Binary files a/windows/configuration/images/volumeactivationforwindows81-12.jpg and /dev/null differ
diff --git a/windows/configuration/images/volumeactivationforwindows81-13.jpg b/windows/configuration/images/volumeactivationforwindows81-13.jpg
deleted file mode 100644
index e599fcd528..0000000000
Binary files a/windows/configuration/images/volumeactivationforwindows81-13.jpg and /dev/null differ
diff --git a/windows/configuration/images/volumeactivationforwindows81-14.jpg b/windows/configuration/images/volumeactivationforwindows81-14.jpg
deleted file mode 100644
index 3b3cbc18cb..0000000000
Binary files a/windows/configuration/images/volumeactivationforwindows81-14.jpg and /dev/null differ
diff --git a/windows/configuration/images/volumeactivationforwindows81-15.jpg b/windows/configuration/images/volumeactivationforwindows81-15.jpg
deleted file mode 100644
index 792b24b282..0000000000
Binary files a/windows/configuration/images/volumeactivationforwindows81-15.jpg and /dev/null differ
diff --git a/windows/configuration/images/volumeactivationforwindows81-16.jpg b/windows/configuration/images/volumeactivationforwindows81-16.jpg
deleted file mode 100644
index facdf1d084..0000000000
Binary files a/windows/configuration/images/volumeactivationforwindows81-16.jpg and /dev/null differ
diff --git a/windows/configuration/images/volumeactivationforwindows81-17.jpg b/windows/configuration/images/volumeactivationforwindows81-17.jpg
deleted file mode 100644
index 0f4c683b7e..0000000000
Binary files a/windows/configuration/images/volumeactivationforwindows81-17.jpg and /dev/null differ
diff --git a/windows/configuration/images/volumeactivationforwindows81-18.jpg b/windows/configuration/images/volumeactivationforwindows81-18.jpg
deleted file mode 100644
index 8728697ed8..0000000000
Binary files a/windows/configuration/images/volumeactivationforwindows81-18.jpg and /dev/null differ
diff --git a/windows/configuration/images/volumeactivationforwindows81-19.jpg b/windows/configuration/images/volumeactivationforwindows81-19.jpg
deleted file mode 100644
index db97a0ba0e..0000000000
Binary files a/windows/configuration/images/volumeactivationforwindows81-19.jpg and /dev/null differ
diff --git a/windows/configuration/images/w10servicing-f1-branches.png b/windows/configuration/images/w10servicing-f1-branches.png
deleted file mode 100644
index ac4a549aed..0000000000
Binary files a/windows/configuration/images/w10servicing-f1-branches.png and /dev/null differ
diff --git a/windows/configuration/images/waas-active-hours-policy.PNG b/windows/configuration/images/waas-active-hours-policy.PNG
deleted file mode 100644
index af80ef6652..0000000000
Binary files a/windows/configuration/images/waas-active-hours-policy.PNG and /dev/null differ
diff --git a/windows/configuration/images/waas-active-hours.PNG b/windows/configuration/images/waas-active-hours.PNG
deleted file mode 100644
index c262c302ed..0000000000
Binary files a/windows/configuration/images/waas-active-hours.PNG and /dev/null differ
diff --git a/windows/configuration/images/waas-auto-update-policy.PNG b/windows/configuration/images/waas-auto-update-policy.PNG
deleted file mode 100644
index 52a1629cbf..0000000000
Binary files a/windows/configuration/images/waas-auto-update-policy.PNG and /dev/null differ
diff --git a/windows/configuration/images/waas-do-fig1.png b/windows/configuration/images/waas-do-fig1.png
deleted file mode 100644
index 2a2b6872e9..0000000000
Binary files a/windows/configuration/images/waas-do-fig1.png and /dev/null differ
diff --git a/windows/configuration/images/waas-do-fig2.png b/windows/configuration/images/waas-do-fig2.png
deleted file mode 100644
index cc42b328eb..0000000000
Binary files a/windows/configuration/images/waas-do-fig2.png and /dev/null differ
diff --git a/windows/configuration/images/waas-do-fig3.png b/windows/configuration/images/waas-do-fig3.png
deleted file mode 100644
index d9182d3b20..0000000000
Binary files a/windows/configuration/images/waas-do-fig3.png and /dev/null differ
diff --git a/windows/configuration/images/waas-do-fig4.png b/windows/configuration/images/waas-do-fig4.png
deleted file mode 100644
index a66741ed90..0000000000
Binary files a/windows/configuration/images/waas-do-fig4.png and /dev/null differ
diff --git a/windows/configuration/images/waas-overview-patch.png b/windows/configuration/images/waas-overview-patch.png
deleted file mode 100644
index 6ac0a03227..0000000000
Binary files a/windows/configuration/images/waas-overview-patch.png and /dev/null differ
diff --git a/windows/configuration/images/waas-restart-policy.PNG b/windows/configuration/images/waas-restart-policy.PNG
deleted file mode 100644
index 936f9aeb08..0000000000
Binary files a/windows/configuration/images/waas-restart-policy.PNG and /dev/null differ
diff --git a/windows/configuration/images/waas-rings.png b/windows/configuration/images/waas-rings.png
deleted file mode 100644
index 041a59ce87..0000000000
Binary files a/windows/configuration/images/waas-rings.png and /dev/null differ
diff --git a/windows/configuration/images/waas-sccm-fig1.png b/windows/configuration/images/waas-sccm-fig1.png
deleted file mode 100644
index 6bf2b1c621..0000000000
Binary files a/windows/configuration/images/waas-sccm-fig1.png and /dev/null differ
diff --git a/windows/configuration/images/waas-sccm-fig10.png b/windows/configuration/images/waas-sccm-fig10.png
deleted file mode 100644
index ad3b5c922f..0000000000
Binary files a/windows/configuration/images/waas-sccm-fig10.png and /dev/null differ
diff --git a/windows/configuration/images/waas-sccm-fig11.png b/windows/configuration/images/waas-sccm-fig11.png
deleted file mode 100644
index 6c4f905630..0000000000
Binary files a/windows/configuration/images/waas-sccm-fig11.png and /dev/null differ
diff --git a/windows/configuration/images/waas-sccm-fig12.png b/windows/configuration/images/waas-sccm-fig12.png
deleted file mode 100644
index 87464dd5f1..0000000000
Binary files a/windows/configuration/images/waas-sccm-fig12.png and /dev/null differ
diff --git a/windows/configuration/images/waas-sccm-fig2.png b/windows/configuration/images/waas-sccm-fig2.png
deleted file mode 100644
index c83e7bc781..0000000000
Binary files a/windows/configuration/images/waas-sccm-fig2.png and /dev/null differ
diff --git a/windows/configuration/images/waas-sccm-fig3.png b/windows/configuration/images/waas-sccm-fig3.png
deleted file mode 100644
index dcbc83b8ff..0000000000
Binary files a/windows/configuration/images/waas-sccm-fig3.png and /dev/null differ
diff --git a/windows/configuration/images/waas-sccm-fig4.png b/windows/configuration/images/waas-sccm-fig4.png
deleted file mode 100644
index 782c5ca6ef..0000000000
Binary files a/windows/configuration/images/waas-sccm-fig4.png and /dev/null differ
diff --git a/windows/configuration/images/waas-sccm-fig5.png b/windows/configuration/images/waas-sccm-fig5.png
deleted file mode 100644
index cb399a6c6f..0000000000
Binary files a/windows/configuration/images/waas-sccm-fig5.png and /dev/null differ
diff --git a/windows/configuration/images/waas-sccm-fig6.png b/windows/configuration/images/waas-sccm-fig6.png
deleted file mode 100644
index 77dd02d61e..0000000000
Binary files a/windows/configuration/images/waas-sccm-fig6.png and /dev/null differ
diff --git a/windows/configuration/images/waas-sccm-fig7.png b/windows/configuration/images/waas-sccm-fig7.png
deleted file mode 100644
index a74c7c8133..0000000000
Binary files a/windows/configuration/images/waas-sccm-fig7.png and /dev/null differ
diff --git a/windows/configuration/images/waas-sccm-fig8.png b/windows/configuration/images/waas-sccm-fig8.png
deleted file mode 100644
index 2dfaf75ddf..0000000000
Binary files a/windows/configuration/images/waas-sccm-fig8.png and /dev/null differ
diff --git a/windows/configuration/images/waas-sccm-fig9.png b/windows/configuration/images/waas-sccm-fig9.png
deleted file mode 100644
index 311d79dc94..0000000000
Binary files a/windows/configuration/images/waas-sccm-fig9.png and /dev/null differ
diff --git a/windows/configuration/images/waas-strategy-fig1a.png b/windows/configuration/images/waas-strategy-fig1a.png
deleted file mode 100644
index 7a924c43bc..0000000000
Binary files a/windows/configuration/images/waas-strategy-fig1a.png and /dev/null differ
diff --git a/windows/configuration/images/waas-wsus-fig1.png b/windows/configuration/images/waas-wsus-fig1.png
deleted file mode 100644
index 14bf35958a..0000000000
Binary files a/windows/configuration/images/waas-wsus-fig1.png and /dev/null differ
diff --git a/windows/configuration/images/waas-wsus-fig10.png b/windows/configuration/images/waas-wsus-fig10.png
deleted file mode 100644
index 3efa119693..0000000000
Binary files a/windows/configuration/images/waas-wsus-fig10.png and /dev/null differ
diff --git a/windows/configuration/images/waas-wsus-fig11.png b/windows/configuration/images/waas-wsus-fig11.png
deleted file mode 100644
index ae6d79221a..0000000000
Binary files a/windows/configuration/images/waas-wsus-fig11.png and /dev/null differ
diff --git a/windows/configuration/images/waas-wsus-fig12.png b/windows/configuration/images/waas-wsus-fig12.png
deleted file mode 100644
index 47479ea1df..0000000000
Binary files a/windows/configuration/images/waas-wsus-fig12.png and /dev/null differ
diff --git a/windows/configuration/images/waas-wsus-fig13.png b/windows/configuration/images/waas-wsus-fig13.png
deleted file mode 100644
index f0b1578094..0000000000
Binary files a/windows/configuration/images/waas-wsus-fig13.png and /dev/null differ
diff --git a/windows/configuration/images/waas-wsus-fig14.png b/windows/configuration/images/waas-wsus-fig14.png
deleted file mode 100644
index b5b930ddad..0000000000
Binary files a/windows/configuration/images/waas-wsus-fig14.png and /dev/null differ
diff --git a/windows/configuration/images/waas-wsus-fig15.png b/windows/configuration/images/waas-wsus-fig15.png
deleted file mode 100644
index 95e38c039e..0000000000
Binary files a/windows/configuration/images/waas-wsus-fig15.png and /dev/null differ
diff --git a/windows/configuration/images/waas-wsus-fig16.png b/windows/configuration/images/waas-wsus-fig16.png
deleted file mode 100644
index 3848ac1772..0000000000
Binary files a/windows/configuration/images/waas-wsus-fig16.png and /dev/null differ
diff --git a/windows/configuration/images/waas-wsus-fig17.png b/windows/configuration/images/waas-wsus-fig17.png
deleted file mode 100644
index 5511da3e5c..0000000000
Binary files a/windows/configuration/images/waas-wsus-fig17.png and /dev/null differ
diff --git a/windows/configuration/images/waas-wsus-fig18.png b/windows/configuration/images/waas-wsus-fig18.png
deleted file mode 100644
index f9ac774754..0000000000
Binary files a/windows/configuration/images/waas-wsus-fig18.png and /dev/null differ
diff --git a/windows/configuration/images/waas-wsus-fig19.png b/windows/configuration/images/waas-wsus-fig19.png
deleted file mode 100644
index f69d793afe..0000000000
Binary files a/windows/configuration/images/waas-wsus-fig19.png and /dev/null differ
diff --git a/windows/configuration/images/waas-wsus-fig2.png b/windows/configuration/images/waas-wsus-fig2.png
deleted file mode 100644
index 167774a6c9..0000000000
Binary files a/windows/configuration/images/waas-wsus-fig2.png and /dev/null differ
diff --git a/windows/configuration/images/waas-wsus-fig20.png b/windows/configuration/images/waas-wsus-fig20.png
deleted file mode 100644
index ea6bbb350a..0000000000
Binary files a/windows/configuration/images/waas-wsus-fig20.png and /dev/null differ
diff --git a/windows/configuration/images/waas-wsus-fig3.png b/windows/configuration/images/waas-wsus-fig3.png
deleted file mode 100644
index 272e8c05e9..0000000000
Binary files a/windows/configuration/images/waas-wsus-fig3.png and /dev/null differ
diff --git a/windows/configuration/images/waas-wsus-fig4.png b/windows/configuration/images/waas-wsus-fig4.png
deleted file mode 100644
index bb5f27e3da..0000000000
Binary files a/windows/configuration/images/waas-wsus-fig4.png and /dev/null differ
diff --git a/windows/configuration/images/waas-wsus-fig5.png b/windows/configuration/images/waas-wsus-fig5.png
deleted file mode 100644
index 23faf303c6..0000000000
Binary files a/windows/configuration/images/waas-wsus-fig5.png and /dev/null differ
diff --git a/windows/configuration/images/waas-wsus-fig6.png b/windows/configuration/images/waas-wsus-fig6.png
deleted file mode 100644
index 7857351d19..0000000000
Binary files a/windows/configuration/images/waas-wsus-fig6.png and /dev/null differ
diff --git a/windows/configuration/images/waas-wsus-fig7.png b/windows/configuration/images/waas-wsus-fig7.png
deleted file mode 100644
index e7f02649d2..0000000000
Binary files a/windows/configuration/images/waas-wsus-fig7.png and /dev/null differ
diff --git a/windows/configuration/images/waas-wsus-fig8.png b/windows/configuration/images/waas-wsus-fig8.png
deleted file mode 100644
index da5f620425..0000000000
Binary files a/windows/configuration/images/waas-wsus-fig8.png and /dev/null differ
diff --git a/windows/configuration/images/waas-wsus-fig9.png b/windows/configuration/images/waas-wsus-fig9.png
deleted file mode 100644
index f3d5a4eb6a..0000000000
Binary files a/windows/configuration/images/waas-wsus-fig9.png and /dev/null differ
diff --git a/windows/configuration/images/waas-wufb-gp-broad.png b/windows/configuration/images/waas-wufb-gp-broad.png
deleted file mode 100644
index 92b71c8936..0000000000
Binary files a/windows/configuration/images/waas-wufb-gp-broad.png and /dev/null differ
diff --git a/windows/configuration/images/waas-wufb-gp-cb2-settings.png b/windows/configuration/images/waas-wufb-gp-cb2-settings.png
deleted file mode 100644
index ae6ed4d856..0000000000
Binary files a/windows/configuration/images/waas-wufb-gp-cb2-settings.png and /dev/null differ
diff --git a/windows/configuration/images/waas-wufb-gp-cb2.png b/windows/configuration/images/waas-wufb-gp-cb2.png
deleted file mode 100644
index 006a8c02d3..0000000000
Binary files a/windows/configuration/images/waas-wufb-gp-cb2.png and /dev/null differ
diff --git a/windows/configuration/images/waas-wufb-gp-cbb1-settings.png b/windows/configuration/images/waas-wufb-gp-cbb1-settings.png
deleted file mode 100644
index c9e1029b8b..0000000000
Binary files a/windows/configuration/images/waas-wufb-gp-cbb1-settings.png and /dev/null differ
diff --git a/windows/configuration/images/waas-wufb-gp-cbb2-settings.png b/windows/configuration/images/waas-wufb-gp-cbb2-settings.png
deleted file mode 100644
index e5aff1cc89..0000000000
Binary files a/windows/configuration/images/waas-wufb-gp-cbb2-settings.png and /dev/null differ
diff --git a/windows/configuration/images/waas-wufb-gp-cbb2q-settings.png b/windows/configuration/images/waas-wufb-gp-cbb2q-settings.png
deleted file mode 100644
index 33a02165c6..0000000000
Binary files a/windows/configuration/images/waas-wufb-gp-cbb2q-settings.png and /dev/null differ
diff --git a/windows/configuration/images/waas-wufb-gp-create.png b/windows/configuration/images/waas-wufb-gp-create.png
deleted file mode 100644
index d74eec4b2e..0000000000
Binary files a/windows/configuration/images/waas-wufb-gp-create.png and /dev/null differ
diff --git a/windows/configuration/images/waas-wufb-gp-edit-defer.png b/windows/configuration/images/waas-wufb-gp-edit-defer.png
deleted file mode 100644
index c697b42ffd..0000000000
Binary files a/windows/configuration/images/waas-wufb-gp-edit-defer.png and /dev/null differ
diff --git a/windows/configuration/images/waas-wufb-gp-edit.png b/windows/configuration/images/waas-wufb-gp-edit.png
deleted file mode 100644
index 1b8d21a175..0000000000
Binary files a/windows/configuration/images/waas-wufb-gp-edit.png and /dev/null differ
diff --git a/windows/configuration/images/waas-wufb-gp-scope-cb2.png b/windows/configuration/images/waas-wufb-gp-scope-cb2.png
deleted file mode 100644
index fcacdbea57..0000000000
Binary files a/windows/configuration/images/waas-wufb-gp-scope-cb2.png and /dev/null differ
diff --git a/windows/configuration/images/waas-wufb-gp-scope.png b/windows/configuration/images/waas-wufb-gp-scope.png
deleted file mode 100644
index a04d8194df..0000000000
Binary files a/windows/configuration/images/waas-wufb-gp-scope.png and /dev/null differ
diff --git a/windows/configuration/images/waas-wufb-intune-cb2a.png b/windows/configuration/images/waas-wufb-intune-cb2a.png
deleted file mode 100644
index 3e8c1ce19e..0000000000
Binary files a/windows/configuration/images/waas-wufb-intune-cb2a.png and /dev/null differ
diff --git a/windows/configuration/images/waas-wufb-intune-cbb1a.png b/windows/configuration/images/waas-wufb-intune-cbb1a.png
deleted file mode 100644
index bc394fe563..0000000000
Binary files a/windows/configuration/images/waas-wufb-intune-cbb1a.png and /dev/null differ
diff --git a/windows/configuration/images/waas-wufb-intune-cbb2a.png b/windows/configuration/images/waas-wufb-intune-cbb2a.png
deleted file mode 100644
index a980e0e43a..0000000000
Binary files a/windows/configuration/images/waas-wufb-intune-cbb2a.png and /dev/null differ
diff --git a/windows/configuration/images/waas-wufb-intune-step11a.png b/windows/configuration/images/waas-wufb-intune-step11a.png
deleted file mode 100644
index 7291484c93..0000000000
Binary files a/windows/configuration/images/waas-wufb-intune-step11a.png and /dev/null differ
diff --git a/windows/configuration/images/waas-wufb-intune-step19a.png b/windows/configuration/images/waas-wufb-intune-step19a.png
deleted file mode 100644
index de132abd28..0000000000
Binary files a/windows/configuration/images/waas-wufb-intune-step19a.png and /dev/null differ
diff --git a/windows/configuration/images/waas-wufb-intune-step2a.png b/windows/configuration/images/waas-wufb-intune-step2a.png
deleted file mode 100644
index 9a719b8fda..0000000000
Binary files a/windows/configuration/images/waas-wufb-intune-step2a.png and /dev/null differ
diff --git a/windows/configuration/images/waas-wufb-intune-step7a.png b/windows/configuration/images/waas-wufb-intune-step7a.png
deleted file mode 100644
index daa96ba18c..0000000000
Binary files a/windows/configuration/images/waas-wufb-intune-step7a.png and /dev/null differ
diff --git a/windows/configuration/images/who-owns-pc.png b/windows/configuration/images/who-owns-pc.png
deleted file mode 100644
index d3ce1def8d..0000000000
Binary files a/windows/configuration/images/who-owns-pc.png and /dev/null differ
diff --git a/windows/configuration/images/wifisense-grouppolicy.png b/windows/configuration/images/wifisense-grouppolicy.png
deleted file mode 100644
index 1142d834bd..0000000000
Binary files a/windows/configuration/images/wifisense-grouppolicy.png and /dev/null differ
diff --git a/windows/configuration/images/wifisense-registry.png b/windows/configuration/images/wifisense-registry.png
deleted file mode 100644
index cbb1fa8347..0000000000
Binary files a/windows/configuration/images/wifisense-registry.png and /dev/null differ
diff --git a/windows/configuration/images/wifisense-settingscreens.png b/windows/configuration/images/wifisense-settingscreens.png
deleted file mode 100644
index cbb6903177..0000000000
Binary files a/windows/configuration/images/wifisense-settingscreens.png and /dev/null differ
diff --git a/windows/configuration/images/win-10-adk-select.png b/windows/configuration/images/win-10-adk-select.png
deleted file mode 100644
index 1dfaa23175..0000000000
Binary files a/windows/configuration/images/win-10-adk-select.png and /dev/null differ
diff --git a/windows/configuration/images/win10-mobile-mdm-fig1.png b/windows/configuration/images/win10-mobile-mdm-fig1.png
deleted file mode 100644
index 6ddac1df99..0000000000
Binary files a/windows/configuration/images/win10-mobile-mdm-fig1.png and /dev/null differ
diff --git a/windows/configuration/images/win10-set-up-work-or-school.png b/windows/configuration/images/win10-set-up-work-or-school.png
deleted file mode 100644
index 0ca83fb0e1..0000000000
Binary files a/windows/configuration/images/win10-set-up-work-or-school.png and /dev/null differ
diff --git a/windows/configuration/images/win10servicing-fig2-featureupgrade.png b/windows/configuration/images/win10servicing-fig2-featureupgrade.png
deleted file mode 100644
index e4dc76b44f..0000000000
Binary files a/windows/configuration/images/win10servicing-fig2-featureupgrade.png and /dev/null differ
diff --git a/windows/configuration/images/win10servicing-fig3.png b/windows/configuration/images/win10servicing-fig3.png
deleted file mode 100644
index 688f92b173..0000000000
Binary files a/windows/configuration/images/win10servicing-fig3.png and /dev/null differ
diff --git a/windows/configuration/images/win10servicing-fig4-upgradereleases.png b/windows/configuration/images/win10servicing-fig4-upgradereleases.png
deleted file mode 100644
index 961c8bebe2..0000000000
Binary files a/windows/configuration/images/win10servicing-fig4-upgradereleases.png and /dev/null differ
diff --git a/windows/configuration/images/win10servicing-fig5.png b/windows/configuration/images/win10servicing-fig5.png
deleted file mode 100644
index dc4b2fc5b2..0000000000
Binary files a/windows/configuration/images/win10servicing-fig5.png and /dev/null differ
diff --git a/windows/configuration/images/win10servicing-fig6.png b/windows/configuration/images/win10servicing-fig6.png
deleted file mode 100644
index 4cdc5f9c6f..0000000000
Binary files a/windows/configuration/images/win10servicing-fig6.png and /dev/null differ
diff --git a/windows/configuration/images/win10servicing-fig7.png b/windows/configuration/images/win10servicing-fig7.png
deleted file mode 100644
index 0a9a851449..0000000000
Binary files a/windows/configuration/images/win10servicing-fig7.png and /dev/null differ
diff --git a/windows/configuration/images/windows-10-management-cyod-byod-flow.png b/windows/configuration/images/windows-10-management-cyod-byod-flow.png
deleted file mode 100644
index 6121e93832..0000000000
Binary files a/windows/configuration/images/windows-10-management-cyod-byod-flow.png and /dev/null differ
diff --git a/windows/configuration/images/windows-10-management-gp-intune-flow.png b/windows/configuration/images/windows-10-management-gp-intune-flow.png
deleted file mode 100644
index c9e3f2ea31..0000000000
Binary files a/windows/configuration/images/windows-10-management-gp-intune-flow.png and /dev/null differ
diff --git a/windows/configuration/images/windows-10-management-range-of-options.png b/windows/configuration/images/windows-10-management-range-of-options.png
deleted file mode 100644
index e4de546709..0000000000
Binary files a/windows/configuration/images/windows-10-management-range-of-options.png and /dev/null differ
diff --git a/windows/configuration/images/windows-icd.png b/windows/configuration/images/windows-icd.png
deleted file mode 100644
index 4bc8a18f4c..0000000000
Binary files a/windows/configuration/images/windows-icd.png and /dev/null differ
diff --git a/windows/configuration/images/wsfb-distribute.png b/windows/configuration/images/wsfb-distribute.png
deleted file mode 100644
index d0482f6ebe..0000000000
Binary files a/windows/configuration/images/wsfb-distribute.png and /dev/null differ
diff --git a/windows/configuration/images/wsfb-firstrun.png b/windows/configuration/images/wsfb-firstrun.png
deleted file mode 100644
index 2673567a1e..0000000000
Binary files a/windows/configuration/images/wsfb-firstrun.png and /dev/null differ
diff --git a/windows/configuration/images/wsfb-inventory-viewlicense.png b/windows/configuration/images/wsfb-inventory-viewlicense.png
deleted file mode 100644
index 9fafad1aff..0000000000
Binary files a/windows/configuration/images/wsfb-inventory-viewlicense.png and /dev/null differ
diff --git a/windows/configuration/images/wsfb-inventory.png b/windows/configuration/images/wsfb-inventory.png
deleted file mode 100644
index b060fb30e4..0000000000
Binary files a/windows/configuration/images/wsfb-inventory.png and /dev/null differ
diff --git a/windows/configuration/images/wsfb-inventoryaddprivatestore.png b/windows/configuration/images/wsfb-inventoryaddprivatestore.png
deleted file mode 100644
index bb1152e35b..0000000000
Binary files a/windows/configuration/images/wsfb-inventoryaddprivatestore.png and /dev/null differ
diff --git a/windows/configuration/images/wsfb-landing.png b/windows/configuration/images/wsfb-landing.png
deleted file mode 100644
index beae0b52af..0000000000
Binary files a/windows/configuration/images/wsfb-landing.png and /dev/null differ
diff --git a/windows/configuration/images/wsfb-licenseassign.png b/windows/configuration/images/wsfb-licenseassign.png
deleted file mode 100644
index 5904abb3b9..0000000000
Binary files a/windows/configuration/images/wsfb-licenseassign.png and /dev/null differ
diff --git a/windows/configuration/images/wsfb-licensedetails.png b/windows/configuration/images/wsfb-licensedetails.png
deleted file mode 100644
index 53e0f5c935..0000000000
Binary files a/windows/configuration/images/wsfb-licensedetails.png and /dev/null differ
diff --git a/windows/configuration/images/wsfb-licensereclaim.png b/windows/configuration/images/wsfb-licensereclaim.png
deleted file mode 100644
index 9f94cd3600..0000000000
Binary files a/windows/configuration/images/wsfb-licensereclaim.png and /dev/null differ
diff --git a/windows/configuration/images/wsfb-manageinventory.png b/windows/configuration/images/wsfb-manageinventory.png
deleted file mode 100644
index 9a544ddc21..0000000000
Binary files a/windows/configuration/images/wsfb-manageinventory.png and /dev/null differ
diff --git a/windows/configuration/images/wsfb-offline-distribute-mdm.png b/windows/configuration/images/wsfb-offline-distribute-mdm.png
deleted file mode 100644
index ec0e77a9a9..0000000000
Binary files a/windows/configuration/images/wsfb-offline-distribute-mdm.png and /dev/null differ
diff --git a/windows/configuration/images/wsfb-onboard-1.png b/windows/configuration/images/wsfb-onboard-1.png
deleted file mode 100644
index 012e91a845..0000000000
Binary files a/windows/configuration/images/wsfb-onboard-1.png and /dev/null differ
diff --git a/windows/configuration/images/wsfb-onboard-2.png b/windows/configuration/images/wsfb-onboard-2.png
deleted file mode 100644
index 2ff98fb1f7..0000000000
Binary files a/windows/configuration/images/wsfb-onboard-2.png and /dev/null differ
diff --git a/windows/configuration/images/wsfb-onboard-3.png b/windows/configuration/images/wsfb-onboard-3.png
deleted file mode 100644
index ed9a61d353..0000000000
Binary files a/windows/configuration/images/wsfb-onboard-3.png and /dev/null differ
diff --git a/windows/configuration/images/wsfb-onboard-4.png b/windows/configuration/images/wsfb-onboard-4.png
deleted file mode 100644
index d99185ddc6..0000000000
Binary files a/windows/configuration/images/wsfb-onboard-4.png and /dev/null differ
diff --git a/windows/configuration/images/wsfb-onboard-5.png b/windows/configuration/images/wsfb-onboard-5.png
deleted file mode 100644
index 68049f4425..0000000000
Binary files a/windows/configuration/images/wsfb-onboard-5.png and /dev/null differ
diff --git a/windows/configuration/images/wsfb-onboard-7.png b/windows/configuration/images/wsfb-onboard-7.png
deleted file mode 100644
index 38b7348b21..0000000000
Binary files a/windows/configuration/images/wsfb-onboard-7.png and /dev/null differ
diff --git a/windows/configuration/images/wsfb-online-distribute-mdm.png b/windows/configuration/images/wsfb-online-distribute-mdm.png
deleted file mode 100644
index 4b0f7cbf3a..0000000000
Binary files a/windows/configuration/images/wsfb-online-distribute-mdm.png and /dev/null differ
diff --git a/windows/configuration/images/wsfb-paid-app-temp.png b/windows/configuration/images/wsfb-paid-app-temp.png
deleted file mode 100644
index 89e3857d07..0000000000
Binary files a/windows/configuration/images/wsfb-paid-app-temp.png and /dev/null differ
diff --git a/windows/configuration/images/wsfb-permissions-assignrole.png b/windows/configuration/images/wsfb-permissions-assignrole.png
deleted file mode 100644
index de2e1785ba..0000000000
Binary files a/windows/configuration/images/wsfb-permissions-assignrole.png and /dev/null differ
diff --git a/windows/configuration/images/wsfb-private-store-gpo.PNG b/windows/configuration/images/wsfb-private-store-gpo.PNG
deleted file mode 100644
index 5e7fe44ec2..0000000000
Binary files a/windows/configuration/images/wsfb-private-store-gpo.PNG and /dev/null differ
diff --git a/windows/configuration/images/wsfb-privatestore.png b/windows/configuration/images/wsfb-privatestore.png
deleted file mode 100644
index 74c9f1690d..0000000000
Binary files a/windows/configuration/images/wsfb-privatestore.png and /dev/null differ
diff --git a/windows/configuration/images/wsfb-privatestoreapps.png b/windows/configuration/images/wsfb-privatestoreapps.png
deleted file mode 100644
index 1ddb543796..0000000000
Binary files a/windows/configuration/images/wsfb-privatestoreapps.png and /dev/null differ
diff --git a/windows/configuration/images/wsfb-renameprivatestore.png b/windows/configuration/images/wsfb-renameprivatestore.png
deleted file mode 100644
index c6db282581..0000000000
Binary files a/windows/configuration/images/wsfb-renameprivatestore.png and /dev/null differ
diff --git a/windows/configuration/images/wsfb-settings-mgmt.png b/windows/configuration/images/wsfb-settings-mgmt.png
deleted file mode 100644
index 2a7b590d19..0000000000
Binary files a/windows/configuration/images/wsfb-settings-mgmt.png and /dev/null differ
diff --git a/windows/configuration/images/wsfb-settings-permissions.png b/windows/configuration/images/wsfb-settings-permissions.png
deleted file mode 100644
index 63d04d270b..0000000000
Binary files a/windows/configuration/images/wsfb-settings-permissions.png and /dev/null differ
diff --git a/windows/configuration/images/wsfb-wsappaddacct.png b/windows/configuration/images/wsfb-wsappaddacct.png
deleted file mode 100644
index 5c0bd9a4ce..0000000000
Binary files a/windows/configuration/images/wsfb-wsappaddacct.png and /dev/null differ
diff --git a/windows/configuration/images/wsfb-wsappprivatestore.png b/windows/configuration/images/wsfb-wsappprivatestore.png
deleted file mode 100644
index 9c29e7604c..0000000000
Binary files a/windows/configuration/images/wsfb-wsappprivatestore.png and /dev/null differ
diff --git a/windows/configuration/images/wsfb-wsappsignin.png b/windows/configuration/images/wsfb-wsappsignin.png
deleted file mode 100644
index c2c2631a94..0000000000
Binary files a/windows/configuration/images/wsfb-wsappsignin.png and /dev/null differ
diff --git a/windows/configuration/images/wsfb-wsappworkacct.png b/windows/configuration/images/wsfb-wsappworkacct.png
deleted file mode 100644
index 5eb9035124..0000000000
Binary files a/windows/configuration/images/wsfb-wsappworkacct.png and /dev/null differ
diff --git a/windows/configuration/images/wufb-config1a.png b/windows/configuration/images/wufb-config1a.png
deleted file mode 100644
index 1514b87528..0000000000
Binary files a/windows/configuration/images/wufb-config1a.png and /dev/null differ
diff --git a/windows/configuration/images/wufb-config2.png b/windows/configuration/images/wufb-config2.png
deleted file mode 100644
index f54eef9a50..0000000000
Binary files a/windows/configuration/images/wufb-config2.png and /dev/null differ
diff --git a/windows/configuration/images/wufb-config3a.png b/windows/configuration/images/wufb-config3a.png
deleted file mode 100644
index 538028cfdc..0000000000
Binary files a/windows/configuration/images/wufb-config3a.png and /dev/null differ
diff --git a/windows/configuration/images/wufb-do.png b/windows/configuration/images/wufb-do.png
deleted file mode 100644
index 8d6c9d0b8a..0000000000
Binary files a/windows/configuration/images/wufb-do.png and /dev/null differ
diff --git a/windows/configuration/images/wufb-groups.png b/windows/configuration/images/wufb-groups.png
deleted file mode 100644
index 13cdea04b0..0000000000
Binary files a/windows/configuration/images/wufb-groups.png and /dev/null differ
diff --git a/windows/configuration/images/wufb-pause-feature.png b/windows/configuration/images/wufb-pause-feature.png
deleted file mode 100644
index afeac43e29..0000000000
Binary files a/windows/configuration/images/wufb-pause-feature.png and /dev/null differ
diff --git a/windows/configuration/images/wufb-qual.png b/windows/configuration/images/wufb-qual.png
deleted file mode 100644
index 4a93408522..0000000000
Binary files a/windows/configuration/images/wufb-qual.png and /dev/null differ
diff --git a/windows/configuration/images/wufb-sccm.png b/windows/configuration/images/wufb-sccm.png
deleted file mode 100644
index 1d568c1fe4..0000000000
Binary files a/windows/configuration/images/wufb-sccm.png and /dev/null differ
diff --git a/windows/configuration/images/x_blk.png b/windows/configuration/images/x_blk.png
deleted file mode 100644
index 69432ff71c..0000000000
Binary files a/windows/configuration/images/x_blk.png and /dev/null differ
diff --git a/windows/configuration/manage-wifi-sense-in-enterprise.md b/windows/configuration/manage-wifi-sense-in-enterprise.md
deleted file mode 100644
index f5ee82e15a..0000000000
--- a/windows/configuration/manage-wifi-sense-in-enterprise.md
+++ /dev/null
@@ -1,99 +0,0 @@
----
-title: Manage Wi-Fi Sense in your company (Windows 10)
-description: Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places.
-ms.reviewer:
-manager: aaroncz
-ms.author: lizlong
-ms.prod: windows-client
-author: lizgt2000
-ms.localizationpriority: medium
-ms.topic: article
-ms.technology: itpro-configure
-ms.date: 12/31/2017
----
-
-# Manage Wi-Fi Sense in your company
-
-**Applies to**
-
-- Windows 10 version 1709 and older
-
-> [!IMPORTANT]
-> Beginning with Windows 10, version 1803, Wifi-Sense is no longer available. The following information only applies to Windows 10, version 1709 and prior. Please see [Connecting to open Wi-Fi hotspots in Windows 10](https://privacy.microsoft.com/windows-10-open-wi-fi-hotspots) for more details.
-
-Wi-Fi Sense learns about open Wi-Fi hotspots your Windows device by collecting information about the network, like whether the open Wi-Fi network has a high-quality connection to the Internet. By using that information from your device and from other Wi-Fi Sense customers' devices too, Wi-Fi Sense builds a database of these high-quality networks. When you’re in range of one of these Wi-Fi hotspots, you automatically get connected to it.
-
-The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your device with Windows 10.
-
-> [!NOTE]
-> >Wi-Fi Sense isn’t available in all countries or regions.
-
-## How does Wi-Fi Sense work?
-Wi-Fi Sense connects your employees to open Wi-Fi networks. Typically, these are the open (no password required) Wi-Fi hotspots you see when you’re out and about.
-
-## How to manage Wi-Fi Sense in your company
-In a company environment, you will most likely deploy Windows 10 to your employees' devices using your preferred deployment method and then manage their settings globally. With that in mind, you have a few options for managing how your employees will use Wi-Fi Sense.
-
-> [!IMPORTANT]
-> Turning off Wi-Fi Sense stops employees from connecting automatically to open hotspots.
-
-### Using Group Policy (available starting with Windows 10, version 1511)
-You can manage your Wi-Fi Sense settings by using Group Policy and your Group Policy editor.
-
-**To set up Wi-Fi Sense using Group Policy**
-
-1. Open your Group Policy editor and go to the `Computer Configuration\Administrative Templates\Network\WLAN Service\WLAN Settings\Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services` setting.
-
- 
-
-2. Turn Wi-Fi Sense on (enabled) or off (disabled), based on your company's environment.
-
-### Using the Registry Editor
-You can manage your Wi-Fi Sense settings by using registry keys and the Registry Editor.
-
-**To set up Wi-Fi Sense using the Registry Editor**
-
-1. Open your Registry Editor and go to `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config\`
-
-2. Create and set a new **DWORD (32-bit) Value** named, **AutoConnectAllowedOEM**, with a **Value data** of **0 (zero)**.
-
- Setting this value to `0` turns off Wi-Fi Sense and all Wi-Fi sense features. When turned off, the Wi-Fi Sense settings still appear on the **Wi-Fi Settings** screen, but can't be controlled by the employee and all of the Wi-Fi Sense features are turned off. For more info, see [How to configure Wi-Fi Sense on Windows 10 in an enterprise](/troubleshoot/windows-client/networking/configure-wifi-sense-and-paid-wifi-service).
-
- 
-
-### Using the Windows Provisioning settings
-You can manage your Wi-Fi Sense settings by changing the Windows provisioning setting, **WiFISenseAllowed**.
-
-**To set up Wi-Fi Sense using WiFISenseAllowed**
-
-- Change the Windows Provisioning setting, **WiFISenseAllowed**, to **0**.
-
- Setting this value to `0` turns off Wi-Fi Sense and all Wi-Fi sense features. When turned off, the Wi-Fi Sense settings still appear on the **Wi-Fi Settings** screen, but can't be controlled by the employee and all of the Wi-Fi Sense features are turned off. For more info, see the Windows Provisioning settings reference topic, [WiFiSenseAllowed](./wcd/wcd-connectivityprofiles.md#wifisense).
-
-### Using Unattended Windows Setup settings
-If your company still uses Unattend, you can manage your Wi-Fi Sense settings by changing the Unattended Windows Setup setting, **WiFiSenseAllowed**.
-
-**To set up Wi-Fi Sense using WiFISenseAllowed**
-
-- Change the Unattended Windows Setup setting, **WiFISenseAllowed**, to **0**.
-
- Setting this value to `0` turns off Wi-Fi Sense and all Wi-Fi sense features. When turned off, the Wi-Fi Sense settings still appear on the **Wi-Fi Settings screen, but can't be controlled by the employee and all of the Wi-Fi Sense features are turned off. For more info, see the Unattended Windows Setup Reference topic, [WiFiSenseAllowed](/previous-versions//mt186511(v=vs.85)).
-
-### How employees can change their own Wi-Fi Sense settings
-If you don’t turn off the ability for your employees to use Wi-Fi Sense, they can turn it on locally by selecting **Settings > Network & Internet > Wi-Fi > Manage Wi-Fi settings**, and then turning on **Connect to suggested open hotspots**.
-
-
-
-> [!IMPORTANT]
-> The service that was used to share networks with Facebook friends, Outlook.com contacts, or Skype contacts is no longer available. This means:
-
-The **Connect to networks shared by my contacts** setting will still appear in **Settings > Network & Internet > Wi-Fi > Manage Wi-Fi settings** on your device. However, this setting will have no effect now. Regardless of what it’s set to, networks won’t be shared with your contacts. Your contacts won’t be connected to networks you’ve shared with them, and you won’t be connected to networks they’ve shared with you.
-
-Even if you selected **Automatically connect to networks shared by your contacts** when you first set up your Windows 10 device, you still won’t be connected to networks your contacts have shared with you.
-
-If you select the **Share network with my contacts** check box the first time you connect to a new network, the network won’t be shared.
-
-## Related topics
-
-- [Wi-Fi Sense and Privacy](https://go.microsoft.com/fwlink/p/?LinkId=620911)
-- [How to configure Wi-Fi Sense on Windows 10 in an enterprise](/troubleshoot/windows-client/networking/configure-wifi-sense-and-paid-wifi-service)
diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md
deleted file mode 100644
index 073685eb1c..0000000000
--- a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md
+++ /dev/null
@@ -1,185 +0,0 @@
----
-title: Provision PCs with apps and certificates (Windows 10)
-description: Create a provisioning package to apply settings to a PC running Windows 10.
-ms.prod: windows-client
-author: lizgt2000
-ms.author: lizlong
-ms.topic: article
-ms.localizationpriority: medium
-ms.date: 07/27/2017
-ms.reviewer:
-manager: aaroncz
-ms.technology: itpro-configure
----
-
-# Provision PCs with apps and certificates for initial deployment (advanced provisioning)
-
-
-**Applies to**
-
-- Windows 10
-
-DEPRECATED - See [Provision PCs with apps](provision-pcs-with-apps.md)
-
-This topic explains how to create and apply a provisioning package that contains apps and certificates to a device running all desktop editions of Windows 10 except Windows 10 Home. Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more.
-
-You can apply a provisioning package on a USB drive to off-the-shelf devices during setup, making it fast and easy to configure new devices.
-
-## Advantages
-- You can configure new devices without reimaging.
-
-- Works on both mobile and desktop devices.
-
-- No network connectivity required.
-
-- Simple to apply.
-
-[Learn more about the benefits and uses of provisioning packages.](provisioning-packages.md)
-
-## Create the provisioning package
-
-Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. [Install the ADK and select **Configuration Designer**.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit)
-
-1. Open Windows ICD (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe).
-
-2. Click **Advanced provisioning**.
-
- 
-
-3. Name your project and click **Next**.
-
-4. Select **All Windows desktop editions**, click **Next**, and then click **Finish**.
-
-
-### Add a desktop app to your package
-
-1. In the **Available customizations** pane, go to **Runtime settings** > **ProvisioningCommands** > **DeviceContext** > **CommandFiles**.
-
-2. Add all the files required for the app install, including the data files and the installer.
-
-3. Go to **Runtime settings** > **ProvisioningCommands** > **DeviceContext** > **CommandLine** and specify the command line that needs to be executed to install the app. This is a single command line (such as a script, executable, or msi) that triggers a silent install of your CommandFiles. Note that the install must execute silently (without displaying any UI). For MSI installers use, the `msiexec /quiet` option.
-
-> [!NOTE]
-> If you are installing more than one app, then use `CommandLine` to invoke the script or batch file that orchestrates installation of the files. For more information, see [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md).
-
-
-### Add a universal app to your package
-
-Universal apps that you can distribute in the provisioning package can be line-of-business (LOB) apps developed by your organization, Microsoft Store for Business apps that you acquire with [offline licensing](/microsoft-store/acquire-apps-windows-store-for-business), or third-party apps. This procedure will assume you are distributing apps from the Microsoft Store for Business. For other apps, obtain the necessary information (such as the package family name) from the app developer.
-
-1. In the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall**.
-
-2. For **DeviceContextApp**, specify the **PackageFamilyName** for the app. In Microsoft Store for Business, the package family name is listed in the **Package details** section of the download page.
-
-3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle).
-
-4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. In Microsoft Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page.
-
-5. For **DeviceContextAppLicense**, enter the **LicenseProductID**.
-
- - In Microsoft Store for Business, generate the unencoded license for the app on the app's download page, and change the extension of the license file from **.xml** to **.ms-windows-store-license**.
-
- - Open the license file and search for **LicenseID=** to get the GUID, enter the GUID in the **LicenseProductID** field and click **Add**.
-
-6. In the **Available customizations** pane, click the **LicenseProductId** that you just added.
-
-7. For **LicenseInstall**, click **Browse**, navigate to the license file that you renamed *\*.**ms-windows-store-license**, and select the license file.
-
-[Learn more about distributing offline apps from the Microsoft Store for Business.](/microsoft-store/distribute-offline-apps)
-
-> [!NOTE]
-> Removing a provisioning package will not remove any apps installed by device context in that provisioning package.
-
-
-
-### Add a certificate to your package
-
-1. In the **Available customizations** pane, go to **Runtime settings** > **Certificates** > **ClientCertificates**.
-
-2. Enter a **CertificateName** and then click **Add**.
-
-2. Enter the **CertificatePassword**.
-
-3. For **CertificatePath**, browse and select the certificate to be used.
-
-4. Set **ExportCertificate** to **False**.
-
-5. For **KeyLocation**, select **Software only**.
-
-
-### Add other settings to your package
-
-For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( https://go.microsoft.com/fwlink/p/?LinkId=619012).
-
-### Build your package
-
-1. When you are done configuring the provisioning package, on the **File** menu, click **Save**.
-
-2. Read the warning that project files may contain sensitive information, and click **OK**.
- > **Important** When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
-
-3. On the **Export** menu, click **Provisioning package**.
-
-4. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
-
-5. Set a value for **Package Version**.
-
- > [!TIP]
- > You can make changes to existing packages and change the version number to update previously applied packages.
-
-6. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
-
- - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
-
- - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package.
-
- **Important**
- We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently.
-
-7. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.
- Optionally, you can click **Browse** to change the default output location.
-
-8. Click **Next**.
-
-9. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.
- If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
-
-10. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
- If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
-
- - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
-
- - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
-
-11. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods:
-
- - Shared network folder
-
- - SharePoint site
-
- - Removable media (USB/SD)
-
- - Email
-
- - USB tether (mobile only)
-
- - NFC (mobile only)
-
-
-
-**Next step**: [How to apply a provisioning package](provisioning-apply-package.md)
-
-## Related topics
-
-- [Provisioning packages for Windows 10](provisioning-packages.md)
-- [How provisioning works in Windows 10](provisioning-how-it-works.md)
-- [Install Windows Configuration Designer](provisioning-install-icd.md)
-- [Create a provisioning package](provisioning-create-package.md)
-- [Apply a provisioning package](provisioning-apply-package.md)
-- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
-- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
-- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
-- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md)
-- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
-
-
diff --git a/windows/configuration/screenshot11.png b/windows/configuration/screenshot11.png
deleted file mode 100644
index 0ce852ebaa..0000000000
Binary files a/windows/configuration/screenshot11.png and /dev/null differ
diff --git a/windows/configuration/screenshot2.png b/windows/configuration/screenshot2.png
deleted file mode 100644
index fb7995600e..0000000000
Binary files a/windows/configuration/screenshot2.png and /dev/null differ
diff --git a/windows/configuration/wcd/wcd.md b/windows/configuration/wcd/wcd.md
index c982e45ca3..1c7d6d423c 100644
--- a/windows/configuration/wcd/wcd.md
+++ b/windows/configuration/wcd/wcd.md
@@ -39,7 +39,7 @@ This section describes the settings that you can configure in [provisioning pack
| [DeviceUpdateCenter](wcd-deviceupdatecenter.md) | ✔️ | | | |
| [DMClient](wcd-dmclient.md) | ✔️ | ✔️ | | ✔️ |
| [EditionUpgrade](wcd-editionupgrade.md) | ✔️ | | ✔️ | |
-| [EmbeddedLockdownProfiles](wcd-embeddedlockdownprofiles.md) | | | | |
+| [EmbeddedLockdownProfiles](https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5) | | | | |
| [FirewallConfiguration](wcd-firewallconfiguration.md) | | | | ✔️ |
| [FirstExperience](wcd-firstexperience.md) | | | ✔️ | |
| [Folders](wcd-folders.md) |✔️ | ✔️ | | |
diff --git a/windows/deployment/breadcrumb/toc.yml b/windows/deployment/breadcrumb/toc.yml
index 3cb4555445..bbaa26132d 100644
--- a/windows/deployment/breadcrumb/toc.yml
+++ b/windows/deployment/breadcrumb/toc.yml
@@ -21,4 +21,17 @@ items:
items:
- name: Deployment
tocHref: /windows/whats-new
- topicHref: /windows/deployment/
\ No newline at end of file
+ topicHref: /windows/deployment/
+
+- name: Learn
+ tocHref: /
+ topicHref: /
+ items:
+ - name: Windows
+ tocHref: /mem/intune/
+ topicHref: /windows/resources/
+ items:
+ - name: Deployment
+ tocHref: /mem/intune/protect/
+ topicHref: /windows/deployment/
+
diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml
index 8789fb10ba..5bc21c33d2 100644
--- a/windows/deployment/windows-autopatch/TOC.yml
+++ b/windows/deployment/windows-autopatch/TOC.yml
@@ -22,6 +22,8 @@
items:
- name: Fix issues found by the Readiness assessment tool
href: prepare/windows-autopatch-fix-issues.md
+ - name: Submit a tenant enrollment support request
+ href: prepare/windows-autopatch-enrollment-support-request.md
- name: Deploy
href:
items:
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md
index d3cf70f023..b01e97264d 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md
@@ -17,9 +17,9 @@ msreviewer: hathind
There are several ways that Windows Autopatch service communicates with customers. To streamline communication and ensure we're checking with the right people when you [submit a support request](../operate/windows-autopatch-support-request.md), you must provide a set of admin contacts when you onboard with Windows Autopatch.
> [!IMPORTANT]
-> You might have already added these contacts in the Microsoft Endpoint Manager admin center during the enrollment process. If so, take a moment now to double-check that the contact list is accurate, since the Windows Autopatch Service Engineering Team must be able to reach them if a severe incident occurs.
+> You might have already added these contacts in the Microsoft Endpoint Manager admin center during the [enrollment process](../prepare/windows-autopatch-enroll-tenant.md#step-4-enroll-your-tenant), or if you've [submitted a tenant enrollment support request](../prepare/windows-autopatch-enrollment-support-request.md). However, take a moment to double-check that the contact list is accurate, since the Windows Autopatch Service Engineering Team must be able to reach them if a severe incident occurs.
-You must have an admin contact for each specified area of focus. The Windows Autopatch Service Engineering Team will contact these individuals for assistance with troubleshooting your support request. Admin contacts should be the best person or group that can answer questions and make decisions for different [areas of focus](#area-of-focus).
+You must have an admin contact for each specified area of focus. The Windows Autopatch Service Engineering Team will contact these individuals for assistance with your support request. Admin contacts should be the best person or group that can answer questions and make decisions for different [areas of focus](#area-of-focus).
> [!IMPORTANT]
> Whoever you choose as admin contacts, they must have the knowledge and authority to make decisions for your Windows Autopatch environment. The Windows Autopatch Service Engineering Team will contact these admin contacts for questions involving support requests.
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md
index 985c852e6f..340afa6233 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md
@@ -30,7 +30,7 @@ Device readiness in Windows Autopatch is divided into two different scenarios:
| Scenario | Description |
| ----- | ----- |
| Prerequisite checks | Ensures devices follow software-based requirements before being registered with the service. |
-| Post-device registration readiness checks | Provides continuous monitoring of device health for registered devices.
IT admins can easily detect and remediate configuration mismatches in their environments or issues that prevent devices from having one or more software update workloads (Windows quality, feature updates, Microsoft Office, Microsoft Teams, or Microsoft Edge) fully managed by the Windows Autopatch service. Configuration mismatches can leave devices in a vulnerable state, out of compliance and exposed to security threats.
|
+| Post-device registration readiness checks | Provides continuous monitoring of device health for registered devices.
IT admins can easily detect and remediate configuration mismatches in their environments or issues that prevent devices from having one or more software update workloads fully managed by the Windows Autopatch service. Software workloads include:
Windows quality updates
Feature updates
Microsoft Office
Microsoft Teams
Microsoft Edge
Configuration mismatches can leave devices in a vulnerable state, out of compliance and exposed to security threats.
|
### Device readiness checks available for each scenario
@@ -42,14 +42,19 @@ The status of each post-device registration readiness check is shown in the Wind
## About the three tabs in the Devices blade
-You deploy software updates to secure your environment, but these deployments only reach healthy and active devices. Unhealthy or not ready devices affect the overall software update compliance. Figuring out device health can be challenging and disruptive to the end user when IT can’t obtain proactive data sent by the device to the service for IT admins to proactively detect, troubleshoot, and fix issues.
+You deploy software updates to secure your environment, but these deployments only reach healthy and active devices. Unhealthy or not ready devices affect the overall software update compliance.
-Windows Autopatch has three tabs within its Devices blade. Each tab is designed to provide a different set of device readiness statuses so IT admins know where to go to monitor, and troubleshoot potential device health issues:
+Figuring out device health can be challenging and disruptive to the end user when IT admins can't:
+
+- Obtain proactive data sent by the device to the service, or
+- Proactively detect and remediate issues
+
+Windows Autopatch has three tabs within its Devices blade. Each tab is designed to provide a different set of device readiness statuses so IT admins know where to go to monitor, and remediate potential device health issues:
| Tab | Description |
| ----- | ----- |
| Ready | This tab only lists devices with the **Active** status. Devices with the **Active** status successfully:
Passed the prerequisite checks.
Registered with Windows Autopatch.
This tab also lists devices that have passed all postdevice registration readiness checks. |
-| Not ready | This tab only lists devices with the **Readiness failed** and **Inactive** status.
**Readiness failed status**: Devices that didn’t pass one or more post-device registration readiness checks.
**Inactive**: Devices that haven’t communicated with the Microsoft Intune service in the last 28 days.
|
+| Not ready | This tab only lists devices with the **Readiness failed** and **Inactive** status.
**Readiness failed status**: Devices that didn’t pass one or more post-device registration readiness checks.
**Inactive**: Devices that haven't communicated with the Microsoft Intune service in the last 28 days.
|
| Not registered | Only lists devices with the **Prerequisite failed** status in it. Devices with the **Prerequisite failed** status didn’t pass one or more prerequisite checks during the device registration process. |
## Details about the post-device registration readiness checks
@@ -60,7 +65,7 @@ A healthy or active device in Windows Autopatch is:
- Actively sending data
- Passes all post-device registration readiness checks
-The post-device registration readiness checks are powered by the **Microsoft Cloud Managed Desktop Extension**. It's installed right after devices are successfully registered with Windows Autopatch. The **Microsoft Cloud Managed Desktop Extension** has the Device Readiness Check Plugin. The Device Readiness Check Plugin is responsible for performing the readiness checks and reporting the results back to the service. The **Microsoft Cloud Managed Desktop Extension** is a subcomponent of the overall Windows Autopatch service.
+The post-device registration readiness checks are powered by the **Microsoft Cloud Managed Desktop Extension**. It's installed right after devices are successfully registered with Windows Autopatch. The **Microsoft Cloud Managed Desktop Extension** has the Device Readiness Check Plugin. The Device Readiness Check Plugin is responsible for performing the readiness checks and reporting the results back to the service. The **Microsoft Cloud Managed Desktop Extension** is a sub-component of the overall Windows Autopatch service.
The following list of post-device registration readiness checks is performed in Windows Autopatch:
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
index eff03275a8..47e7d10902 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
@@ -86,7 +86,7 @@ For more information, see [Windows Autopatch Prerequisites](../prepare/windows-a
## About the Ready, Not ready and Not registered tabs
-Windows Autopatch has three tabs within its device blade. Each tab is designed to provide a different set of device readiness status so IT admin knows where to go to monitor, and troubleshoot potential device health issues.
+Windows Autopatch has three tabs within its device blade. Each tab is designed to provide a different set of device readiness statuses so IT admin knows where to go to monitor, and fix potential device health issues.
| Device blade tab | Purpose | Expected device readiness status |
| ----- | ----- | ----- |
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md
index c5a7514fc4..aa13524ff2 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md
@@ -26,7 +26,7 @@ After you've completed enrollment in Windows Autopatch, some management settings
| Setting | Description |
| ----- | ----- |
-| Update rings for Windows 10 or later | For any update rings for Windows 10 or later policies you've created, exclude the **Modern Workplace Devices - All** Azure AD group from each policy. For more information, see [Create and assign update rings](/mem/intune/protect/windows-10-update-rings#create-and-assign-update-rings).
Windows Autopatch will also have created some update ring policies. all of which The policies will have "**Modern Workplace**" in the name. For example:
Modern Workplace Update Policy [Broad]-[Windows Autopatch]
Modern Workplace Update Policy [Fast]-[Windows Autopatch]
Modern Workplace Update Policy [First]-[Windows Autopatch]
Modern Workplace Update Policy [Test]-[Windows Autopatch]
When you update your own policies, ensure that you don't exclude the **Modern Workplace Devices - All** Azure AD group from the policies that Windows Autopatch created.
**To resolve the Not ready result:**
After enrolling into Autopatch, make sure that any update ring policies you have **exclude** the **Modern Workplace Devices - All** Azure Active Directory (AD) group.For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).
**To resolve the Advisory result:**
Make sure that any update ring policies you have **exclude** the **Modern Workplace Devices - All** Azure Active Directory (AD) group.
If you have assigned Azure AD user groups to these policies, make sure that any update ring policies you have also **exclude** the **Modern Workplace - All** Azure AD group that you add your Windows Autopatch users to (or an equivalent group).
For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).
|
+| Deployment rings for Windows 10 or later | For any deployment rings for Windows 10 or later policies you've created, exclude the **Modern Workplace Devices - All** Azure AD group from each policy. For more information, see [Create and assign deployment rings](/mem/intune/protect/windows-10-update-rings#create-and-assign-update-rings).
Windows Autopatch will also have created some update ring policies. all of which The policies will have "**Modern Workplace**" in the name. For example:
Modern Workplace Update Policy [Broad]-[Windows Autopatch]
Modern Workplace Update Policy [Fast]-[Windows Autopatch]
Modern Workplace Update Policy [First]-[Windows Autopatch]
Modern Workplace Update Policy [Test]-[Windows Autopatch]
When you update your own policies, ensure that you don't exclude the **Modern Workplace Devices - All** Azure AD group from the policies that Windows Autopatch created.
**To resolve the Not ready result:**
After enrolling into Autopatch, make sure that any update ring policies you have **exclude** the **Modern Workplace Devices - All** Azure Active Directory (AD) group.For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).
**To resolve the Advisory result:**
Make sure that any update ring policies you have **exclude** the **Modern Workplace Devices - All** Azure Active Directory (AD) group.
If you have assigned Azure AD user groups to these policies, make sure that any update ring policies you have also **exclude** the **Modern Workplace - All** Azure AD group that you add your Windows Autopatch users to (or an equivalent group).
For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).
|
## Windows Autopatch configurations
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
index 3089035470..ebe7cda8b7 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
@@ -34,7 +34,7 @@ All devices registered for Windows Autopatch will receive updates from the [Mont
Unlike Windows update, the Office CDN doesn't make the update available to all devices at once. Over the course of the release, the Office CDN gradually makes the update available to the whole population of devices. Windows Autopatch doesn't control the order in which updates are offered to devices across your estate. After the update has been downloaded, there's a seven day [update deadline](/deployoffice/configure-update-settings-microsoft-365-apps) that specifies how long the user has until the user must apply the update.
-## Update rings
+## Deployment rings
Since the Office CDN determines when devices are offered updates, Windows Autopatch doesn't use rings to control the rollout of these updates.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md
index c59e0e6802..800f387276 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md
@@ -15,7 +15,7 @@ msreviewer: hathind
# Submit a support request
> [!IMPORTANT]
-> Make sure you've [added and verified your admin contacts](../deploy/windows-autopatch-admin-contacts.md). The Windows Autopatch Service Engineering Team will contact these individuals for assistance with troubleshooting issues.
+> Make sure you've [added and verified your admin contacts](../deploy/windows-autopatch-admin-contacts.md). The Windows Autopatch Service Engineering Team will contact these individuals for assistance with remediating issues.
You can submit support tickets to Microsoft using the Windows Autopatch admin center. Email is the recommended approach to interact with the Windows Autopatch Service Engineering Team.
@@ -23,6 +23,15 @@ You can submit support tickets to Microsoft using the Windows Autopatch admin ce
Support requests are triaged and responded to as they're received.
+**To submit a new support request:**
+
+1. Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant administration** menu.
+1. In the **Windows Autopatch** section, select **Support requests**.
+1. In the **Support requests** section, select **+ New support request**.
+1. Enter your question(s) and/or a description of the problem.
+1. Review all the information you provided for accuracy.
+1. When you're ready, select **Create**.
+
### Premier and Unified support options
If you have a **Premier** or **Unified** support contract, when you submit a new request, or edit an active support request, you can:
@@ -40,15 +49,6 @@ Depending on your support contract, the following severity options are available
| Premier | Severity A, B or C |
| Unified | Critical or non-critical |
-**To submit a new support request:**
-
-1. Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant administration** menu.
-1. In the **Windows Autopatch** section, select **Support requests**.
-1. In the **Support requests** section, select **+ New support request**.
-1. Enter your question(s) and/or a description of the problem.
-1. Review all the information you provided for accuracy.
-1. When you're ready, select **Create**.
-
## Manage an active support request
The primary contact for the support request will receive email notifications when a case is created, assigned to a service engineer to investigate, and mitigated. If, at any point, you have a question about the case, the best way to get in touch is to reply directly to one of those emails. If we have questions about your request or need more details, we'll email the primary contact listed on the support requests.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md
index 549d7d5bba..81dd91dbd5 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md
@@ -20,8 +20,8 @@ Keeping your devices up to date is a balance of speed and stability. Windows Aut
| Software update workload | Description |
| ----- | ----- |
-| Windows quality update | Windows Autopatch uses four update rings to manage Windows quality updates. For more detailed information, see [Windows quality updates](../operate/windows-autopatch-wqu-overview.md). |
-| Windows feature update | Windows Autopatch uses four update rings to manage Windows feature updates. For more detailed information, see [Windows feature updates](windows-autopatch-fu-overview.md).
+| Windows quality update | Windows Autopatch uses four deployment rings to manage Windows quality updates. For more detailed information, see [Windows quality updates](../operate/windows-autopatch-wqu-overview.md). |
+| Windows feature update | Windows Autopatch uses four deployment rings to manage Windows feature updates. For more detailed information, see [Windows feature updates](windows-autopatch-fu-overview.md).
| Anti-virus definition | Updated with each scan. |
| Microsoft 365 Apps for enterprise | For more information, see [Microsoft 365 Apps for enterprise](windows-autopatch-microsoft-365-apps-enterprise.md). |
| Microsoft Edge | For more information, see [Microsoft Edge](../operate/windows-autopatch-edge.md). |
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md
index 2dbf3db0a5..fcf007a516 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md
@@ -48,7 +48,7 @@ To release updates to devices in a gradual manner, Windows Autopatch deploys a s
> [!IMPORTANT]
> Deploying deferral, deadline, or grace period policies which conflict with Autopatch's policies will cause a device to be considered ineligible for management, it will still receive policies from Windows Autopatch that are not in conflict, but may not function as designed. These devices will be marked as ineligible in our device reporting and will not count towards our [service level objective](#service-level-objective).
-Windows Autopatch configures these policies differently across update rings to gradually release the update to devices in your estate. Devices in the Test ring receive changes first and devices in the Broad ring receive changes last. For more information, see [Windows Autopatch deployment rings](../operate/windows-autopatch-update-management.md#windows-autopatch-deployment-rings).
+Windows Autopatch configures these policies differently across deployment rings to gradually release the update to devices in your estate. Devices in the Test ring receive changes first and devices in the Broad ring receive changes last. For more information, see [Windows Autopatch deployment rings](../operate/windows-autopatch-update-management.md#windows-autopatch-deployment-rings).
:::image type="content" source="../media/release-process-timeline.png" alt-text="Release process timeline" lightbox="../media/release-process-timeline.png":::
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
index fdb9b1f891..e51bf1f82a 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
@@ -81,8 +81,8 @@ sections:
questions:
- question: What systems does Windows Autopatch update?
answer: |
- - Windows 10/11 quality updates: Windows Autopatch manages all aspects of update rings.
- - Windows 10/11 feature updates: Windows Autopatch manages all aspects of update rings.
+ - Windows 10/11 quality updates: Windows Autopatch manages all aspects of deployment rings.
+ - Windows 10/11 feature updates: Windows Autopatch manages all aspects of deployment rings.
- Microsoft 365 Apps for enterprise updates: All devices registered for Windows Autopatch will receive updates from the Monthly Enterprise Channel.
- Microsoft Edge: Windows Autopatch configures eligible devices to benefit from Microsoft Edge's progressive rollouts on the Stable channel and will provide support for issues with Microsoft Edge updates.
- Microsoft Teams: Windows Autopatch allows eligible devices to benefit from the standard automatic update channels and will provide support for issues with Teams updates.
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
index 88cdfa1b6b..8ed02530ce 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
@@ -27,7 +27,7 @@ Rather than maintaining complex digital infrastructure, businesses want to focus
- **Optimize your IT admin resources**: By automating routine endpoint updates, IT pros have more time to create value.
- **On-premises infrastructure**: Transitioning to the world of software as a service (SaaS) allows you to minimize your investment in on-premises hardware since updates are delivered from the cloud.
- **Onboard new services**: Windows Autopatch is scoped to make it easy to enroll and minimizes the time investment from your IT Admins to get started.
-- **Minimize end user disruption**: By releasing in sequential update rings, and responding to reliability and compatibility signals, user disruptions due to updates are minimized.
+- **Minimize end user disruption**: By releasing in sequential deployment rings, and responding to reliability and compatibility signals, user disruptions due to updates are minimized.
Windows Autopatch helps you minimize the involvement of your scarce IT resources in the planning and deployment of updates for Windows, Microsoft 365 Apps, Microsoft Edge or Teams. By crafting careful rollout sequences and communicating with you throughout the release, your IT Admins can focus on other activities and tasks.
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md
index 2dfa7a8912..b091a73a97 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md
@@ -51,7 +51,7 @@ The following are the Microsoft Intune settings:
| Check | Description |
| ----- | ----- |
-| Update rings for Windows 10 or later | Verifies that Intune's Update rings for Windows 10 or later policy doesn't target all users or all devices. Policies of this type shouldn't target any Windows Autopatch devices. For more information, see [Configure update rings for Windows 10 and later in Intune](/mem/intune/protect/windows-10-update-rings). |
+| Deployment rings for Windows 10 or later | Verifies that Intune's deployment rings for Windows 10 or later policy doesn't target all users or all devices. Policies of this type shouldn't target any Windows Autopatch devices. For more information, see [Configure deployment rings for Windows 10 and later in Intune](/mem/intune/protect/windows-10-update-rings). |
| Unlicensed admin | Verifies that this setting is enabled to avoid a "lack of permissions" error when we interact with your Azure Active Directory (AD) organization. For more information, see [Unlicensed admins in Microsoft Intune](/mem/intune/fundamentals/unlicensed-admins). |
### Azure Active Directory settings
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md
new file mode 100644
index 0000000000..c36be7a98b
--- /dev/null
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md
@@ -0,0 +1,40 @@
+---
+title: Submit a tenant enrollment support request
+description: This article details how to submit a tenant enrollment support request
+ms.date: 01/13/2023
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+msreviewer: hathind
+---
+
+# Submit a tenant enrollment support request
+
+If you need more assistance with tenant enrollment, you can submit support requests to the Windows Autopatch Service Engineering Team in the Windows Autopatch enrollment tool. Email is the recommended approach to interact with the Windows Autopatch Service Engineering Team.
+
+> [!NOTE]
+> After you've successfully enrolled your tenant, this feature will no longer be accessible. You must [submit a support request through the Tenant administration menu](../operate/windows-autopatch-support-request.md).
+
+**To submit a new tenant enrollment support request:**
+
+1. Go to Management settings > View details > select a **readiness check result**. The **Contact Support** button will be available below remediation instructions in the fly-in-pane.
+2. Enter your question(s) and/or a description of the issue.
+3. Enter your primary contact information. Windows Autopatch will work directly with the contact listed to resolve the support request.
+4. Review all the information for accuracy.
+5. Select **Create**.
+
+## Manage an active tenant enrollment support request
+
+The primary contact for the support request will receive email notifications when a case is created, assigned to a service engineer to investigate, and mitigated.
+
+If you have a question about the case, the best way to get in touch is to reply directly to one of the emails. If we have questions about your request or need more details, we'll email the primary contact listed in the support request.
+
+**To view all your active tenant enrollment support requests:**
+
+1. Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant Administration** menu.
+1. In the **Windows Autopatch** section, select **Tenant Enrollment**.
+1. Select the **Support history** tab. You can view the list of all support cases, or select an individual case to view the details.
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
index ee145b6390..8e9d0f1a63 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
@@ -1,6 +1,6 @@
---
title: Fix issues found by the Readiness assessment tool
-description: This article details how to fix issues found by the Readiness assessment tool
+description: This article details how to fix issues found by the Readiness assessment tool.
ms.date: 01/12/2023
ms.prod: windows-client
ms.technology: itpro-updates
@@ -17,7 +17,7 @@ msreviewer: hathind
Seeing issues with your tenant? This article details how to remediate issues found with your tenant.
> [!NOTE]
-> If you need more assistance with tenant enrollment, you can [submit a tenant enrollment support request](#submit-a-tenant-enrollment-support-request).
+> If you need more assistance with tenant enrollment, you can [submit a tenant enrollment support request](../prepare/windows-autopatch-enrollment-support-request.md).
## Check results
@@ -45,9 +45,9 @@ This setting must be turned on to avoid a "lack of permissions" error when we in
| ----- | ----- |
| Not ready | Allow access to unlicensed admins should be turned on. Without this setting enabled, errors can occur when we try to access your Azure AD organization for service. You can safely enable this setting without worrying about security implications. The scope of access is defined by the roles assigned to users, including our operations staff.
For more information, see [Unlicensed admins](/mem/intune/fundamentals/unlicensed-admins). |
-### Update rings for Windows 10 or later
+### Deployment rings for Windows 10 or later
-Your "Windows 10 update ring" policy in Intune must not target any Windows Autopatch devices.
+Your "Windows 10 deployment ring" policy in Intune must not target any Windows Autopatch devices.
| Result | Meaning |
| ----- | ----- |
@@ -73,29 +73,3 @@ Windows Autopatch requires the following licenses:
| Result | Meaning |
| ----- | ----- |
| Not ready | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Azure Active Directory Premium, and Microsoft Intune are required. For more information, see [more about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). |
-
-## Submit a tenant enrollment support request
-
-> [!IMPORTANT]
-> Make sure you've [added and verified your admin contacts](../deploy/windows-autopatch-admin-contacts.md). The Windows Autopatch Service Engineering Team will contact these individuals for assistance with troubleshooting issues.
-
-If you need more assistance with tenant enrollment, you can submit support requests to the Windows Autopatch Service Engineering Team in the Windows Autopatch enrollment tool. Email is the recommended approach to interact with the Windows Autopatch Service Engineering Team.
-
-**To submit a new tenant enrollment support request:**
-
-1. If the Readiness assessment tool fails, remediation steps can be found by selecting **View details** under **Management settings** and then selecting the individual checkbox. The **Contact Support** button will be available below remediation instructions in the fly-in-pane.
-2. Enter your question(s) and/or a description of the problem.
-3. Review all the information you provided for accuracy.
-4. When you're ready, select **Create**.
-
-### Manage an active tenant enrollment support request
-
-The primary contact for the support request will receive email notifications when a case is created, assigned to a service engineer to investigate, and mitigated.
-
-If you have a question about the case, the best way to get in touch is to reply directly to one of the emails. If we have questions about your request or need more details, we'll email the primary contact listed in the support request.
-
-**To view all your active tenant enrollment support requests:**
-
-1. Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant Administration** menu.
-1. In the **Windows Autopatch** section, select **Tenant Enrollment**.
-1. Select the **Support history** tab. You can view the list of all support cases, or select an individual case to view the details.
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
index ce916ff862..10fa706030 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
@@ -64,7 +64,7 @@ Windows Autopatch will create Azure Active Directory groups that are required to
| Windows Autopatch - Data Collection | Allows diagnostic data from this device to be processed by Microsoft Managed Desktop and Telemetry settings for Windows devices.
Assigned to:
Modern Workplace Devices-Windows Autopatch-Test
Modern Workplace Devices-Windows Autopatch-First
Modern Workplace Devices-Windows Autopatch-Fast
Modern Workplace Devices-Windows Autopatch-Broad
|
[Configure Telemetry Opt In Change Notification](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinchangenotification)
[Configure Telemetry Opt In Settings Ux](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux)
[Limit Enhanced Diagnostic Data Windows Analytics](/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics)
|
| Windows Autopatch - Windows Update Detection Frequency | Sets Windows update detection frequency
Assigned to:
Modern Workplace Devices-Windows Autopatch-Test
Modern Workplace Devices-Windows Autopatch-First
Modern Workplace Devices-Windows Autopatch-Fast
Modern Workplace Devices-Windows Autopatch-Broad
| [./Vendor/MSFT/Policy/Config/Update/DetectionFrequency](/windows/client-management/mdm/policy-csp-update#update-detectionfrequency)| 4 |
-## Update rings for Windows 10 and later
+## Deployment rings for Windows 10 and later
- Modern Workplace Update Policy [Test]-[Windows Autopatch]
- Modern Workplace Update Policy [First]-[Windows Autopatch]
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md b/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md
index 06470b36ca..60f5f47988 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md
@@ -51,7 +51,7 @@ Windows Autopatch Service Engineering Team is in the United States, India and Ro
## Microsoft Windows 10/11 diagnostic data
-Windows Autopatch uses [Windows 10/11 Enhanced diagnostic data](/windows/privacy/windows-diagnostic-data) to keep Windows secure, up to date, troubleshoot problems, and make product improvements.
+Windows Autopatch uses [Windows 10/11 Enhanced diagnostic data](/windows/privacy/windows-diagnostic-data) to keep Windows secure, up to date, fix problems, and make product improvements.
The enhanced diagnostic data setting includes more detailed information about the devices enrolled in Windows Autopatch and their settings, capabilities, and device health. When enhanced diagnostic data is selected, data, including required diagnostic data, are collected. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection) about the Windows 10 diagnostic data setting and data collection.
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-wqu-unsupported-policies.md b/windows/deployment/windows-autopatch/references/windows-autopatch-wqu-unsupported-policies.md
index 1c19a4bac4..09842260a5 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-wqu-unsupported-policies.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-wqu-unsupported-policies.md
@@ -14,7 +14,7 @@ msreviewer: adnich
# Windows update policies
-## Update rings for Windows 10 and later
+## Deployment rings for Windows 10 and later
The following policies contain settings which apply to both Windows quality and feature updates. After onboarding there will be four of these policies in your tenant with the following naming convention:
@@ -36,7 +36,7 @@ The following policies contain settings which apply to both Windows quality and
| Setting name | Test | First | Fast | Broad |
| ----- | ----- | ----- | ----- | ----- |
-| Automatic update behaviour | Reset to default | Reset to default | Reset to default | Reset to default |
+| Automatic update behavior | Reset to default | Reset to default | Reset to default | Reset to default |
| Restart checks | Allow | Allow | Allow | Allow |
| Option to pause updates | Disable | Disable | Disable | Disable |
| Option to check for Windows updates | Default | Default | Default | Default |
diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
index f8aadf763a..bb56fa10e7 100644
--- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
+++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
@@ -24,7 +24,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
| Article | Description |
| ----- | ----- |
-| [Fix issues found by the Readiness assessment tool](../prepare/windows-autopatch-fix-issues.md) | Added the Submit a tenant enrollment support request section. You can submit a tenant enrollment support request through the Tenant enrollment tool if you're running into issues with enrollment. |
+| [Submit a tenant enrollment support request](../prepare/windows-autopatch-enrollment-support-request.md) | Added the Submit a tenant enrollment support request section. You can submit a tenant enrollment support request through the Tenant enrollment tool if you're running into issues with enrollment. |
| [Submit a support request](../operate/windows-autopatch-support-request.md) | Added Premier and Unified support options section |
### January service release
diff --git a/windows/media/phase-diagrams/deployment-phases.png b/windows/media/phase-diagrams/deployment-phases.png
deleted file mode 100644
index 4d2a4fa946..0000000000
Binary files a/windows/media/phase-diagrams/deployment-phases.png and /dev/null differ
diff --git a/windows/media/phase-diagrams/migration-phases.png b/windows/media/phase-diagrams/migration-phases.png
deleted file mode 100644
index d502450fba..0000000000
Binary files a/windows/media/phase-diagrams/migration-phases.png and /dev/null differ
diff --git a/windows/media/phase-diagrams/onboard.png b/windows/media/phase-diagrams/onboard.png
deleted file mode 100644
index b6a29de3bf..0000000000
Binary files a/windows/media/phase-diagrams/onboard.png and /dev/null differ
diff --git a/windows/media/phase-diagrams/prepare.png b/windows/media/phase-diagrams/prepare.png
deleted file mode 100644
index 1001e41e0d..0000000000
Binary files a/windows/media/phase-diagrams/prepare.png and /dev/null differ
diff --git a/windows/media/phase-diagrams/setup.png b/windows/media/phase-diagrams/setup.png
deleted file mode 100644
index 1635785046..0000000000
Binary files a/windows/media/phase-diagrams/setup.png and /dev/null differ
diff --git a/windows/security/information-protection/encrypted-hard-drive.md b/windows/security/information-protection/encrypted-hard-drive.md
index 82af1b7c01..4523cd4552 100644
--- a/windows/security/information-protection/encrypted-hard-drive.md
+++ b/windows/security/information-protection/encrypted-hard-drive.md
@@ -99,7 +99,7 @@ The AK is the key used to unlock data on the drive. A hash of the key is stored
When a computer with an encrypted hard drive is in a powered-off state, the drive locks automatically. As a computer powers on, the device remains in a locked state and is only unlocked after the AK decrypts the DEK. Once the AK decrypts the DEK, read-write operations can take place on the device.
-When writing data to the drive, it passes through an encryption engine before the write operation completes. Likewise, reading data from the drive requires the encryption engine to decrypt the data before passing that data back to the user. If the DEK needs to be changed or erased, the data on the drive doesn't need to be re-encrypted. A new Authentication Key needs to be created and it will re-encrypt the DEK. Once completed, the DEK can now be unlocked using the new AK, and read-writes to the volume can continue.
+When writing data to the drive, it passes through an encryption engine before the write operation completes. Likewise, reading data from the drive requires the encryption engine to decrypt the data before passing that data back to the user. If the AK needs to be changed or erased, the data on the drive doesn't need to be re-encrypted. A new Authentication Key needs to be created and it will re-encrypt the DEK. Once completed, the DEK can now be unlocked using the new AK, and read-writes to the volume can continue.
## Reconfiguring encrypted hard drives
diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
index bf8fa457c5..003104ce73 100644
--- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
@@ -285,9 +285,9 @@ Value | Description
This field lists the computer name. All valid values for computer name.
-Another method to determine the available and enabled Windows Defender Device Guard features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the Windows Defender Device Guard properties are displayed at the bottom of the **System Summary** section.
+Another method to determine the available and enabled virtualization-based security features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the virtualization-based security features are displayed at the bottom of the **System Summary** section.
-:::image type="content" alt-text="Windows Defender Device Guard properties in the System Summary." source="../images/dg-fig11-dgproperties.png" lightbox="../images/dg-fig11-dgproperties.png":::
+:::image type="content" alt-text="Virtualization-based security features in the System Summary of System Information." source="images/system-information-virtualization-based-security.png" lightbox="images/system-information-virtualization-based-security.png":::
## Troubleshooting
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig11-dgproperties.png b/windows/security/threat-protection/device-guard/images/dg-fig11-dgproperties.png
deleted file mode 100644
index 3c93b2b948..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig11-dgproperties.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/system-information-virtualization-based-security.png b/windows/security/threat-protection/device-guard/images/system-information-virtualization-based-security.png
new file mode 100644
index 0000000000..d865fc1715
Binary files /dev/null and b/windows/security/threat-protection/device-guard/images/system-information-virtualization-based-security.png differ
diff --git a/windows/security/threat-protection/images/dg-fig11-dgproperties.png b/windows/security/threat-protection/images/dg-fig11-dgproperties.png
deleted file mode 100644
index 3c93b2b948..0000000000
Binary files a/windows/security/threat-protection/images/dg-fig11-dgproperties.png and /dev/null differ
diff --git a/windows/security/threat-protection/security-policy-settings/TOC.yml b/windows/security/threat-protection/security-policy-settings/TOC.yml
index 1ddc477ef1..1e4b1fa586 100644
--- a/windows/security/threat-protection/security-policy-settings/TOC.yml
+++ b/windows/security/threat-protection/security-policy-settings/TOC.yml
@@ -136,10 +136,6 @@
href: interactive-logon-smart-card-removal-behavior.md
- name: "Microsoft network client: Digitally sign communications (always)"
href: microsoft-network-client-digitally-sign-communications-always.md
- - name: "SMBv1 Microsoft network client: Digitally sign communications (always)"
- href: smbv1-microsoft-network-client-digitally-sign-communications-always.md
- - name: "SMBv1 Microsoft network client: Digitally sign communications (if server agrees)"
- href: smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md
- name: "Microsoft network client: Send unencrypted password to third-party SMB servers"
href: microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md
- name: "Microsoft network server: Amount of idle time required before suspending session"
@@ -148,10 +144,6 @@
href: microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md
- name: "Microsoft network server: Digitally sign communications (always)"
href: microsoft-network-server-digitally-sign-communications-always.md
- - name: "SMBv1 Microsoft network server: Digitally sign communications (always)"
- href: smbv1-microsoft-network-server-digitally-sign-communications-always.md
- - name: "SMBv1 Microsoft network server: Digitally sign communications (if client agrees)"
- href: smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md
- name: "Microsoft network server: Disconnect clients when logon hours expire"
href: microsoft-network-server-disconnect-clients-when-logon-hours-expire.md
- name: "Microsoft network server: Server SPN target name validation level"
diff --git a/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md b/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md
index 1c67b647de..5ac230e0ed 100644
--- a/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md
+++ b/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Access Credential Manager as a trusted caller
**Applies to**
+- Windows 11
- Windows 10
This article describes the recommended practices, location, values, policy management, and security considerations for the **Access Credential Manager as a trusted caller** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md b/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md
index ea4406b6f7..7f643514fc 100644
--- a/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md
+++ b/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md
@@ -20,7 +20,12 @@ ms.technology: itpro-security
# Access this computer from the network - security policy setting
**Applies to**
-- Windows 10, Azure Stack HCI, Windows Server 2022, Windows Server 2019, Windows Server 2016
+- Windows 11
+- Windows 10
+- Windows Server 2022
+- Windows Server 2019
+- Windows Server 2016
+- Azure Stack HCI
Describes the best practices, location, values, policy management, and security considerations for the **Access this computer from the network** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md b/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md
index c36f75e923..5c6402aa17 100644
--- a/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md
+++ b/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md
@@ -20,7 +20,8 @@ ms.technology: itpro-security
# Act as part of the operating system
**Applies to**
-- Windows 10
+- Windows 11
+- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Act as part of the operating system** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md b/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md
index 6c558c83f7..139d15f4ec 100644
--- a/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md
+++ b/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md
@@ -1,17 +1,12 @@
---
-title: Add workstations to domain (Windows 10)
+title: Add workstations to domain
description: Describes the best practices, location, values, policy management and security considerations for the Add workstations to domain security policy setting.
-ms.assetid: b0c21af4-c928-4344-b1f1-58ef162ad0b3
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 04/19/2017
ms.technology: itpro-security
@@ -20,7 +15,7 @@ ms.technology: itpro-security
# Add workstations to domain
**Applies to**
-- Windows 10
+- Windows Server
Describes the best practices, location, values, policy management and security considerations for the **Add workstations to domain** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md b/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md
index 622ad26f5c..af89003808 100644
--- a/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md
+++ b/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Adjust memory quotas for a process
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Adjust memory quotas for a process** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md b/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md
index 6e252f1e14..475bd01f46 100644
--- a/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md
+++ b/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Allow log on locally - security policy setting
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Allow log on locally** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md b/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md
index 6b074f6cb3..fd5a84fe03 100644
--- a/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md
+++ b/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Allow log on through Remote Desktop Services
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Allow log on through Remote Desktop Services** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md b/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md
index 40d62fb154..99590d638b 100644
--- a/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md
+++ b/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Back up files and directories - security policy setting
**Applies to**
+- Windows 11
- Windows 10
This article describes the recommended practices, location, values, policy management, and security considerations for the **Back up files and directories** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md b/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md
index bd274babde..ccdce7a3f5 100644
--- a/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md
+++ b/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Bypass traverse checking
**Applies to**
+- Windows 11
- Windows 10
>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare).
diff --git a/windows/security/threat-protection/security-policy-settings/change-the-system-time.md b/windows/security/threat-protection/security-policy-settings/change-the-system-time.md
index 3958ae9bed..02cbb94d06 100644
--- a/windows/security/threat-protection/security-policy-settings/change-the-system-time.md
+++ b/windows/security/threat-protection/security-policy-settings/change-the-system-time.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Change the system time - security policy setting
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Change the system time** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/change-the-time-zone.md b/windows/security/threat-protection/security-policy-settings/change-the-time-zone.md
index 0f18fbe6a0..d8dfd97662 100644
--- a/windows/security/threat-protection/security-policy-settings/change-the-time-zone.md
+++ b/windows/security/threat-protection/security-policy-settings/change-the-time-zone.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Change the time zone - security policy setting
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Change the time zone** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md b/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md
index 68753e633a..a5438297fd 100644
--- a/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md
+++ b/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Create a pagefile - security policy setting
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Create a pagefile** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/create-a-token-object.md b/windows/security/threat-protection/security-policy-settings/create-a-token-object.md
index 397456fc85..727912a7ca 100644
--- a/windows/security/threat-protection/security-policy-settings/create-a-token-object.md
+++ b/windows/security/threat-protection/security-policy-settings/create-a-token-object.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Create a token object
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Create a token object** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/create-global-objects.md b/windows/security/threat-protection/security-policy-settings/create-global-objects.md
index bd8b943798..f6be4d3ed7 100644
--- a/windows/security/threat-protection/security-policy-settings/create-global-objects.md
+++ b/windows/security/threat-protection/security-policy-settings/create-global-objects.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Create global objects
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Create global objects** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md b/windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md
index dd58539e88..38fb6346f9 100644
--- a/windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md
+++ b/windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Create permanent shared objects
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Create permanent shared objects** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md b/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md
index 5ea5c36a0c..82c3f5ffc9 100644
--- a/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md
+++ b/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Create symbolic links
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Create symbolic links** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/debug-programs.md b/windows/security/threat-protection/security-policy-settings/debug-programs.md
index c97a34004a..7b72217ab7 100644
--- a/windows/security/threat-protection/security-policy-settings/debug-programs.md
+++ b/windows/security/threat-protection/security-policy-settings/debug-programs.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Debug programs
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Debug programs** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md b/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md
index 9d51332226..9dc9bb9d38 100644
--- a/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md
+++ b/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md
@@ -20,7 +20,8 @@ ms.technology: itpro-security
# Deny access to this computer from the network
**Applies to**
-- Windows 10
+- Windows 11
+- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Deny access to this computer from the network** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md
index 26257d7869..d832f6a8ba 100644
--- a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md
+++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Deny log on as a batch job
**Applies to**
+- Windows 11
- Windows 10
This article describes the recommended practices, location, values, policy management, and security considerations for the **Deny log on as a batch job** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md
index 943ab1c47e..22b448bed6 100644
--- a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md
+++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Deny log on as a service
**Applies to**
+- Windows 11
- Windows 10
This article describes the recommended practices, location, values, policy management, and security considerations for the **Deny log on as a service** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md
index 66c2308100..1ef7bc4a08 100644
--- a/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md
+++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Deny log on locally
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Deny log on locally** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md
index ad977d3239..2bc5898d13 100644
--- a/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md
+++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Deny log on through Remote Desktop Services
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Deny log on through Remote Desktop Services** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md b/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md
index 67c1a1fd26..28361156ef 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md
@@ -1,17 +1,12 @@
---
-title: Domain controller Allow server operators to schedule tasks (Windows 10)
+title: Domain controller Allow server operators to schedule tasks
description: Describes the best practices, location, values, and security considerations for the Domain controller Allow server operators to schedule tasks security policy setting.
-ms.assetid: 198b12a4-8a5d-48e8-a752-2073b8a2cb0d
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 04/19/2017
ms.technology: itpro-security
@@ -20,7 +15,7 @@ ms.technology: itpro-security
# Domain controller: Allow server operators to schedule tasks
**Applies to**
-- Windows 10
+- Windows Server
Describes the best practices, location, values, and security considerations for the **Domain controller: Allow server operators to schedule tasks** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md
index cc42ccd096..39803ce695 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md
@@ -1,17 +1,12 @@
---
-title: Domain controller LDAP server signing requirements (Windows 10)
+title: Domain controller LDAP server signing requirements
description: Describes the best practices, location, values, and security considerations for the Domain controller LDAP server signing requirements security policy setting.
-ms.assetid: fe122179-7571-465b-98d0-b8ce0f224390
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 04/19/2017
ms.technology: itpro-security
@@ -20,7 +15,7 @@ ms.technology: itpro-security
# Domain controller: LDAP server signing requirements
**Applies to**
-- Windows 10
+- Windows Server
This article describes the best practices, location, values, and security considerations for the **Domain controller: LDAP server signing requirements** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md b/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md
index df6db377b5..63d863c555 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md
@@ -1,17 +1,12 @@
---
-title: Refuse machine account password changes policy (Windows 10)
+title: Refuse machine account password changes policy
description: Describes the best practices, location, values, and security considerations for the Domain controller Refuse machine account password changes security policy setting.
-ms.assetid: 5a7fa2e2-e1a8-4833-90f7-aa83e3b456a9
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.technology: itpro-security
ms.date: 12/31/2017
@@ -20,7 +15,7 @@ ms.date: 12/31/2017
# Domain controller: Refuse machine account password changes
**Applies to**
-- Windows 10
+- Windows Server
Describes the best practices, location, values, and security considerations for the **Domain controller: Refuse machine account password changes** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md b/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md
index e1bc8ef4b9..6c8e9a5f36 100644
--- a/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md
+++ b/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Enable computer and user accounts to be trusted for delegation
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Enable computer and user accounts to be trusted for delegation** security policy setting.
@@ -108,4 +109,4 @@ None. Not defined is the default configuration.
## Related topics
-- [User Rights Assignment](user-rights-assignment.md)
\ No newline at end of file
+- [User Rights Assignment](user-rights-assignment.md)
diff --git a/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md b/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md
index 47d87b0cef..8b13dfac68 100644
--- a/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md
+++ b/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Force shutdown from a remote system
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Force shutdown from a remote system** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/generate-security-audits.md b/windows/security/threat-protection/security-policy-settings/generate-security-audits.md
index be5d5caebf..ed57ea1a97 100644
--- a/windows/security/threat-protection/security-policy-settings/generate-security-audits.md
+++ b/windows/security/threat-protection/security-policy-settings/generate-security-audits.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Generate security audits
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Generate security audits** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md b/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md
index c4a613a542..e2a1861c80 100644
--- a/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md
+++ b/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Impersonate a client after authentication
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Impersonate a client after authentication** security policy setting.
@@ -109,4 +110,4 @@ In IIS 7.0 and later, a built-in account (IUSR) replaces the IUSR_MachineName ac
## Related topics
-- [User Rights Assignment](user-rights-assignment.md)
\ No newline at end of file
+- [User Rights Assignment](user-rights-assignment.md)
diff --git a/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md b/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md
index 3c54eb33ec..0f79c38991 100644
--- a/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md
+++ b/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Increase a process working set
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Increase a process working set** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md b/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md
index 2c2e0bb890..5446601279 100644
--- a/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md
+++ b/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Increase scheduling priority
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Increase scheduling priority** security policy setting.
@@ -89,4 +90,4 @@ None. Restricting the **Increase scheduling priority** user right to members of
## Related topics
- [User Rights Assignment](user-rights-assignment.md)
-- [Increase scheduling priority for Windows Server 2012 and earlier](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn221960(v%3dws.11))
\ No newline at end of file
+- [Increase scheduling priority for Windows Server 2012 and earlier](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn221960(v%3dws.11))
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md
index 32b2a60b44..c4c432757d 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md
@@ -1,47 +1,44 @@
---
-title: Interactive logon Require smart card - security policy setting (Windows 10)
-description: Describes the best practices, location, values, policy management, and security considerations for the Interactive logon Require smart card security policy setting.
-ms.assetid: c6a8c040-cbc7-472d-8bc5-579ddf3cbd6c
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
+title: "Interactive logon: Require Windows Hello for Business or smart card"
+description: "Describes the best practices, location, values, policy management, and security considerations for the 'Interactive logon: Require Windows Hello for Business or smart card' security policy setting."
author: vinaypamnani-msft
+ms.author: vinpa
manager: aaroncz
-audience: ITPro
-ms.topic: conceptual
-ms.date: 04/19/2017
+ms.reviewer:
+ms.prod: windows-client
ms.technology: itpro-security
+ms.localizationpriority: medium
+ms.topic: conceptual
+ms.date: 01/13/2023
---
-# Interactive logon: Require smart card - security policy setting
+# Interactive logon: Require Windows Hello for Business or smart card
**Applies to**
-- Windows 10
-Describes the best practices, location, values, policy management, and security considerations for the **Interactive logon: Require smart card** security policy setting.
+- Windows 11
+- Windows 10, version 1703 or later
+
+Describes the best practices, location, values, policy management, and security considerations for the **Interactive logon: Require Windows Hello for Business or smart card** security policy setting.
> [!NOTE]
-> You may need to download the ADMX template for your version of Windows to enable this policy to be applied.
+> You may need to download the ADMX template for your version of Windows to apply this policy.
## Reference
-The **Interactive logon: Require smart card** policy setting requires users to log on to a device by using a smart card.
+The **Interactive logon: Require Windows Hello for Business or smart card** policy setting requires users to sign in to a device by using a smart card or Windows Hello for Business method.
-Requiring users to use long, complex passwords for authentication enhances network security, especially if the users must change their passwords regularly. This requirement reduces the chance that a malicious user will be able to guess a user's password through a brute-force attack. Using smart cards rather than passwords for authentication dramatically increases security because, with today's technology, it is nearly impossible for a malicious user to impersonate another user. Smart cards that require personal identification numbers (PINs) provide two-factor authentication: the user who attempts to log on must possess the smart card and know its PIN. A malicious user who captures the authentication traffic between the user's device and the domain controller will find it difficult to decrypt the traffic: even if they do, the next time the user logs on to the network, a new session key will be generated for encrypting traffic between the user and the domain controller.
+Requiring users to use long, complex passwords for authentication enhances network security, especially if the users must change their passwords regularly. This requirement reduces the chance that a malicious user will be able to guess a user's password through a brute-force attack. Using smart cards rather than passwords for authentication dramatically increases security because, with today's technology, it's nearly impossible for a malicious user to impersonate another user. Smart cards that require personal identification numbers (PINs) provide two-factor authentication: the user who attempts to sign in must possess the smart card and know its PIN. A malicious user who captures the authentication traffic between the user's device and the domain controller will find it difficult to decrypt the traffic: even if they do, the next time the user signs in to the network, a new session key will be generated for encrypting traffic between the user and the domain controller.
### Possible values
-- Enabled
-- Disabled
-- Not defined
+- Enabled
+- Disabled
+- Not defined
### Best practices
-- Set **Interactive logon: Require smart card** to Enabled. All users will have to use smart cards to log on to the network. This requirement means that the organization must have a reliable public key infrastructure (PKI) in place, and provide smart cards and smart card readers for all users.
+- Set **Interactive logon: Require Windows Hello for Business or smart card** to Enabled. All users will have to use smart cards to sign in to the network, or a Windows Hello for Business method. This requirement means that the organization must have a reliable public key infrastructure (PKI) in place, and provide smart cards and smart card readers for all users. For more information about password-less authentication, see [Windows Hello for Business overview](../../identity-protection/hello-for-business/hello-overview.md).
### Location
@@ -49,32 +46,32 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
### Default values
-The following table lists the actual and effective default values for this policy, by server type or Group Policy Object (GPO). Default values are also listed on the policy's property page.
+The following table lists the actual and effective default values for this policy, by server type or group policy object (GPO). Default values are also listed on the policy's property page.
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
### Restart requirement
-None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
+None. Changes to this policy become effective without a device restart when they're saved locally or distributed through group policy.
### Policy conflict considerations
None.
-### Group Policy
+### Group policy
-This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through GPOs. If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in.
+This policy setting can be configured by using the group policy management console (GPMC) to be distributed through GPOs. If this policy isn't contained in a distributed GPO, this policy can be configured on the local computer by using the local security policy snap-in.
## Security considerations
@@ -86,13 +83,13 @@ It can be difficult to make users choose strong passwords, and even strong passw
### Countermeasure
-For users with access to computers that contain sensitive data, issue smart cards to users and configure the **Interactive logon: Require smart card** setting to Enabled.
+For users with access to computers that contain sensitive data, issue smart cards to users or configure Windows Hello for Business. Then configure the **Interactive logon: Require Windows Hello for Business or smart card** setting to Enabled.
-### Potential impact
+### Potential effect
-All users of a device with this setting enabled must use smart cards to log on locally. So the organization must have a reliable public key infrastructure (PKI) as well as smart cards and smart card readers for these users. These requirements are significant challenges because
-expertise and resources are required to plan for and deploy these technologies. Active Directory Certificate Services (AD CS) can be used to implement and manage certificates. You can use automatic user and device enrollment and renewal on the client.
+All users of a device with this setting enabled must use smart cards or a Windows Hello for Business method to sign in locally. The organization must have a reliable public key infrastructure (PKI), smart cards, and smart card readers for these users, or have enabled Windows Hello for Business. These requirements are significant challenges because expertise and resources are required to plan for and deploy these technologies. Active Directory Certificate Services can be used to implement and manage certificates. You can use automatic user and device enrollment and renewal on the client.
-## Related topics
+## Related articles
- [Security Options](security-options.md)
+- [Windows Hello for Business overview](../../identity-protection/hello-for-business/hello-overview.md)
diff --git a/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md b/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md
index 10425d576a..f0f4e5f932 100644
--- a/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md
+++ b/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Load and unload device drivers
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Load and unload device drivers** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md b/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md
index ab91674f23..d7510658e7 100644
--- a/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md
+++ b/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Lock pages in memory
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Lock pages in memory** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md b/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md
index c982a7ca78..bcdeda1852 100644
--- a/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md
+++ b/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md
@@ -22,6 +22,7 @@ ms.technology: itpro-security
# Log on as a batch job
**Applies to**
+- Windows 11
- Windows 10
This article describes the recommended practices, location, values, policy management, and security considerations for the **Log on as a batch job** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md b/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md
index 833a0d2eea..667a0885f7 100644
--- a/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md
+++ b/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Log on as a service
**Applies to**
+- Windows 11
- Windows 10
This article describes the recommended practices, location, values, policy management, and security considerations for the **Log on as a service** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md b/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md
index f19e322da5..0b62095cd7 100644
--- a/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md
+++ b/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Manage auditing and security log
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Manage auditing and security log** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md
index e446db45a1..e4f7c05351 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md
@@ -1,17 +1,13 @@
---
-title: Microsoft network client Digitally sign communications (always) (Windows 10)
+title: Microsoft network client Digitally sign communications (always)
description: Best practices and security considerations for the Microsoft network client Digitally sign communications (always) security policy setting.
-ms.assetid: 4b7b0298-b130-40f8-960d-60418ba85f76
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
-ms.date: 06/28/2018
+ms.date: 01/13/2023
ms.technology: itpro-security
ms.topic: conceptual
---
@@ -19,12 +15,26 @@ ms.topic: conceptual
# Microsoft network client: Digitally sign communications (always)
**Applies to**
-- Windows 11
-- Windows 10
-- Windows Server
+
+- Windows 11
+- Windows 10
+- Windows Server
This article describes the best practices, location, values, policy management, and security considerations for the **Microsoft network client: Digitally sign communications (always)** security policy setting for SMBv3 and SMBv2.
+> [!NOTE]
+> This article is about the server message block (SMB) v2 and v3 protocols. SMBv1 isn't secure and has been deprecated in Windows. Starting with Windows 10, version 1709, and Windows Server, version 1709, [SMBv1 isn't installed by default](/windows-server/storage/file-server/troubleshoot/smbv1-not-installed-by-default-in-windows).
+
+> [!IMPORTANT]
+> Microsoft doesn't recommend using the following group policy settings:
+>
+> - **Microsoft network server: Digitally sign communications (if client agrees)**
+> - **Microsoft network client: Digitally sign communications (if server agrees)**
+>
+> Also don't use the **EnableSecuritySignature** registry settings.
+>
+> These options only affect the SMBv1 behavior. They can be effectively replaced by the **Digitally sign communications (always)** group policy setting or the **RequireSecuritySignature** registry setting.
+
## Reference
The Server Message Block (SMB) protocol provides the basis for file and print sharing and many other networking operations, such as remote Windows administration. To prevent "man-in-the-middle" attacks that modify SMB packets in transit, the SMB protocol supports digital signing of SMB packets.
@@ -35,22 +45,21 @@ Beginning with SMBv2 clients and servers, signing can be either *required* or *n
Negotiation occurs between the SMB client and the SMB server to decide whether signing will be used. The following table shows the effective behavior for SMBv3 and SMBv2.
-
-| | Server – required | Server – not required |
+| Client | Server - required | Server - not required |
|---------------------------|---------------------|------------------------|
-| **Client – required** | Signed | Signed |
-| **Client – not required** | Signed 1 | Not signed2 |
+| **Client - required** | Signed | Signed |
+| **Client - not required** | Signed 1 | Not signed2 |
1 Default for domain controller SMB traffic
2 Default for all other SMB traffic
-Performance of SMB signing is improved in SMBv2. For more information, see [Potential impact](#potential-impact).
+Performance of SMB signing is improved in SMBv2. For more information, see [Potential effect](#potential-effect).
### Possible values
-- Enabled
-- Disabled
+- Enabled
+- Disabled
### Best practice
@@ -62,16 +71,16 @@ Enable **Microsoft network client: Digitally sign communications (always)**.
### Default values
-The following table lists the default values for this policy. Default values are also listed on the policy’s property page.
+The following table lists the default values for this policy. Default values are also listed on the policy's property page.
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Disabled|
-| Default Domain Controller Policy | Disabled|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
+| Default Domain Policy| Disabled|
+| Default Domain Controller Policy | Disabled|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
## Policy management
@@ -98,10 +107,11 @@ Enable **Microsoft network client: Digitally sign communications (always)**.
> [!NOTE]
> An alternative countermeasure that could protect all network traffic is to implement digital signatures through IPsec. There are hardware-based accelerators for IPsec encryption and signing that can be used to minimize the performance impact on servers. No such accelerators are available for SMB signing.
-### Potential impact
+### Potential effect
Storage speeds affect performance. A faster drive on the source and destination allows more throughput, which causes more CPU usage for signing. If you're using a 1-Gb Ethernet network or slower storage speed with a modern CPU, there's limited degradation in performance. If you're using a faster network (such as 10 Gb), the performance impact of signing may be greater.
-## Related topics
+## Related articles
- [Security options](security-options.md)
+- [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md)
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md
index 1162197765..131ca7ef0e 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md
@@ -21,6 +21,7 @@ ms.technology: itpro-security
# Microsoft network client: Send unencrypted password to third-party SMB servers
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Send unencrypted password to third-party SMB servers** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md
index b5f65848a6..9b4f9c1021 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Microsoft network server: Amount of idle time required before suspending session
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, and security considerations for the **Microsoft network server: Amount of idle time required before suspending session** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md
index 12c009ce89..18eb849aa7 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md
@@ -20,7 +20,8 @@ ms.technology: itpro-security
# Microsoft network server: Attempt S4U2Self to obtain claim information
**Applies to**
-- Windows 10
+- Windows 11
+- Windows 10
Describes the best practices, location, values, management, and security considerations for the **Microsoft network server: Attempt S4U2Self to obtain claim information** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md
index 3ef631a76e..4685a285de 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md
@@ -1,33 +1,43 @@
---
-title: Microsoft network server Digitally sign communications (always) (Windows 10)
+title: Microsoft network server Digitally sign communications (always)
description: Best practices, security considerations, and more for the security policy setting, Microsoft network server Digitally sign communications (always).
-ms.assetid: 2007b622-7bc2-44e8-9cf1-d34b62117ea8
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
author: vinaypamnani-msft
+ms.author: vinpa
+ms.reviewer:
manager: aaroncz
-audience: ITPro
-ms.topic: conceptual
-ms.date: 06/21/2018
+ms.prod: windows-client
ms.technology: itpro-security
+ms.localizationpriority: medium
+ms.topic: conceptual
+ms.date: 01/13/2023
---
# Microsoft network server: Digitally sign communications (always)
**Applies to**
-- Windows 10
-- Windows Server
+
+- Windows 11
+- Windows 10
+- Windows Server
Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (always)** security policy setting for SMBv3 and SMBv2.
+> [!NOTE]
+> This article is about the server message block (SMB) v2 and v3 protocols. SMBv1 isn't secure and has been deprecated in Windows. Starting with Windows 10, version 1709, and Windows Server, version 1709, [SMBv1 isn't installed by default](/windows-server/storage/file-server/troubleshoot/smbv1-not-installed-by-default-in-windows).
+
+> [!IMPORTANT]
+> Microsoft doesn't recommend using the following group policy settings:
+>
+> - **Microsoft network server: Digitally sign communications (if client agrees)**
+> - **Microsoft network client: Digitally sign communications (if server agrees)**
+>
+> Also don't use the **EnableSecuritySignature** registry settings.
+>
+> These options only affect the SMBv1 behavior. They can be effectively replaced by the **Digitally sign communications (always)** group policy setting or the **RequireSecuritySignature** registry setting.
+
## Reference
-The Server Message Block (SMB) protocol provides the basis for file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets.
+The Server Message Block (SMB) protocol provides the basis for file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets.
Implementation of digital signatures in high-security networks helps prevent the impersonation of client computers and servers, which is known as "session hijacking." But misuse of these policy settings can cause data access failure.
@@ -35,22 +45,21 @@ Beginning with SMBv2 clients and servers, signing can be either required or not
There's a negotiation done between the SMB client and the SMB server to decide whether signing will effectively be used. The following table has the effective behavior for SMBv3 and SMBv2.
-
-| | Server – Required | Server – Not Required |
+| Client | Server - Required | Server - Not Required |
|---------------------------|---------------------|------------------------|
-| **Client – Required** | Signed | Signed |
-| **Client – Not Required** | Signed 1 | Not Signed2 |
+| **Client - Required** | Signed | Signed |
+| **Client - Not Required** | Signed 1 | Not Signed2 |
1 Default for domain controller SMB traffic
2 Default for all other SMB traffic
-Performance of SMB signing is improved in SMBv2. For more information, see [Potential impact](#potential-impact).
+Performance of SMB signing is improved in SMBv2. For more information, see [Potential effect](#potential-effect).
### Possible values
-- Enabled
-- Disabled
+- Enabled
+- Disabled
### Best practices
@@ -58,20 +67,20 @@ Enable **Microsoft network server: Digitally sign communications (always)**.
### Location
-Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
+*Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options*
### Default values
-The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page.
+The following table lists the actual and effective default values for this policy. Default values are also listed on the policy's property page.
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy| Disabled|
-| Default Domain Controller Policy | Enabled|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings| Disabled|
-| Client Computer Effective Default Settings | Disabled|
+| Default Domain Controller Policy | Enabled|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings| Disabled|
+| Client Computer Effective Default Settings | Disabled|
## Policy management
@@ -95,13 +104,14 @@ SMB is the resource-sharing protocol that is supported by many Windows operating
Enable **Microsoft network server: Digitally sign communications (always)**.
->[!NOTE]
->An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing.
+> [!NOTE]
+> An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing.
-### Potential impact
+### Potential effect
Storage speeds impact performance. A faster drive on the source and destination allows more throughput, which causes more CPU usage of signing. If you're using a 1-GB Ethernet network or slower storage speed with a modern CPU, there's limited degradation in performance. If you're using a faster network (such as 10 Gb), the performance impact of signing may be greater.
-## Related topics
+## Related articles
- [Security Options](security-options.md)
+- [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md)
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md
index 9af04189fa..02f163e1c5 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Microsoft network server: Disconnect clients when sign-in hours expire
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, and security considerations for the **Microsoft network server: Disconnect clients when logon hours expire** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md
index e157b27f1e..21c41369f9 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Microsoft network server: Server SPN target name validation level
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, and values, policy management and security considerations for the **Microsoft network server: Server SPN target name validation level** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md b/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md
index 784db5fe09..f3d460e68c 100644
--- a/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md
+++ b/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Modify an object label
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Modify an object label** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md b/windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md
index 3f104ff095..ae4fa3457e 100644
--- a/windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md
+++ b/windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Modify firmware environment values
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Modify firmware environment values** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md b/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md
index c3103f7be5..af493fdd5f 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Network access: Allow anonymous SID/Name translation
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management and security considerations for the **Network access: Allow anonymous SID/Name translation** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md
index 36749adf40..5b7e0c66e6 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Network access: Do not allow anonymous enumeration of SAM accounts
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, and security considerations for the **Network access: Do not allow anonymous enumeration of SAM accounts** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md
index cd953a6928..a8ded6ea27 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Network access: Do not allow storage of passwords and credentials for network authentication
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management and security considerations for the **Network access: Do not allow storage of passwords and credentials for network authentication** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md b/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md
index d4297e81d7..3ae0bff29a 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Network access: Let Everyone permissions apply to anonymous users
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management and security considerations for the **Network access: Let Everyone permissions apply to anonymous users** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md b/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md
index beb39359bb..e570e96543 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Network access: Named Pipes that can be accessed anonymously
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management and security considerations for the **Network access: Named Pipes that can be accessed anonymously** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md
index cf9c3cea63..6bebdb7c99 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Network access: Remotely accessible registry paths and subpaths
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, and security considerations for the **Network access: Remotely accessible registry paths and subpaths** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md
index cf59a0d22f..1ca60361c7 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Network access: Remotely accessible registry paths
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management and security considerations for the **Network access: Remotely accessible registry paths** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md b/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md
index 6f1e91f1b2..b9d02af2c4 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Network access: Shares that can be accessed anonymously
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management and security considerations for the **Network access: Shares that can be accessed anonymously** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md b/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md
index 3feed8fa4d..01d1e937b2 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Network access: Sharing and security model for local accounts
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management and security considerations for the **Network access: Sharing and security model for local accounts** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md
index 531f18f014..bdd1418a71 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Network security: Allow Local System to use computer identity for NTLM
**Applies to**
+- Windows 11
- Windows 10
Describes the location, values, policy management, and security considerations for the **Network security: Allow Local System to use computer identity for NTLM** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md
index 4d47667005..2bd7b413bb 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Network security: Allow LocalSystem NULL session fallback
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, and security considerations for the **Network security: Allow LocalSystem NULL session fallback** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
index 08db95e10e..c317d27ae4 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Network security: Allow PKU2U authentication requests to this computer to use online identities
**Applies to**
+- Windows 11
- Windows 10
This article describes the best practices, location, and values for the **Network Security: Allow PKU2U authentication requests to this computer to use online identities** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
index b0da8cc808..a9b0b1ae89 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
@@ -1,17 +1,12 @@
---
title: Network security Configure encryption types allowed for Kerberos
description: Best practices, location, values and security considerations for the policy setting, Network security Configure encryption types allowed for Kerberos Win7 only.
-ms.assetid: 303d32cc-415b-44ba-96c0-133934046ece
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.collection:
- highpri
ms.topic: conceptual
@@ -22,7 +17,9 @@ ms.technology: itpro-security
# Network security: Configure encryption types allowed for Kerberos
**Applies to**
-- Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
+- Windows 11
+- Windows 10
+- Windows Server
Describes the best practices, location, values, and security considerations for the **Network security: Configure encryption types allowed for Kerberos** security policy setting.
@@ -30,18 +27,18 @@ Describes the best practices, location, values, and security considerations for
This policy setting allows you to set the encryption types that the Kerberos protocol is allowed to use. If it isn't selected, the encryption type won't be allowed. This setting might affect compatibility with client computers or services and applications. Multiple selections are permitted.
-For more information, see [article 977321](/troubleshoot/windows-server/windows-security/kdc-event-16-27-des-encryption-disabled) in the Microsoft Knowledge Base.
+For more information, see [KDC event ID 16 or 27 is logged if DES for Kerberos is disabled](/troubleshoot/windows-server/windows-security/kdc-event-16-27-des-encryption-disabled).
The following table lists and explains the allowed encryption types.
| Encryption type | Description and version support |
| - | - |
-| DES_CBC_CRC | Data Encryption Standard with Cipher Block Chaining using the Cyclic Redundancy Check function Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7, Windows 10, Windows Server 2008 R2, and later operating systems don't support DES by default. |
-| DES_CBC_MD5| Data Encryption Standard with Cipher Block Chaining using the Message-Digest algorithm 5 checksum function Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7, Windows 10, Windows Server 2008 R2, and later operating systems don't support DES by default. |
-| RC4_HMAC_MD5| Rivest Cipher 4 with Hashed Message Authentication Code using the Message-Digest algorithm 5 checksum function Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows 10, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2.|
-| AES128_HMAC_SHA1| Advanced Encryption Standard in 128-bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1). Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, Windows 10, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. |
-| AES256_HMAC_SHA1| Advanced Encryption Standard in 256-bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1). Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, Windows 10, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. |
+| DES_CBC_CRC | Data Encryption Standard with Cipher Block Chaining using the Cyclic Redundancy Check function Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7, Windows 10, Windows 11, Windows Server 2008 R2, and later operating systems don't support DES by default. |
+| DES_CBC_MD5| Data Encryption Standard with Cipher Block Chaining using the Message-Digest algorithm 5 checksum function Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7, Windows 10, Windows 11, Windows Server 2008 R2, and later operating systems don't support DES by default. |
+| RC4_HMAC_MD5| Rivest Cipher 4 with Hashed Message Authentication Code using the Message-Digest algorithm 5 checksum function Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows 10, Windows 11, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2.|
+| AES128_HMAC_SHA1| Advanced Encryption Standard in 128-bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1). Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, Windows 10, Windows 11, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. |
+| AES256_HMAC_SHA1| Advanced Encryption Standard in 256-bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1). Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, Windows 10, Windows 11, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. |
| Future encryption types| Reserved by Microsoft for other encryption types that might be implemented.|
### Possible values
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md b/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md
index 463b054ea4..2f5d913958 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Network security: Do not store LAN Manager hash value on next password change
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management and security considerations for the **Network security: Do not store LAN Manager hash value on next password change** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md b/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md
index 3e5f9a03b9..1999afcfbb 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Network security: Force logoff when logon hours expire
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Network security: Force logoff when logon hours expire** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md b/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md
index aba0587774..e1585d602e 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md
@@ -22,6 +22,7 @@ ms.technology: itpro-security
# Network security: LAN Manager authentication level
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management and security considerations for the **Network security: LAN Manager authentication level** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md b/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md
index 3c0032faf1..3fb085d04d 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Network security: LDAP client signing requirements
**Applies to**
+- Windows 11
- Windows 10
This security policy reference topic for the IT professional describes the best practices, location, values, policy management and security considerations for this policy setting. This information applies to computers running at least the Windows Server 2008 operating system.
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md
index d0a7524fb4..aa708a1c42 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management and security considerations for the **Network security: Minimum session security for NTLM SSP based (including secure RPC) clients** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md
index 022d167542..c53712c5e9 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management and security considerations for the **Network security: Minimum session security for NTLM SSP based (including secure RPC) servers** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md
index 09f6ccc2c7..c42e1f65c5 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, management aspects, and security considerations for the **Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md
index 99e8c7a39f..86b0883198 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Network security: Restrict NTLM: Add server exceptions in this domain
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, management aspects, and security considerations for the **Network security: Restrict NTLM: Add server exceptions in this domain** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md
index 4c15706058..8d99ff27a8 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Network security: Restrict NTLM: Audit incoming NTLM traffic
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Audit incoming NTLM traffic** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md
index 7bf8d5f15b..f0c1ef0a6c 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md
@@ -1,17 +1,12 @@
---
-title: Network security Restrict NTLM Audit NTLM authentication in this domain (Windows 10)
+title: Network security Restrict NTLM Audit NTLM authentication in this domain
description: Best practices, security considerations, and more for the security policy setting, Network Security Restrict NTLM Audit NTLM authentication in this domain.
-ms.assetid: 33183ef9-53b5-4258-8605-73dc46335e6e
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.date: 04/19/2017
ms.technology: itpro-security
@@ -20,7 +15,7 @@ ms.technology: itpro-security
# Network security: Restrict NTLM: Audit NTLM authentication in this domain
**Applies to**
-- Windows 10
+- Windows Server
Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Audit NTLM authentication in this domain** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md
index 2f02467243..968acbe1da 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Network security: Restrict NTLM: Incoming NTLM traffic
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Incoming NTLM traffic** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md
index 33ff80fb70..61092a99fc 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md
@@ -1,17 +1,12 @@
---
-title: Network security Restrict NTLM in this domain (Windows 10)
+title: Network security Restrict NTLM in this domain
description: Learn about best practices, security considerations and more for the security policy setting, Network Security Restrict NTLM NTLM authentication in this domain.
-ms.assetid: 4c7884e9-cc11-4402-96b6-89c77dc908f8
ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-audience: ITPro
ms.topic: conceptual
ms.technology: itpro-security
ms.date: 12/31/2017
@@ -20,7 +15,7 @@ ms.date: 12/31/2017
# Network security: Restrict NTLM: NTLM authentication in this domain
**Applies to**
-- Windows 10
+- Windows Server
Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: NTLM authentication in this domain** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
index 9037b9728c..375f27c55c 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md b/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md
index 7b30d8f59c..60aa01ecc1 100644
--- a/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md
+++ b/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Perform volume maintenance tasks
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Perform volume maintenance tasks** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/profile-single-process.md b/windows/security/threat-protection/security-policy-settings/profile-single-process.md
index cde1362185..d0654f81aa 100644
--- a/windows/security/threat-protection/security-policy-settings/profile-single-process.md
+++ b/windows/security/threat-protection/security-policy-settings/profile-single-process.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Profile single process
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Profile single process** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/profile-system-performance.md b/windows/security/threat-protection/security-policy-settings/profile-system-performance.md
index ecb01bb455..53ea9e3b07 100644
--- a/windows/security/threat-protection/security-policy-settings/profile-system-performance.md
+++ b/windows/security/threat-protection/security-policy-settings/profile-system-performance.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Profile system performance
**Applies to**
+- Windows 11
- Windows 10
This security policy reference topic for the IT professional describes the best practices, location, values, policy management, and security considerations for the **Profile system performance** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md
index 0980bf4469..c6dba7f1f4 100644
--- a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md
+++ b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Recovery console: Allow automatic administrative logon
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Recovery console: Allow automatic administrative logon** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md
index d7906353f2..e530ce19b8 100644
--- a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md
+++ b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Recovery console: Allow floppy copy and access to all drives and folders
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management and security considerations for the **Recovery console: Allow floppy copy and access to all drives and folders** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md b/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md
index 57181925d6..0f15781757 100644
--- a/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md
+++ b/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Remove computer from docking station - security policy setting
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Remove computer from docking station** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md b/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md
index 5e9ee1c0f3..af5c5cc7df 100644
--- a/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md
+++ b/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Replace a process level token
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Replace a process level token** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md b/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md
index d534fcedaa..a80d0249a1 100644
--- a/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md
+++ b/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Restore files and directories - security policy setting
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Restore files and directories** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/security-options.md b/windows/security/threat-protection/security-policy-settings/security-options.md
index b7b56bf6a8..a53ae544d8 100644
--- a/windows/security/threat-protection/security-policy-settings/security-options.md
+++ b/windows/security/threat-protection/security-policy-settings/security-options.md
@@ -1,17 +1,13 @@
---
-title: Security Options (Windows 10)
+title: Security options
description: Introduction to the Security Options settings of the local security policies plus links to more information.
-ms.assetid: 405ea253-8116-4e57-b08e-14a8dcdca92b
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
-ms.date: 06/28/2018
+ms.date: 01/13/2023
ms.technology: itpro-security
ms.topic: conceptual
---
@@ -19,8 +15,9 @@ ms.topic: conceptual
# Security Options
**Applies to**
-- Windows 11
-- Windows 10
+
+- Windows 11
+- Windows 10
Provides an introduction to the **Security Options** settings for local security policies and links to more information.
@@ -34,75 +31,71 @@ For info about setting security policies, see [Configure security policy setting
| Article | Description |
| - | - |
-| [Accounts: Administrator account status](accounts-administrator-account-status.md) | Describes the best practices, location, values, and security considerations for the **Accounts: Administrator account status** security policy setting.|
-| [Accounts: Block Microsoft accounts](accounts-block-microsoft-accounts.md) | Describes the best practices, location, values, management, and security considerations for the **Accounts: Block Microsoft accounts** security policy setting.|
-| [Accounts: Guest account status](accounts-guest-account-status.md) | Describes the best practices, location, values, and security considerations for the **Accounts: Guest account status** security policy setting.|
+| [Accounts: Administrator account status](accounts-administrator-account-status.md) | Describes the best practices, location, values, and security considerations for the **Accounts: Administrator account status** security policy setting.|
+| [Accounts: Block Microsoft accounts](accounts-block-microsoft-accounts.md) | Describes the best practices, location, values, management, and security considerations for the **Accounts: Block Microsoft accounts** security policy setting.|
+| [Accounts: Guest account status](accounts-guest-account-status.md) | Describes the best practices, location, values, and security considerations for the **Accounts: Guest account status** security policy setting.|
| [Accounts: Limit local account use of blank passwords to console logon only](accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md) | Describes the best practices, location, values, and security considerations for the **Accounts: Limit local account use of blank passwords to console logon only** security policy setting. |
-| [Accounts: Rename administrator account](accounts-rename-administrator-account.md)| This security policy article for the IT professional describes the best practices, location, values, and security considerations for this policy setting.|
-| [Accounts: Rename guest account](accounts-rename-guest-account.md) | Describes the best practices, location, values, and security considerations for the **Accounts: Rename guest account** security policy setting.|
-| [Audit: Audit the access of global system objects](audit-audit-the-access-of-global-system-objects.md) | Describes the best practices, location, values, and security considerations for the **Audit: Audit the access of global system objects** security policy setting.|
-| [Audit: Audit the use of Backup and Restore privilege](audit-audit-the-use-of-backup-and-restore-privilege.md) | Describes the best practices, location, values, and security considerations for the **Audit: Audit the use of Backup and Restore privilege** security policy setting.|
+| [Accounts: Rename administrator account](accounts-rename-administrator-account.md)| This security policy article for the IT professional describes the best practices, location, values, and security considerations for this policy setting.|
+| [Accounts: Rename guest account](accounts-rename-guest-account.md) | Describes the best practices, location, values, and security considerations for the **Accounts: Rename guest account** security policy setting.|
+| [Audit: Audit the access of global system objects](audit-audit-the-access-of-global-system-objects.md) | Describes the best practices, location, values, and security considerations for the **Audit: Audit the access of global system objects** security policy setting.|
+| [Audit: Audit the use of Backup and Restore privilege](audit-audit-the-use-of-backup-and-restore-privilege.md) | Describes the best practices, location, values, and security considerations for the **Audit: Audit the use of Backup and Restore privilege** security policy setting.|
| [Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings](audit-force-audit-policy-subcategory-settings-to-override.md) | Describes the best practices, location, values, and security considerations for the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** security policy setting. |
| [Audit: Shut down system immediately if unable to log security audits](audit-shut-down-system-immediately-if-unable-to-log-security-audits.md)| Describes the best practices, location, values, management practices, and security considerations for the **Audit: Shut down system immediately if unable to log security audits** security policy setting. |
| [DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax](dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md)| Describes the best practices, location, values, and security considerations for the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy setting. |
| [DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax](dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md)| Describes the best practices, location, values, and security considerations for the **DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax** security policy setting. |
-| [Devices: Allow undock without having to log on](devices-allow-undock-without-having-to-log-on.md)| Describes the best practices, location, values, and security considerations for the **Devices: Allow undock without having to log on** security policy setting.|
-| [Devices: Allowed to format and eject removable media](devices-allowed-to-format-and-eject-removable-media.md) | Describes the best practices, location, values, and security considerations for the **Devices: Allowed to format and eject removable media** security policy setting.|
-| [Devices: Prevent users from installing printer drivers](devices-prevent-users-from-installing-printer-drivers.md) | Describes the best practices, location, values, and security considerations for the **Devices: Prevent users from installing printer drivers** security policy setting.|
+| [Devices: Allow undock without having to log on](devices-allow-undock-without-having-to-log-on.md)| Describes the best practices, location, values, and security considerations for the **Devices: Allow undock without having to log on** security policy setting.|
+| [Devices: Allowed to format and eject removable media](devices-allowed-to-format-and-eject-removable-media.md) | Describes the best practices, location, values, and security considerations for the **Devices: Allowed to format and eject removable media** security policy setting.|
+| [Devices: Prevent users from installing printer drivers](devices-prevent-users-from-installing-printer-drivers.md) | Describes the best practices, location, values, and security considerations for the **Devices: Prevent users from installing printer drivers** security policy setting.|
| [Devices: Restrict CD-ROM access to locally logged-on user only](devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md) | Describes the best practices, location, values, and security considerations for the **Devices: Restrict CD-ROM access to locally logged-on user only** security policy setting. |
| [Devices: Restrict floppy access to locally logged-on user only](devices-restrict-floppy-access-to-locally-logged-on-user-only.md)| Describes the best practices, location, values, and security considerations for the **Devices: Restrict floppy access to locally logged-on user only** security policy setting. |
| [Domain controller: Allow server operators to schedule tasks](domain-controller-allow-server-operators-to-schedule-tasks.md)| Describes the best practices, location, values, and security considerations for the **Domain controller: Allow server operators to schedule tasks** security policy setting. |
| [Domain controller: LDAP server signing requirements](domain-controller-ldap-server-signing-requirements.md)| Describes the best practices, location, values, and security considerations for the **Domain controller: LDAP server signing requirements** security policy setting. |
-| [Domain controller: Refuse machine account password changes](domain-controller-refuse-machine-account-password-changes.md) | Describes the best practices, location, values, and security considerations for the **Domain controller: Refuse machine account password changes** security policy setting.|
+| [Domain controller: Refuse machine account password changes](domain-controller-refuse-machine-account-password-changes.md) | Describes the best practices, location, values, and security considerations for the **Domain controller: Refuse machine account password changes** security policy setting.|
| [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) | Describes the best practices, location, values, and security considerations for the **Domain member: Digitally encrypt or sign secure channel data (always)** security policy setting. |
| [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md)| Describes the best practices, location, values, and security considerations for the **Domain member: Digitally encrypt secure channel data (when possible)** security policy setting. |
-| [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md)| Describes the best practices, location, values, and security considerations for the **Domain member: Digitally sign secure channel data (when possible)** security policy setting.|
-| [Domain member: Disable machine account password changes](domain-member-disable-machine-account-password-changes.md)| Describes the best practices, location, values, and security considerations for the **Domain member: Disable machine account password changes** security policy setting.
+| [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md)| Describes the best practices, location, values, and security considerations for the **Domain member: Digitally sign secure channel data (when possible)** security policy setting.|
+| [Domain member: Disable machine account password changes](domain-member-disable-machine-account-password-changes.md)| Describes the best practices, location, values, and security considerations for the **Domain member: Disable machine account password changes** security policy setting.|
| [Domain member: Maximum machine account password age](domain-member-maximum-machine-account-password-age.md) |Describes the best practices, location, values, and security considerations for the **Domain member: Maximum machine account password age** security policy setting.|
|[Domain member: Require strong (Windows 2000 or later) session key](domain-member-require-strong-windows-2000-or-later-session-key.md)| Describes the best practices, location, values, and security considerations for the **Domain member: Require strong (Windows 2000 or later) session key** security policy setting. |
| [Interactive logon: Display user information when the session is locked](interactive-logon-display-user-information-when-the-session-is-locked.md)| Describes the best practices, location, values, and security considerations for the **Interactive logon: Display user information when the session is locked** security policy setting. |
-| [Interactive logon: Don't display last signed-in](interactive-logon-do-not-display-last-user-name.md)| Describes the best practices, location, values, and security considerations for the **Interactive logon: Don't display last signed-in** security policy setting.|
-| [Interactive logon: Don't display username at sign-in](interactive-logon-dont-display-username-at-sign-in.md)| Describes the best practices, location, values, and security considerations for the **Interactive logon: Do not display username at sign-in** security policy setting.|
-| [Interactive logon: Do not require CTRL+ALT+DEL](interactive-logon-do-not-require-ctrl-alt-del.md)| Describes the best practices, location, values, and security considerations for the **Interactive logon: Do not require CTRL+ALT+DEL** security policy setting.|
-| [Interactive logon: Machine account lockout threshold](interactive-logon-machine-account-lockout-threshold.md) | Describes the best practices, location, values, management, and security considerations for the **Interactive logon: Machine account lockout threshold** security policy setting.|
-| [Interactive logon: Machine inactivity limit](interactive-logon-machine-inactivity-limit.md)| Describes the best practices, location, values, management, and security considerations for the **Interactive logon: Machine inactivity limit** security policy setting.|
+| [Interactive logon: Don't display last signed-in](interactive-logon-do-not-display-last-user-name.md)| Describes the best practices, location, values, and security considerations for the **Interactive logon: Don't display last signed-in** security policy setting.|
+| [Interactive logon: Don't display username at sign-in](interactive-logon-dont-display-username-at-sign-in.md)| Describes the best practices, location, values, and security considerations for the **Interactive logon: Do not display username at sign-in** security policy setting.|
+| [Interactive logon: Do not require CTRL+ALT+DEL](interactive-logon-do-not-require-ctrl-alt-del.md)| Describes the best practices, location, values, and security considerations for the **Interactive logon: Do not require CTRL+ALT+DEL** security policy setting.|
+| [Interactive logon: Machine account lockout threshold](interactive-logon-machine-account-lockout-threshold.md) | Describes the best practices, location, values, management, and security considerations for the **Interactive logon: Machine account lockout threshold** security policy setting.|
+| [Interactive logon: Machine inactivity limit](interactive-logon-machine-inactivity-limit.md)| Describes the best practices, location, values, management, and security considerations for the **Interactive logon: Machine inactivity limit** security policy setting.|
| [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md) | Describes the best practices, location, values, management, and security considerations for the **Interactive logon: Message text for users attempting to log on** security policy setting. |
| [Interactive logon: Message title for users attempting to log on](interactive-logon-message-title-for-users-attempting-to-log-on.md)| Describes the best practices, location, values, policy management, and security considerations for the **Interactive logon: Message title for users attempting to log on** security policy setting. |
| [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md)| Describes the best practices, location, values, policy management, and security considerations for the **Interactive logon: Number of previous logons to cache (in case domain controller is not available)** security policy setting. |
| [Interactive logon: Prompt user to change password before expiration](interactive-logon-prompt-user-to-change-password-before-expiration.md)| Describes the best practices, location, values, policy management, and security considerations for the **Interactive logon: Prompt user to change password before expiration** security policy setting. |
| [Interactive logon: Require Domain Controller authentication to unlock workstation](interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md)| Describes the best practices, location, values, policy management, and security considerations for the **Interactive logon: Require Domain Controller authentication to unlock workstation** security policy setting. |
-| [Interactive logon: Require smart card](interactive-logon-require-smart-card.md) | Describes the best practices, location, values, policy management, and security considerations for the **Interactive logon: Require smart card** security policy setting.|
-| [Interactive logon: Smart card removal behavior](interactive-logon-smart-card-removal-behavior.md) | Describes the best practices, location, values, policy management, and security considerations for the **Interactive logon: Smart card removal behavior** security policy setting.|
+| [Interactive logon: Require Windows Hello for Business or smart card](interactive-logon-require-smart-card.md) | Describes the best practices, location, values, policy management, and security considerations for the **Interactive logon: Require Windows Hello for Business or smart card** security policy setting.|
+| [Interactive logon: Smart card removal behavior](interactive-logon-smart-card-removal-behavior.md) | Describes the best practices, location, values, policy management, and security considerations for the **Interactive logon: Smart card removal behavior** security policy setting.|
| [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md) | Describes the best practices, location, values, policy management, and security considerations for the **Microsoft network client: Digitally sign communications (always)** security policy setting for SMBv3 and SMBv2. |
-| [SMBv1 Microsoft network client: Digitally sign communications (always)](smbv1-microsoft-network-client-digitally-sign-communications-always.md) | Describes the best practices, location, values, policy management, and security considerations for the **Microsoft network client: Digitally sign communications (always)** security policy setting for SMBv1 only. |
-| [SMBv1 Microsoft network client: Digitally sign communications (if server agrees)](smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md)| Describes the best practices, location, values, and security considerations for the **Microsoft network client: Digitally sign communications (if server agrees)** security policy setting for SMBv1 only. |
| [Microsoft network client: Send unencrypted password to third-party SMB servers](microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md)| Describes the best practices, location, values, policy management, and security considerations for the **Microsoft network client: Send unencrypted password to third-party SMB servers** security policy setting. |
| [Microsoft network server: Amount of idle time required before suspending session](microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md)| Describes the best practices, location, values, and security considerations for the **Microsoft network server: Amount of idle time required before suspending session** security policy setting. |
| [Microsoft network server: Attempt S4U2Self to obtain claim information](microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md)| Describes the best practices, location, values, management, and security considerations for the **Microsoft network server: Attempt S4U2Self to obtain claim information** security policy setting. |
-| [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md)| Describes the best practices, location, values, policy management, and security considerations for the **Microsoft network server: Digitally sign communications (always)** security policy setting for SMBv3 and SMBv2.|
-| [SMBv1 Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md)| Describes the best practices, location, values, policy management, and security considerations for the **Microsoft network server: Digitally sign communications (always)** security policy setting for SMBv1 only.|
-| [SMBv1 Microsoft network server: Digitally sign communications (if client agrees)](smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md)| Describes the best practices, location, values, policy management, and security considerations for the **Microsoft network server: Digitally sign communications (if client agrees)** security policy setting for SMBv1 only. |
+| [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md)| Describes the best practices, location, values, policy management, and security considerations for the **Microsoft network server: Digitally sign communications (always)** security policy setting for SMBv3 and SMBv2.|
| [Microsoft network server: Disconnect clients when logon hours expire](microsoft-network-server-disconnect-clients-when-logon-hours-expire.md)| Describes the best practices, location, values, and security considerations for the **Microsoft network server: Disconnect clients when logon hours expire** security policy setting. |
| [Microsoft network server: Server SPN target name validation level](microsoft-network-server-server-spn-target-name-validation-level.md)| Describes the best practices, location, and values, policy management, and security considerations for the **Microsoft network server: Server SPN target name validation level** security policy setting. |
-| [Network access: Allow anonymous SID/Name translation](network-access-allow-anonymous-sidname-translation.md)| Describes the best practices, location, values, policy management, and security considerations for the **Network access: Allow anonymous SID/Name translation** security policy setting.|
+| [Network access: Allow anonymous SID/Name translation](network-access-allow-anonymous-sidname-translation.md)| Describes the best practices, location, values, policy management, and security considerations for the **Network access: Allow anonymous SID/Name translation** security policy setting.|
| [Network access: Do not allow anonymous enumeration of SAM accounts](network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md)| Describes the best practices, location, values, and security considerations for the **Network access: Do not allow anonymous enumeration of SAM accounts** security policy setting. |
| [Network access: Do not allow anonymous enumeration of SAM accounts and shares](network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md)| Describes the best practices, location, values, and security considerations for the **Network access: Do not allow anonymous enumeration of SAM accounts and shares** security policy setting. |
| [Network access: Do not allow storage of passwords and credentials for network authentication](network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md)| Describes the best practices, location, values, policy management, and security considerations for the **Network access: Do not allow storage of passwords and credentials for network authentication** security policy setting. |
| [Network access: Let Everyone permissions apply to anonymous users](network-access-let-everyone-permissions-apply-to-anonymous-users.md)| Describes the best practices, location, values, policy management, and security considerations for the **Network access: Let Everyone permissions apply to anonymous users** security policy setting. |
| [Network access: Named Pipes that can be accessed anonymously](network-access-named-pipes-that-can-be-accessed-anonymously.md)| Describes the best practices, location, values, policy management, and security considerations for the **Network access: Named Pipes that can be accessed anonymously** security policy setting. |
-| [Network access: Remotely accessible registry paths](network-access-remotely-accessible-registry-paths.md)| Describes the best practices, location, values, policy management, and security considerations for the **Network access: Remotely accessible registry paths** security policy setting.|
+| [Network access: Remotely accessible registry paths](network-access-remotely-accessible-registry-paths.md)| Describes the best practices, location, values, policy management, and security considerations for the **Network access: Remotely accessible registry paths** security policy setting.|
| [Network access: Remotely accessible registry paths and subpaths](network-access-remotely-accessible-registry-paths-and-subpaths.md)| Describes the best practices, location, values, and security considerations for the **Network access: Remotely accessible registry paths and subpaths** security policy setting. |
| [Network access: Restrict anonymous access to Named Pipes and Shares](network-access-restrict-anonymous-access-to-named-pipes-and-shares.md)| Describes the best practices, location, values, policy management, and security considerations for the **Network access: Restrict anonymous access to Named Pipes and Shares** security policy setting. |
| [Network access: Restrict clients allowed to make remote calls to SAM](network-access-restrict-clients-allowed-to-make-remote-sam-calls.md)| Describes the best practices, location, values, policy management, and security considerations for the **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting. |
| [Network access: Shares that can be accessed anonymously](network-access-shares-that-can-be-accessed-anonymously.md)| Describes the best practices, location, values, policy management, and security considerations for the **Network access: Shares that can be accessed anonymously** security policy setting. |
| [Network access: Sharing and security model for local accounts](network-access-sharing-and-security-model-for-local-accounts.md)| Describes the best practices, location, values, policy management, and security considerations for the **Network access: Sharing and security model for local accounts** security policy setting. |
| [Network security: Allow Local System to use computer identity for NTLM](network-security-allow-local-system-to-use-computer-identity-for-ntlm.md)| Describes the location, values, policy management, and security considerations for the **Network security: Allow Local System to use computer identity for NTLM** security policy setting. |
-| [Network security: Allow LocalSystem NULL session fallback](network-security-allow-localsystem-null-session-fallback.md)| Describes the best practices, location, values, and security considerations for the **Network security: Allow LocalSystem NULL session fallback** security policy setting.|
+| [Network security: Allow LocalSystem NULL session fallback](network-security-allow-localsystem-null-session-fallback.md)| Describes the best practices, location, values, and security considerations for the **Network security: Allow LocalSystem NULL session fallback** security policy setting.|
| [Network security: Allow PKU2U authentication requests to this computer to use online identities](network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md)| Describes the best practices, location, and values for the **Network Security: Allow PKU2U authentication requests to this computer to use online identities** security policy setting. |
| [Network security: Configure encryption types allowed for Kerberos Win7 only](network-security-configure-encryption-types-allowed-for-kerberos.md)| Describes the best practices, location, values, and security considerations for the **Network security: Configure encryption types allowed for Kerberos Win7 only** security policy setting. |
| [Network security: Do not store LAN Manager hash value on next password change](network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md)| Describes the best practices, location, values, policy management, and security considerations for the **Network security: Do not store LAN Manager hash value on next password change** security policy setting. |
| [Network security: Force logoff when logon hours expire](network-security-force-logoff-when-logon-hours-expire.md)| Describes the best practices, location, values, policy management, and security considerations for the **Network security: Force logoff when logon hours expire** security policy setting. |
-| [Network security: LAN Manager authentication level](network-security-lan-manager-authentication-level.md)| Describes the best practices, location, values, policy management, and security considerations for the **Network security: LAN Manager authentication level** security policy setting.|
+| [Network security: LAN Manager authentication level](network-security-lan-manager-authentication-level.md)| Describes the best practices, location, values, policy management, and security considerations for the **Network security: LAN Manager authentication level** security policy setting.|
| [Network security: LDAP client signing requirements](network-security-ldap-client-signing-requirements.md) | This security policy reference topic for the IT professional describes the best practices, location, values, policy management, and security considerations for this policy setting. This information applies to computers running at least the Windows Server 2008 operating system. |
| [Network security: Minimum session security for NTLM SSP based (including secure RPC) clients](network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md)| Describes the best practices, location, values, policy management, and security considerations for the **Network security: Minimum session security for NTLM SSP based (including secure RPC) clients** security policy setting. |
| [Network security: Minimum session security for NTLM SSP based (including secure RPC) servers](network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md)| Describes the best practices, location, values, policy management, and security considerations for the **Network security: Minimum session security for NTLM SSP based (including secure RPC) servers** security policy setting. |
@@ -116,12 +109,12 @@ For info about setting security policies, see [Configure security policy setting
| [Recovery console: Allow automatic administrative logon](recovery-console-allow-automatic-administrative-logon.md)| Describes the best practices, location, values, policy management, and security considerations for the **Recovery console: Allow automatic administrative logon** security policy setting. |
| [Recovery console: Allow floppy copy and access to all drives and folders](recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md)| Describes the best practices, location, values, policy management, and security considerations for the **Recovery console: Allow floppy copy and access to all drives and folders** security policy setting. |
| [Shutdown: Allow system to be shut down without having to lg on](shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md)| Describes the best practices, location, values, policy management, and security considerations for the **Shutdown: Allow system to be shut down without having to log on** security policy setting. |
-| [Shutdown: Clear virtual memory pagefile](shutdown-clear-virtual-memory-pagefile.md)| Describes the best practices, location, values, policy management, and security considerations for the **Shutdown: Clear virtual memory pagefile** security policy setting.|
+| [Shutdown: Clear virtual memory pagefile](shutdown-clear-virtual-memory-pagefile.md)| Describes the best practices, location, values, policy management, and security considerations for the **Shutdown: Clear virtual memory pagefile** security policy setting.|
| [System cryptography: Force strong key protection for user keys stored on the computer](system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md)| Describes the best practices, location, values, policy management, and security considerations for the **System cryptography: Force strong key protection for user keys stored on the computer** security policy setting. |
| [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md)| This security policy reference topic for the IT professional describes the best practices, location, values, policy management, and security considerations for this policy setting. |
| [System objects: Require case insensitivity for non-Windows subsystems](system-objects-require-case-insensitivity-for-non-windows-subsystems.md)| Describes the best practices, location, values, policy management, and security considerations for the **System objects: Require case insensitivity for non-Windows subsystems** security policy setting. |
| [System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)](system-objects-strengthen-default-permissions-of-internal-system-objects.md)| Describes the best practices, location, values, policy management, and security considerations for the **System objects: Strengthen default permissions of internal system objects (for example, Symbolic Links)** security policy setting. |
-| [System settings: Optional subsystems](system-settings-optional-subsystems.md) | Describes the best practices, location, values, policy management, and security considerations for the **System settings: Optional subsystems** security policy setting.|
+| [System settings: Optional subsystems](system-settings-optional-subsystems.md) | Describes the best practices, location, values, policy management, and security considerations for the **System settings: Optional subsystems** security policy setting.|
| [System settings: Use certificate rules on Windows executables for Software Restriction Policies](system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md)| Describes the best practices, location, values, policy management, and security considerations for the **System settings: Use certificate rules on Windows executables for Software Restriction Policies** security policy setting. |
| [User Account Control: Admin Approval Mode for the Built-in Administrator account](user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md)| Describes the best practices, location, values, policy management, and security considerations for the **User Account Control: Admin Approval Mode for the Built-in Administrator account** security policy setting. |
| [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md)| Describes the best practices, location, values, and security considerations for the **User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop** security policy setting. |
@@ -133,7 +126,7 @@ For info about setting security policies, see [Configure security policy setting
| [User Account Control: Run all administrators in Admin Approval Mode](user-account-control-run-all-administrators-in-admin-approval-mode.md)| Describes the best practices, location, values, policy management, and security considerations for the **User Account Control: Run all administrators in Admin Approval Mode** security policy setting. |
| [User Account Control: Switch to the secure desktop when prompting for elevation](user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md)| Describes the best practices, location, values, policy management, and security considerations for the **User Account Control: Switch to the secure desktop when prompting for elevation** security policy setting. |
| [User Account Control: Virtualize file and registry write failures to per-user locations](user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md)| Describes the best practices, location, values, policy management, and security considerations for the **User Account Control: Virtualize file and registry write failures to per-user locations** security policy setting. |
-
+
## Related articles
- [Security policy settings reference](security-policy-settings-reference.md)
diff --git a/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md b/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md
index b2bd961eea..e238e91c99 100644
--- a/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md
+++ b/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Shut down the system - security policy setting
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Shut down the system** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md b/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md
index 6fe3056930..e0fa746d50 100644
--- a/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md
+++ b/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Shutdown: Allow system to be shut down without having to log on
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Shutdown: Allow system to be shut down without having to log on** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md b/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md
index 4b773d0043..24a66f59c2 100644
--- a/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md
+++ b/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Shutdown: Clear virtual memory pagefile
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management and security considerations for the **Shutdown: Clear virtual memory pagefile** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md
deleted file mode 100644
index 99e2eca53e..0000000000
--- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md
+++ /dev/null
@@ -1,120 +0,0 @@
----
-title: Always sign SMBv1 network client communications (Windows 10)
-description: Learn about best practices, security considerations and more for the security policy setting, Microsoft network client Digitally sign communications (always).
-ms.assetid: 4b7b0298-b130-40f8-960d-60418ba85f76
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
-audience: ITPro
-ms.topic: conceptual
-ms.date: 01/04/2019
-ms.technology: itpro-security
----
-
-# SMBv1 Microsoft network client: Digitally sign communications (always)
-
-**Applies to**
-- Windows 10
-
-This topic is about the Server Message Block (SMB) v1 protocol. SMBv1 isn't secure and has been deprecated in Windows. Beginning with Windows 10 Fall Creators Update and Windows Server, version 1709, [SMBv1 isn't installed by default](/windows-server/storage/file-server/troubleshoot/smbv1-not-installed-by-default-in-windows).
-
-The rest of this topic describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Digitally sign communications (always)** security policy setting only for SMBv1. The same policy setting can be applied to computers that run SMBv2. For more information, see [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md).
-
-## Reference
-
-The Server Message Block (SMB) protocol provides the basis for file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets.
-This policy setting determines whether SMB packet signing must be negotiated before further communication with the Server service is permitted.
-
-Implementation of digital signatures in high-security networks helps prevent the impersonation of client computers and servers, which is known as "session hijacking." But misuse of these policy settings is a common error that can cause data loss or problems with data access or security.
-
-If server-side SMB signing is required, a client device won't be able to establish a session with that server, unless it has client-side SMB signing enabled. By default, client-side SMB signing is enabled on workstations, servers, and domain controllers. Similarly, if client-side SMB signing is required, that client device won't be able to establish a session with servers that don't have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers.
-
-If server-side SMB signing is enabled, SMB packet signing will be negotiated with client computers that have SMB signing enabled.
-
-[!INCLUDE [smb1-perf-note](includes/smb1-perf-note.md)]
-
-There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications:
-- [Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md)
-- [Microsoft network client: Digitally sign communications (if server agrees)](smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md)
-- [Microsoft network server: Digitally sign communications (if client agrees)](smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md)
-
-### Possible values
-
-- Enabled
-- Disabled
-- Not defined
-
-### Best practices
-
-1. Configure the following security policy settings as follows:
-
- - Disable **Microsoft network client: Digitally sign communications (always)**.
- - Disable [Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md).
- - Enable [Microsoft network client: Digitally sign communications (if server agrees)](smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md).
- - Enable [Microsoft network server: Digitally sign communications (if client agrees)](smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md).
-
-2. Alternately, you can set all of these policy settings to Enabled, but enabling them can cause slower performance on client devices and prevent them from communicating with legacy SMB applications and operating systems.
-
-### Location
-
-Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
-
-### Default values
-
-The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page.
-
-| Server type or GPO | Default value |
-| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
-## Policy management
-
-This section describes features and tools that are available to help you manage this policy.
-
-### Restart requirement
-
-None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy.
-
-## Security considerations
-
-This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
-
-### Vulnerability
-
-Session hijacking uses tools that allow attackers who have access to the same network as the client device or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned Server Message Block (SMB) packets and then modify the traffic and forward it so that the server might perform objectionable actions. Alternatively, the attacker could pose as the server or client computer after legitimate authentication, and gain unauthorized access to data.
-
-SMB is the resource-sharing protocol that is supported by many Windows operating systems. It's the basis of NetBIOS and many other protocols. SMB signatures authenticate users and the servers that host the data. If either side fails the authentication process, data transmission doesn't take place.
-
-### Countermeasure
-
-Configure the settings as follows:
-
-- Disable **Microsoft network client: Digitally sign communications (always)**.
-- Disable [Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md).
-- Enable [Microsoft network client: Digitally sign communications (if server agrees)](smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md).
-- Enable [Microsoft network server: Digitally sign communications (if client agrees)](smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md).
-
-In highly secure environments, we recommend that you configure all of these settings to Enabled. However, that configuration may cause slower performance on client devices and prevent communications with earlier SMB applications and operating systems.
-
->**Note:** An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing.
-
-### Potential impact
-
-Implementations of the SMB file and print-sharing protocol support mutual authentication. This mutual authentication prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by the client and the server.
-
-Implementation of SMB signing may negatively affect performance because each packet must be signed and verified. If these settings are enabled on a server that is performing multiple roles, such as a small business server that is serving as a domain controller, file server, print server, and application server, performance may be substantially slowed. Additionally, if you configure devices to ignore all unsigned SMB communications, older applications and operating systems can't connect. However, if you completely disable all SMB signing, computers are vulnerable to session-hijacking attacks.
-
-## Related topics
-
-- [Security Options](security-options.md)
diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md
deleted file mode 100644
index b4ac13d05a..0000000000
--- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md
+++ /dev/null
@@ -1,122 +0,0 @@
----
-title: SMBv1 Microsoft network client Digitally sign communications (if server agrees) (Windows 10)
-description: Best practices, location, values, and security considerations for the policy setting, Microsoft network client Digitally sign communications (if server agrees).
-ms.assetid: e553f700-aae5-425c-8650-f251c90ba5dd
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
-audience: ITPro
-ms.topic: conceptual
-ms.date: 01/04/2019
-ms.technology: itpro-security
----
-# SMBv1 Microsoft network client: Digitally sign communications (if server agrees)
-
-**Applies to**
-- Windows 10
-
-This topic is about the Server Message Block (SMB) v1 protocol. SMBv1 isn't secure and has been deprecated in Windows. Beginning with Windows 10 Fall Creators Update and Windows Server, version 1709, [SMBv1 isn't installed by default](/windows-server/storage/file-server/troubleshoot/smbv1-not-installed-by-default-in-windows).
-
-The rest of this topic describes the best practices, location, values, and security considerations for the **Microsoft network client: Digitally sign communications (if server agrees)** security policy setting only for SMBv1. The same policy setting can be applied to computers that run SMBv2. For more information, see [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-always.md).
-
-## Reference
-
-The Server Message Block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with the Server service is permitted.
-
-Implementation of digital signatures in high-security networks helps to prevent the impersonation of client computers and servers, which is known as "session hijacking." But misuse of these policy settings is a common error that can cause data loss or problems with data access or security.
-
-If server-side SMB signing is required, a client computer won't be able to establish a session with that server, unless it has client-side SMB signing enabled. By default, client-side SMB signing is enabled on workstations, servers, and domain controllers. Similarly, if client-side SMB signing is required, that client device won't be able to establish a session with servers that don't have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers.
-
-If server-side SMB signing is enabled, SMB packet signing will be negotiated with client computers that have SMB signing enabled.
-
-[!INCLUDE [smb1-perf-note](includes/smb1-perf-note.md)]
-
-There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications:
-
-- [Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md)
-- [Microsoft network client: Digitally sign communications (always)](smbv1-microsoft-network-client-digitally-sign-communications-always.md)
-- [Microsoft network server: Digitally sign communications (if client agrees)](smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md)
-
-### Possible values
-
-- Enabled
-- Disabled
-- Not defined
-
-### Best practices
-
- - Configure the following security policy settings as follows:
-
- - Disable [Microsoft network client: Digitally sign communications (always)](smbv1-microsoft-network-client-digitally-sign-communications-always.md).
- - Disable [Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md).
- - Enable **Microsoft Network Client: Digitally Sign Communications (If Server Agrees)**.
- - Enable [Microsoft network server: Digitally sign communications (if client agrees)](smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md).
-
- - Alternately, you can set all of these policy settings to Enabled, but enabling them can cause slower performance on client devices and prevent them from communicating with legacy SMB applications and operating systems.
-
-### Location
-
-Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
-
-### Default values
-
-The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page.
-
-| Server type or GPO | Default value |
-| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Enabled|
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings| Enabled|
-| Client Computer Effective Default Settings | Enabled|
-
-## Policy management
-
-This section describes features and tools that are available to help you manage this policy.
-
-### Restart requirement
-
-None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy.
-
-## Security considerations
-
-This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
-
-### Vulnerability
-
-Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned Server Message Block (SMB) packets and then modify the traffic and forward it so
-that the server might perform objectionable actions. Alternatively, the attacker could pose as the server or client device after legitimate authentication and gain unauthorized access to data.
-
-SMB is the resource-sharing protocol that is supported by many Windows operating systems. It's the basis of NetBIOS and many other protocols. SMB signatures authenticate users and the servers that host the data. If either side fails the authentication process, data transmission doesn't take place.
-
-### Countermeasure
-
-Configure the settings as follows:
-
-- Disable [Microsoft network client: Digitally sign communications (always)](smbv1-microsoft-network-client-digitally-sign-communications-always.md).
-- Disable [Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md).
-- Enable **Microsoft network client: Digitally sign communications (if server agrees)**.
-- Enable [Microsoft network server: Digitally sign communications (if client agrees)](smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md).
-
-In highly secure environments, we recommend that you configure all of these settings to Enabled. However, that configuration may cause slower performance on client devices and prevent communications with earlier SMB applications and operating systems.
-
-> [!NOTE]
-> An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing.
-
-### Potential impact
-
-Implementations of the SMB file and print-sharing protocol support mutual authentication. This mutual authentication prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by the client and the server.
-
-Implementation of SMB signing may negatively affect performance because each packet must be signed and verified. If these settings are enabled on a server that is performing multiple roles, such as a small business server that is serving as a domain controller, file server, print server, and application server, performance may be substantially slowed. Additionally, if you configure devices to ignore all unsigned SMB communications, older applications and operating systems can't connect. However, if you completely disable all SMB signing, devices are vulnerable to session-hijacking
-attacks.
-
-## Related topics
-
-- [Security Options](security-options.md)
diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md
deleted file mode 100644
index 45b7731eb7..0000000000
--- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md
+++ /dev/null
@@ -1,123 +0,0 @@
----
-title: SMB v1 Microsoft network server Digitally sign communications (always) (Windows 10)
-description: Best practices, security considerations, and more for the security policy setting, Microsoft network server Digitally sign communications (always).
-ms.assetid: 2007b622-7bc2-44e8-9cf1-d34b62117ea8
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
-audience: ITPro
-ms.topic: conceptual
-ms.date: 01/04/2019
-ms.technology: itpro-security
----
-
-# SMB v1 Microsoft network server: Digitally sign communications (always)
-
-**Applies to**
-- Windows 10
-
-This topic is about the Server Message Block (SMB) v1 protocol. SMBv1 isn't secure and has been deprecated in Windows. Beginning with Windows 10 Fall Creators Update and Windows Server, version 1709, [SMB v1 isn't installed by default](/windows-server/storage/file-server/troubleshoot/smbv1-not-installed-by-default-in-windows).
-
-The rest of this topic describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (always)** security policy setting only for SMBv1. The same policy setting can be applied to computers that run SMBv2. Fore more information, see [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md).
-
-## Reference
-
-The Server Message Block (SMB) protocol provides the basis for file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets.
-This policy setting determines whether SMB packet signing must be negotiated before further communication with the Server service is permitted.
-
-Implementation of digital signatures in high-security networks helps to prevent the impersonation of client computers and servers, which is known as "session hijacking." But misuse of these policy settings is a common error that can cause data loss or problems with data access or security.
-
-For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set [Microsoft network client: Digitally sign communications (if server agrees)](smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md). Devices that have this policy set won't be able to communicate with devices that don't have server-side packet signing enabled. By default, server-side packet signing is enabled only on domain controllers. Server-side packet signing can be enabled on devices by setting [Microsoft network server: Digitally sign communications (if client agrees)](smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md).
-
-If server-side SMB signing is required, a client device won't be able to establish a session with that server, unless it has client-side SMB signing enabled. By default, client-side SMB signing is enabled on workstations, servers, and domain controllers. Similarly, if client-side SMB signing is required, that client device won't be able to establish a session with servers that don't have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers.
-
-If server-side SMB signing is enabled, SMB packet signing will be negotiated with client devices that have SMB signing enabled.
-
-[!INCLUDE [smb1-perf-note](includes/smb1-perf-note.md)]
-
-There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications:
-
-- [Microsoft network client: Digitally sign communications (always)](smbv1-microsoft-network-client-digitally-sign-communications-always.md)
-- [Microsoft network client: Digitally sign communications (if server agrees)](smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md)
-- [Microsoft network server: Digitally sign communications (if client agrees)](smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md)
-
-### Possible values
-
-- Enabled
-- Disabled
-- Not defined
-
-### Best practices
-
-1. Configure the following security policy settings as follows:
-
- - Disable [Microsoft network client: Digitally sign communications (always)](smbv1-microsoft-network-client-digitally-sign-communications-always.md).
- - Disable **Microsoft network server: Digitally sign communications (always)**.
- - Enable [Microsoft network client: Digitally sign communications (if server agrees)](smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md).
- - Enable [Microsoft network server: Digitally sign communications (if client agrees)](smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md).
-
-2. Alternately, you can set all of these policy settings to Enabled, but enabling them can cause slower performance on client devices and prevent them from communicating with legacy SMB applications and operating systems.
-
-### Location
-
-Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
-
-### Default values
-
-The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page.
-
-| Server type or GPO | Default value |
-| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Enabled|
-| Stand-Alone Server Default Settings | Not defined|
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings| Not defined|
-| Client Computer Effective Default Settings | Disabled|
-
-## Policy management
-
-This section describes features and tools that are available to help you manage this policy.
-
-### Restart requirement
-
-None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy.
-
-## Security considerations
-
-This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
-
-### Vulnerability
-
-Session hijacking uses tools that allow attackers who have access to the same network as the client device or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned Server Message Block (SMB) packets and then modify the traffic and forward it so that the server might perform objectionable actions. Alternatively, the attacker could pose as the server or client device after legitimate authentication and gain unauthorized access to data.
-
-SMB is the resource-sharing protocol that is supported by many Windows operating systems. It's the basis of NetBIOS and many other protocols. SMB signatures authenticate users and the servers that host the data. If either side fails the authentication process, data transmission doesn't take place.
-
-### Countermeasure
-
-Configure the settings as follows:
-
-- Disable [Microsoft network client: Digitally sign communications (always)](smbv1-microsoft-network-client-digitally-sign-communications-always.md).
-- Disable **Microsoft network server: Digitally sign communications (always)**.
-- Enable [Microsoft network client: Digitally sign communications (if server agrees)](smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md).
-- Enable [Microsoft network server: Digitally sign communications (if client agrees)](smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md).
-
-In highly secure environments, we recommend that you configure all of these settings to Enabled. However, that configuration may cause slower performance on client devices and prevent communications with earlier SMB applications and operating systems.
-
->**Note:** An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing.
-
-### Potential impact
-
-Implementations of the SMB file and print-sharing protocol support mutual authentication. This mutual authentication prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by the client and the server.
-
-Implementation of SMB signing may negatively affect performance because each packet must be signed and verified. If these settings are enabled on a server that is performing multiple roles, such as a small business server that is serving as a domain controller, file server, print server, and application server, performance may be substantially slowed. Additionally, if you configure computers to ignore all unsigned SMB communications, older applications and operating systems can't connect. However, if you completely disable all SMB signing, devices are vulnerable to session-hijacking attacks.
-
-## Related topics
-
-- [Security Options](security-options.md)
diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md
deleted file mode 100644
index cf2feb9753..0000000000
--- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md
+++ /dev/null
@@ -1,122 +0,0 @@
----
-title: SMBv1 Microsoft network server Digitally sign communications (if client agrees) (Windows 10)
-description: Best practices, security considerations and more for the security policy setting, Microsoft network server Digitally sign communications (if client agrees).
-ms.assetid: c92b2e3d-1dbf-4337-a145-b17a585f4fc1
-ms.reviewer:
-ms.author: vinpa
-ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
-audience: ITPro
-ms.topic: conceptual
-ms.date: 01/04/2019
-ms.technology: itpro-security
----
-
-# SMBv1 Microsoft network server: Digitally sign communications (if client agrees)
-
-**Applies to**
-- Windows 10
-
-This topic is about the Server Message Block (SMB) v1 protocol. SMBv1 isn't secure and has been deprecated in Windows. Beginning with Windows 10 Fall Creators Update and Windows Server, version 1709, [SMBv1 isn't installed by default](/windows-server/storage/file-server/troubleshoot/smbv1-not-installed-by-default-in-windows).
-
-The rest of this topic describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (if client agrees)** security policy setting only for SMBv1. The same policy setting can be applied to computers that run SMBv2. For more information, see [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-always.md).
-
-## Reference
-
-The Server Message Block (SMB) protocol provides the basis for file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets.
-This policy setting determines whether SMB packet signing must be negotiated before further communication with the Server service is permitted.
-
-Implementation of digital signatures in high-security networks helps to prevent the impersonation of client computers and servers, which is known as "session hijacking." But misuse of these policy settings is a common error that can cause data loss or problems with data access or security.
-
-If server-side SMB signing is required, a client device won't be able to establish a session with that server, unless it has client-side SMB signing enabled. By default, client-side SMB signing is enabled on workstations, servers, and domain controllers. Similarly, if client-side SMB signing is required, that client device won't be able to establish a session with servers that don't have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers.
-
-If server-side SMB signing is enabled, SMB packet signing will be negotiated with client computers that have SMB signing enabled.
-
-[!INCLUDE [smb1-perf-note](includes/smb1-perf-note.md)]
-
-There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications:
-
-- [Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md)
-- [Microsoft network client: Digitally sign communications (if server agrees)](smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md)
-- [Microsoft network client: Digitally sign communications (always)](smbv1-microsoft-network-client-digitally-sign-communications-always.md)
-
-### Possible values
-
-- Enabled
-- Disabled
-- Not defined
-
-### Best practices
-
-1. Configure the following security policy settings as follows:
-
- - Disable [Microsoft network client: Digitally sign communications (always)](smbv1-microsoft-network-client-digitally-sign-communications-always.md).
- - Disable [Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md).
- - Enable [Microsoft Network Client: Digitally Sign Communications (If Server Agrees)](smbv1-microsoft-network-server-digitally-sign-communications-always.md).
- - Enable **Microsoft Network Server: Digitally Sign Communications (If Client Agrees)**.
-
-2. Alternately, you can set all of these policy settings to Enabled, but enabling them can cause slower performance on client devices and prevent them from communicating with legacy SMB applications and operating systems.
-
-### Location
-
-Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
-
-### Default values
-
-The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page.
-
-
-| Server type or GPO Default value |
-|--------------------------------------------|
-| Default Domain Policy |
-| Default Domain Controller Policy |
-| Stand-Alone Server Default Settings |
-| DC Effective Default Settings |
-| Member Server Effective Default Settings |
-| Client Computer Effective Default Settings |
-
-## Policy management
-
-This section describes features and tools that are available to help you manage this policy.
-
-### Restart requirement
-
-None. Changes to this policy become effective without a computer restart when they're saved locally or distributed through Group Policy.
-
-## Security considerations
-
-This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
-
-### Vulnerability
-
-Session hijacking uses tools that allow attackers who have access to the same network as the client device or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned Server Message Block (SMB) packets and then modify the traffic and forward it so that the server might perform objectionable actions. Alternatively, the attacker could pose as the server or client computer after legitimate authentication and gain unauthorized access to data.
-
-SMB is the resource-sharing protocol that is supported by many Windows operating systems. It's the basis of NetBIOS and many other protocols. SMB signatures authenticate users and the servers that host the data. If either side fails the authentication process, data transmission doesn't take place.
-
-### Countermeasure
-
-Configure the settings as follows:
-
-- Disable [Microsoft network client: Digitally sign communications (always)](smbv1-microsoft-network-client-digitally-sign-communications-always.md).
-- Disable [Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md).
-- Enable [Microsoft network client: Digitally sign communications (if server agrees)](smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md).
-- Enable **Microsoft network server: Digitally sign communications (if client agrees)**.
-
-In highly secure environments, we recommend that you configure all of these settings to Enabled. However, that configuration may cause slower performance on client devices and prevent communications with earlier SMB applications and operating systems.
-
->**Note:** An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing.
-
-### Potential impact
-
-SMB file and print-sharing protocol support mutual authentication. This mutual authentication prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by the client and the server.
-
-Implementation of SMB signing may negatively affect performance because each packet must be signed and verified. If these settings are enabled on a server that is performing multiple roles, such as a small business server that is serving as a domain controller, file server, print server, and application server, performance may be substantially slowed. Additionally, if you configure computers to ignore all unsigned SMB communications, older applications and operating systems can't connect. However, if you completely disable all SMB signing, computers are vulnerable to session-hijacking attacks.
-
-## Related topics
-
-- [Security Options](security-options.md)
diff --git a/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md b/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md
index f165400681..bfd1681088 100644
--- a/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md
+++ b/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Synchronize directory service data
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Synchronize directory service data** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md b/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md
index 8e1ac04319..8c12b88790 100644
--- a/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md
+++ b/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# System cryptography: Force strong key protection for user keys stored on the computer
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management and security considerations for the **System cryptography: Force strong key protection for user keys stored on the computer** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
index 86ed35f4ec..f8f1af1c61 100644
--- a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
+++ b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
**Applies to**
+- Windows 11
- Windows 10
This security policy reference topic for the IT professional describes the best practices, location, values, policy management and security considerations for this policy setting.
@@ -121,4 +122,4 @@ uses the RDP protocol to communicate with servers that run Terminal Services and
## Related topics
-- [Security Options](security-options.md)
\ No newline at end of file
+- [Security Options](security-options.md)
diff --git a/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md b/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md
index fb283fcb9b..e40e3772a0 100644
--- a/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md
+++ b/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# System objects: Require case insensitivity for non-Windows subsystems
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **System objects: Require case insensitivity for non-Windows subsystems** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md b/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md
index c4cc3fd368..3f5107710b 100644
--- a/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md
+++ b/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# System objects: Strengthen default permissions of internal system objects (for example, Symbolic Links)
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management and security considerations for the **System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md b/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md
index d287cf1d46..1634b509b2 100644
--- a/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md
+++ b/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# System settings: Optional subsystems
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **System settings: Optional subsystems** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md b/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md
index 4d194b9586..cce46ae1bc 100644
--- a/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md
+++ b/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# System settings: Use certificate rules on Windows executables for Software Restriction Policies
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management and security considerations for the **System settings: Use certificate rules on Windows executables for Software Restriction Policies** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md b/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md
index 279eeced74..4010dae1ca 100644
--- a/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md
+++ b/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# Take ownership of files or other objects
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Take ownership of files or other objects** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md b/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md
index 73b7ad213e..21d8236c79 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md
@@ -19,9 +19,10 @@ ms.technology: itpro-security
# User Account Control: Admin Approval Mode for the Built-in Administrator account
**Applies to**
+- Windows 11
- Windows 10
-Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Admin Approval Mode for the Built-in Administrator account** security policy setting.
+Describes the best practices, location, values, policy management, and security considerations for the **User Account Control: Admin Approval Mode for the Built-in Administrator account** security policy setting.
## Reference
@@ -92,4 +93,4 @@ Enable the **User Account Control: Admin Approval Mode for the Built-in Administ
Users who sign in by using the local administrator account are prompted for consent whenever a program requests an elevation in privilege.
## Related topics
-- [Security Options](/windows/device-security/security-policy-settings/security-options)
\ No newline at end of file
+- [Security Options](/windows/device-security/security-policy-settings/security-options)
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md b/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md
index 541ed662b6..f5fc92749b 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, and security considerations for the **User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md
index b573193466..ce19aa2735 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** security policy setting.
@@ -113,4 +114,4 @@ Administrators should be made aware that they'll be prompted for consent when al
## Related topics
-- [Security Options](/windows/device-security/security-policy-settings/security-options)
\ No newline at end of file
+- [Security Options](/windows/device-security/security-policy-settings/security-options)
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md
index cc56752bf0..aa32f66540 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# User Account Control: Behavior of the elevation prompt for standard users
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Behavior of the elevation prompt for standard users** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md b/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md
index 9a76eb60a7..57b797bc2c 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# User Account Control: Detect application installations and prompt for elevation
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Detect application installations and prompt for elevation** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md
index 5b94f9db23..674025df05 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# User Account Control: Only elevate executables that are signed and validated
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **User Account Control: Only elevate executables that are signed and validated** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md
index c181b31d00..8814018506 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# User Account Control: Only elevate UIAccess applications that are installed in secure locations
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **User Account Control: Only elevate UIAccess applications that are installed in secure locations** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md b/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md
index 28bcf3d293..a206b627a3 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# User Account Control: Run all administrators in Admin Approval Mode
**Applies to**
+- Windows 11
- Windows 10
This article describes the best practices, location, values, policy management and security considerations for the **User Account Control: Run all administrators in Admin Approval Mode** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md b/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md
index 3e92e84352..c0fb6ba1cc 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# User Account Control: Switch to the secure desktop when prompting for elevation
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Switch to the secure desktop when prompting for elevation** security policy setting.
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md b/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md
index fe36fcdd30..678f1180d6 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md
@@ -20,6 +20,7 @@ ms.technology: itpro-security
# User Account Control: Virtualize file and registry write failures to per-user locations
**Applies to**
+- Windows 11
- Windows 10
Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Virtualize file and registry write failures to per-user locations** security policy setting.
diff --git a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md
index 1404209dea..10b4f41000 100644
--- a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md
+++ b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md
@@ -1,15 +1,11 @@
---
title: How a Windows Defender System Guard helps protect Windows 10
description: Windows Defender System Guard reorganizes the existing Windows 10 system integrity features under one roof. Learn how it works.
-ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.reviewer:
manager: aaroncz
ms.author: vinpa
search.appverid: met150
ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
ms.date: 03/01/2019
@@ -87,7 +83,15 @@ After the system boots, Windows Defender System Guard signs and seals these meas
## System requirements for System Guard
-|For Intel® vPro™ processors starting with Intel® Coffeelake, Whiskeylake, or later silicon|Description|
+This feature is available for the following processors:
+
+- Intel® vPro™ processors starting with Intel® Coffeelake, Whiskeylake, or later silicon
+- AMD® processors starting with Zen2 or later silicon
+- Qualcomm® processors with SD850 or later chipsets
+
+### Requirements for Intel® vPro™ processors starting with Intel® Coffeelake, Whiskeylake, or later silicon
+
+|Name|Description|
|--------|-----------|
|64-bit CPU|A 64-bit computer with minimum four cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more information about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more information about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).|
|Trusted Platform Module (TPM) 2.0|Platforms must support a discrete TPM 2.0. Integrated/firmware TPMs aren't supported, except Intel chips that support Platform Trust Technology (PTT), which is a type of integrated hardware TPM that meets the TPM 2.0 spec.|
@@ -101,7 +105,9 @@ After the system boots, Windows Defender System Guard signs and seals these meas
|Platform firmware|Platform firmware must carry all code required to execute an Intel® Trusted Execution Technology secure launch:
Intel® SINIT ACM must be carried in the OEM BIOS
Platforms must ship with a production ACM signed by the correct production Intel® ACM signer for the platform
|
|Platform firmware update|System firmware is recommended to be updated via UpdateCapsule in Windows Update. |
-|For AMD® processors starting with Zen2 or later silicon|Description|
+### Requirements for AMD® processors starting with Zen2 or later silicon
+
+|Name|Description|
|--------|-----------|
|64-bit CPU|A 64-bit computer with minimum four cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more information about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more information about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).|
|Trusted Platform Module (TPM) 2.0|Platforms must support a discrete TPM 2.0 OR Microsoft Pluton TPM.|
@@ -113,7 +119,9 @@ After the system boots, Windows Defender System Guard signs and seals these meas
|Platform firmware|Platform firmware must carry all code required to execute Secure Launch:
AMD® Secure Launch platforms must ship with AMD® DRTM driver devnode exposed and the AMD® DRTM driver installed
Platform must have AMD® Secure Processor Firmware Anti-Rollback protection enabled Platform must have AMD® Memory Guard enabled.|
|Platform firmware update|System firmware is recommended to be updated via UpdateCapsule in Windows Update. |
-|For Qualcomm® processors with SD850 or later chipsets|Description|
+### Requirements for Qualcomm® processors with SD850 or later chipsets
+
+|Name|Description|
|--------|-----------|
|Monitor Mode Communication|All Monitor Mode communication buffers must be implemented in either EfiRuntimeServicesData (recommended), data sections of EfiRuntimeServicesCode as described by the Memory Attributes Table, EfiACPIMemoryNVS, or EfiReservedMemoryType memory types|
|Monitor Mode Page Tables|All Monitor Mode page tables must:
NOT contain any mappings to EfiConventionalMemory (for example no OS/VMM owned memory)
They must NOT have execute and write permissions for the same page
Platforms must only allow Monitor Mode pages marked as executable
The memory map must report Monitor Mode as EfiReservedMemoryType
Platforms must provide mechanism to protect the Monitor Mode page tables from modification
|
diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
index 929c7d815b..f605793303 100644
--- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
+++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
@@ -25,6 +25,9 @@ ms.topic: conceptual
This topic explains how to configure [System Guard Secure Launch and System Management Mode (SMM) protection](system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md) to improve the startup security of Windows 10 and Windows 11 devices. The information below is presented from a client perspective.
+> [!NOTE]
+> System Guard Secure Launch feature requires a supported processor. For more information, see [System requirements for System Guard](how-hardware-based-root-of-trust-helps-protect-windows.md#system-requirements-for-system-guard).
+
## How to enable System Guard Secure Launch
You can enable System Guard Secure Launch by using any of these options: