diff --git a/devices/surface/microsoft-surface-data-eraser.md b/devices/surface/microsoft-surface-data-eraser.md
index 2b7f54801b..b04f01e727 100644
--- a/devices/surface/microsoft-surface-data-eraser.md
+++ b/devices/surface/microsoft-surface-data-eraser.md
@@ -23,8 +23,6 @@ Find out how the Microsoft Surface Data Eraser tool can help you securely wipe d
Compatible Surface devices include:
-- Surface Studio
-
- Surface Book
- Surface Pro 4
diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md
index 726fbd96c4..07cebcf161 100644
--- a/windows/configuration/change-history-for-configure-windows-10.md
+++ b/windows/configuration/change-history-for-configure-windows-10.md
@@ -14,6 +14,12 @@ author: jdeckerMS
This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile.
+## May 2017
+
+| New or changed topic | Description |
+| --- | --- |
+| [ Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Added MDM policies for privacy settings. |
+
## April 2017
| New or changed topic | Description |
diff --git a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index c4441efc3b..804d9de6f8 100644
--- a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -89,22 +89,22 @@ See the following table for a summary of the management settings for Windows 10
| [17.1 General](#bkmk-general) |  |  |  |  | |
| [17.2 Location](#bkmk-priv-location) |  |  |  |  | |
| [17.3 Camera](#bkmk-priv-camera) |  |  |  |  | |
-| [17.4 Microphone](#bkmk-priv-microphone) |  |  | |  | |
-| [17.5 Notifications](#bkmk-priv-notifications) |  |  | |  | |
+| [17.4 Microphone](#bkmk-priv-microphone) |  |  |  |  | |
+| [17.5 Notifications](#bkmk-priv-notifications) |  |  | |  | |
| [17.6 Speech, inking, & typing](#bkmk-priv-speech) |  |  |  |  | |
-| [17.7 Account info](#bkmk-priv-accounts) |  |  | |  | |
-| [17.8 Contacts](#bkmk-priv-contacts) |  |  | |  | |
-| [17.9 Calendar](#bkmk-priv-calendar) |  |  | |  | |
-| [17.10 Call history](#bkmk-priv-callhistory) |  |  | |  | |
-| [17.11 Email](#bkmk-priv-email) |  |  | |  | |
-| [17.12 Messaging](#bkmk-priv-messaging) |  |  | |  | |
-| [17.13 Radios](#bkmk-priv-radios) |  |  | |  | |
-| [17.14 Other devices](#bkmk-priv-other-devices) |  |  | |  | |
+| [17.7 Account info](#bkmk-priv-accounts) |  |  |  |  | |
+| [17.8 Contacts](#bkmk-priv-contacts) |  |  |  |  | |
+| [17.9 Calendar](#bkmk-priv-calendar) |  |  |  |  | |
+| [17.10 Call history](#bkmk-priv-callhistory) |  |  |  |  | |
+| [17.11 Email](#bkmk-priv-email) |  |  |  |  | |
+| [17.12 Messaging](#bkmk-priv-messaging) |  |  |  |  | |
+| [17.13 Radios](#bkmk-priv-radios) |  |  |  |  | |
+| [17.14 Other devices](#bkmk-priv-other-devices) |  |  |  |  | |
| [17.15 Feedback & diagnostics](#bkmk-priv-feedback) |  |  |  |  | |
-| [17.16 Background apps](#bkmk-priv-background) |  | | | | |
-| [17.17 Motion](#bkmk-priv-motion) |  |  | |  | |
-| [17.18 Tasks](#bkmk-priv-tasks) |  |  | |  | |
-| [17.19 App Diagnostics](#bkmk-priv-diag) |  |  | |  | |
+| [17.16 Background apps](#bkmk-priv-background) |  |  |  | | |
+| [17.17 Motion](#bkmk-priv-motion) |  |  |  |  | |
+| [17.18 Tasks](#bkmk-priv-tasks) |  |  |  |  | |
+| [17.19 App Diagnostics](#bkmk-priv-diag) |  |  |  |  | |
| [18. Software Protection Platform](#bkmk-spp) | |  |  |  | |
| [19. Sync your settings](#bkmk-syncsettings) |  |  |  |  | |
| [20. Teredo](#bkmk-teredo) | |  | |  |  |
@@ -204,6 +204,7 @@ For Windows 10, Windows Server 2016 with Desktop Experience, and Windows Server
3. On the **Network Retrieval** tab, select the **Define these policy settings** check box.
4. Clear the **Automatically update certificates in the Microsoft Root Certificate Program (recommended)** check box, and then click **OK**.
+
On Windows Server 2016 Nano Server:
- Create the registry path **HKEY\_LOCAL\_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot** and then add a REG\_DWORD registry setting, called **DisableRootAutoUpdate**, with a value of 1.
@@ -308,7 +309,7 @@ To turn off Find My Device:
- Turn off the feature in the UI
- -or
+ -or-
- Disable the Group Policy: **Computer Configuration** > **Administrative Template** > **Windows Components** > **Find My Device** > **Turn On/Off Find My Device**
@@ -422,7 +423,11 @@ You can also use registry entries to set these Group Policies.
| Turn off the flip ahead with page prediction feature | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\FlipAhead!Enabled
REG_DWORD: 0|
| Turn off background synchronization for feeds and Web Slices | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Feeds!BackgroundSyncStatus
REG_DWORD:0 |
-To turn off the home page, enable the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Disable changing home page settings**
+To turn off the home page, enable the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Disable changing home page settings**, and set it to **about:blank**.
+
+To configure the First Run Wizard, enable the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Prevent running First Run wizard**, and set it to **Go directly to home page**.
+
+To configure the behavior for a new tab, enable the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Specify default behavior for a new tab**, and set it to **about:blank**.
### 8.1 ActiveX control blocking
@@ -479,11 +484,14 @@ To prevent communication to the Microsoft Account cloud authentication service.
- Apply the Group Policy: **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options** > **Accounts: Block Microsoft Accounts** and set it to **Users can't add Microsoft accounts**.
-or-
+
- Create a REG\_DWORD registry setting called **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System!NoConnectedUser**, with a value of 3.
To disable the Microsoft Account Sign-In Assistant:
- Apply the Accounts/AllowMicrosoftAccountSignInAssistant MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on.
+- Change the Start REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\wlidsvc** to a value of **4**.
+
### 12. Microsoft Edge
@@ -521,7 +529,7 @@ Alternatively, you can configure the Microsoft Group Policies using the followin
| Policy | Registry path |
| - | - |
-| Configure Autofill | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main!Use FormSuggest
REG_SZ: **about:blank** |
+| Configure Autofill | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main!Use FormSuggest
REG_SZ: **no** |
| Configure Do Not Track | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main!DoNotTrack
REG_DWORD: 1 |
| Configure Password Manager | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main!FormSuggest Passwords
REG_SZ: **no** |
| Configure search suggestions in Address bar | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\SearchScopes!ShowSearchSuggestionsGlobal
REG_DWORD: 0|
@@ -1004,7 +1012,15 @@ To turn off **Let apps use my microphone**:
- Set the **Select a setting** box to **Force Deny**.
- -or-
+ -or-
+
+- Apply the Privacy/LetAppsAccessMicrophone MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessmicrophone), where:
+
+ - **0**. User in control
+ - **1**. Force allow
+ - **2**. Force deny
+
+ -or-
- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessMicrophone**, with a value of 2 (two)
@@ -1026,6 +1042,14 @@ To turn off **Let apps access my notifications**:
- Set the **Select a setting** box to **Force Deny**.
+ -or-
+
+- Apply the Privacy/LetAppsAccessNotifications MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessnotifications), where:
+
+ - **0**. User in control
+ - **1**. Force allow
+ - **2**. Force deny
+
-or-
- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessNotifications**, with a value of 2 (two)
@@ -1088,6 +1112,14 @@ To turn off **Let apps access my name, picture, and other account info**:
-or-
+- Apply the Privacy/LetAppsAccessAccountInfo MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessaccountinfo), where:
+
+ - **0**. User in control
+ - **1**. Force allow
+ - **2**. Force deny
+
+ -or-
+
- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessContacts**, with a value of 2 (two).
To turn off **Choose the apps that can access your account info**:
@@ -1108,6 +1140,14 @@ To turn off **Choose apps that can access contacts**:
- Set the **Select a setting** box to **Force Deny**.
+ -or-
+
+- Apply the Privacy/LetAppsAccessContacts MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccesscontacts), where:
+
+ - **0**. User in control
+ - **1**. Force allow
+ - **2**. Force deny
+
### 17.9 Calendar
In the **Calendar** area, you can choose which apps have access to an employee's calendar.
@@ -1124,6 +1164,14 @@ To turn off **Let apps access my calendar**:
-or-
+- Apply the Privacy/LetAppsAccessCalendar MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccesscalendar), where:
+
+ - **0**. User in control
+ - **1**. Force allow
+ - **2**. Force deny
+
+ -or-
+
- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessCalendar**, with a value of 2 (two).
To turn off **Choose apps that can access calendar**:
@@ -1144,7 +1192,15 @@ To turn off **Let apps access my call history**:
- Set the **Select a setting** box to **Force Deny**.
- -or-
+ -or-
+
+ - Apply the Privacy/LetAppsAccessCallHistory MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccesscallhistory), where:
+
+ - **0**. User in control
+ - **1**. Force allow
+ - **2**. Force deny
+
+ -or-
- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessCallHistory**, with a value of 2 (two).
@@ -1162,7 +1218,15 @@ To turn off **Let apps access and send email**:
- Set the **Select a setting** box to **Force Deny**.
- -or-
+ -or-
+
+ - Apply the Privacy/LetAppsAccessEmail MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessemail), where:
+
+ - **0**. User in control
+ - **1**. Force allow
+ - **2**. Force deny
+
+ -or-
- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessEmail**, with a value of 2 (two).
@@ -1182,6 +1246,14 @@ To turn off **Let apps read or send messages (text or MMS)**:
-or-
+- Apply the Privacy/LetAppsAccess17.17 Motion
In the **Motion** area, you can choose which apps have access to your motion data.
@@ -1350,6 +1447,14 @@ To turn off **Let Windows and your apps use your motion data and collect motion
-or-
+- Apply the Privacy/LetAppsAccessMotion MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessmotion), where:
+
+ - **0**. User in control
+ - **1**. Force allow
+ - **2**. Force deny
+
+ -or-
+
- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessMotion**, with a value of 2 (two).
### 17.18 Tasks
@@ -1366,6 +1471,14 @@ To turn this off:
- Set the **Select a setting** box to **Force Deny**.
+ -or-
+
+- Apply the Privacy/LetAppsAccessTasks MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccesstasks), where:
+
+ - **0**. User in control
+ - **1**. Force allow
+ - **2**. Force deny
+
### 17.19 App Diagnostics
In the **App diagnostics** area, you can choose which apps have access to your diagnostic information.
@@ -1378,6 +1491,15 @@ To turn this off:
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access dignostic information about other apps**
+ -or-
+
+- Apply the Privacy/LetAppsGetDiagnosticInfo MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsgetdiagnosticinfo), where:
+
+ - **0**. User in control
+ - **1**. Force allow
+ - **2**. Force deny
+
+
### 18. Software Protection Platform
Enterprise customers can manage their Windows activation status with volume licensing using an on-premise Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by doing one of the following:
@@ -1563,7 +1685,7 @@ If you're running Windows 10, version 1607 or later, you only need to enable the
-or-
- - Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableWindowsSpotlightFeatures**, with a value of 1 (one).
+- Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableWindowsSpotlightFeatures**, with a value of 1 (one).
If you're not running Windows 10, version 1607 or later, you can use the other options in this section.
@@ -1591,7 +1713,7 @@ If you're not running Windows 10, version 1607 or later, you can use the other o
> This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Do not display the lock screen**. Alternatively, you can create a new REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization!LockScreenImage**, with a value of **C:\\windows\\web\\screen\\lockscreen.jpg** and create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization!LockScreenOverlaysDisabled**, with a value of 1 (one).
- - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows tips**.
+ - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows tips**.
-or-
@@ -1599,9 +1721,9 @@ If you're not running Windows 10, version 1607 or later, you can use the other o
- **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off Microsoft consumer experiences**.
- -or-
+ -or-
- - Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableWindowsConsumerFeatures**, with a value of 1 (one).
+ - Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableWindowsConsumerFeatures**, with a value of 1 (one).
For more info, see [Windows Spotlight on the lock screen](windows-spotlight.md).
diff --git a/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
index 0963cb7037..183bf2bd6b 100644
--- a/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
@@ -27,7 +27,7 @@ localizationpriority: high
Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service that enables enterprise customers to detect, investigate, and respond to advanced threats on their networks.
-Get a quick, but in-depth overview of Windows Defender ATP for Windows 10 and the new capabilities in Windows 10, version 1703 see (Windows Defender ATP for Windows 10 Creators Update)[https://technet.microsoft.com/en-au/windows/mt782787].
+Get a quick, but in-depth overview of Windows Defender ATP for Windows 10 and the new capabilities in Windows 10, version 1703 see [Windows Defender ATP for Windows 10 Creators Update](https://technet.microsoft.com/en-au/windows/mt782787).
Windows Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service: