diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index e115963c4d..9ee61b0ad6 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -7647,7 +7647,7 @@
},
{
"source_path": "windows/manage/manage-corporate-devices.md",
-"redirect_url": "/windows/client-management/manage-corporate-devices",
+"redirect_url": "/windows/client-management/index",
"redirect_document_id": true
},
{
diff --git a/bcs/index.md b/bcs/index.md
index d877efe94f..01f7f2e27b 100644
--- a/bcs/index.md
+++ b/bcs/index.md
@@ -4,6 +4,7 @@ hide_bc: true
author: CelesteDG
ms.author: celested
ms.topic: hub-page
+ms.localizationpriority: high
audience: microsoft-business
title: Microsoft 365 Business documentation and resources
description: Learn about the product documentation and resources available for Microsoft 365 Business partners, IT admins, information workers, and business owners.
@@ -12,7 +13,7 @@ description: Learn about the product documentation and resources available for M
Got on-premises AD and plan to move your organization’s identity management to the cloud? Do a one-time sync using Azure AD Connect.Minimal hybrid migration.
@@ -351,7 +352,26 @@ description: Learn about the product documentation and resources available for M
Data type is integer. Sample value for this node to enable this policy: 1. Disabling this policy will not turn off the encryption on the storage card, but the user will no longer be prompted to turn it on.
+- 0 (default) – Storage cards do not need to be encrypted.
+- 1 – Require Storage cards to be encrypted.
+
+
Disabling this policy will not turn off the encryption on the system card, but the user will no longer be prompted to turn it on.
+
If you want to disable this policy use the following SyncML:
``` syntax
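Review bot: "system card" in the line "Disabling this policy will not turn off the encryption on the system card" reads like a copy of the storage card sentence above it with one word swapped. Please confirm which node this sentence describes and use the correct term for it (for the system volume that would be "system drive").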
@@ -86,8 +91,38 @@ The following diagram shows the BitLocker configuration service provider in tree
Data type is integer. Supported operations are Add, Get, Replace, and Delete.
-**EncryptionMethodByDriveType**
-
Allows you to set the default encrytion method for each of the different drive types. This setting is a direct mapping to the Bitlocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)" (Policy EncryptionMethodWithXts_Name).
+**EncryptionMethodByDriveType**
+
Allows you to set the default encrytion method for each of the different drive types. This setting is a direct mapping to the Bitlocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)".
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
ADMX Info:
+
+
GP English name: *Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)*
+
GP name: *EncryptionMethodWithXts_Name*
+
GP path: *Windows Components/Bitlocker Drive Encryption*
+
GP ADMX file name: *VolumeEncryption.admx*
+
+
+> [!Tip]
+> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
This setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress.
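Review bot: the rewritten description line still carries the typo "encrytion" ("set the default encrytion method"), and the product name is written "Bitlocker" both there and in the new GP path line, while the following paragraph uses "BitLocker". Since the line is being touched anyway, change it to "encryption" and use "BitLocker" throughout the added block.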
@@ -135,7 +170,37 @@ The following diagram shows the BitLocker configuration service provider in tree
Data type is string. Supported operations are Add, Get, Replace, and Delete.
**SystemDrivesRequireStartupAuthentication**
-
This setting is a direct mapping to the Bitlocker Group Policy "Require additional authentication at startup" (ConfigureAdvancedStartup_Name ).
+
This setting is a direct mapping to the Bitlocker Group Policy "Require additional authentication at startup".
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
ADMX Info:
+
+
GP English name: *Require additional authentication at startup*
+
GP name: *ConfigureAdvancedStartup_Name*
+
GP path: *Windows Components/Bitlocker Drive Encryption/Operating System Drives*
+
GP ADMX file name: *VolumeEncryption.admx*
+
+
+> [!Tip]
+> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
This setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This setting is applied when you turn on BitLocker.
@@ -199,7 +264,37 @@ The following diagram shows the BitLocker configuration service provider in tree
Data type is string. Supported operations are Add, Get, Replace, and Delete.
**SystemDrivesMinimumPINLength**
-
This setting is a direct mapping to the Bitlocker Group Policy "Configure minimum PIN length for startup" (GP MinimumPINLength_Name).
+
This setting is a direct mapping to the Bitlocker Group Policy "Configure minimum PIN length for startup".
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
ADMX Info:
+
+
GP English name:*Configure minimum PIN length for startup*
+
GP name: *MinimumPINLength_Name*
+
GP path: *Windows Components/Bitlocker Drive Encryption/Operating System Drives*
+
GP ADMX file name: *VolumeEncryption.admx*
+
+
+> [!Tip]
+> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
This setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 6 digits and can have a maximum length of 20 digits.
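Review bot: the added ADMX Info line "GP English name:*Configure minimum PIN length for startup*" is missing the space after the colon that the GP name, GP path and GP ADMX file name lines in the same block have. Add the space so this block matches the other ADMX Info blocks added in this file.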
@@ -234,6 +329,36 @@ The following diagram shows the BitLocker configuration service provider in tree
**SystemDrivesRecoveryMessage**
This setting is a direct mapping to the Bitlocker Group Policy "Configure pre-boot recovery message and URL" (PrebootRecoveryInfo_Name).
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
ADMX Info:
+
+
GP English name: *Configure pre-boot recovery message and URL*
+
GP name: *PrebootRecoveryInfo_Name*
+
GP path: *Windows Components/Bitlocker Drive Encryption/Operating System Drives*
+
GP ADMX file name: *VolumeEncryption.admx*
+
+
+> [!Tip]
+> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
This setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key recovery screen when the OS drive is locked.
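Review bot: the mapping sentence for SystemDrivesRecoveryMessage still ends with "(PrebootRecoveryInfo_Name)" although this hunk adds an ADMX Info block that lists the same GP name. The EncryptionMethodByDriveType, SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength hunks removed the parenthetical when they added the block; do the same here and in the remaining sections so the GP name is stated once and the sections stay consistent.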
@@ -285,6 +410,36 @@ The following diagram shows the BitLocker configuration service provider in tree
**SystemDrivesRecoveryOptions**
This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected operating system drives can be recovered" (OSRecoveryUsage_Name).
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
ADMX Info:
+
+
GP English name: *Choose how BitLocker-protected operating system drives can be recovered*
+
GP name: *OSRecoveryUsage_Name*
+
GP path: *Windows Components/Bitlocker Drive Encryption/Operating System Drives*
+
GP ADMX file name: *VolumeEncryption.admx*
+
+
+> [!Tip]
+> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
This setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This setting is applied when you turn on BitLocker.
@@ -352,7 +507,37 @@ The following diagram shows the BitLocker configuration service provider in tree
Data type is string. Supported operations are Add, Get, Replace, and Delete.
**FixedDrivesRecoveryOptions**
-
This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" (FDVRecoveryUsage_Name).
+
This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" ().
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
ADMX Info:
+
+
GP English name: *Choose how BitLocker-protected fixed drives can be recovered*
+
GP name: *FDVRecoveryUsage_Name*
+
GP path: *Windows Components/Bitlocker Drive Encryption/Fixed Drives*
+
GP ADMX file name: *VolumeEncryption.admx*
+
+
+> [!Tip]
+> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
This setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This setting is applied when you turn on BitLocker.
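Review bot: the replacement sentence for FixedDrivesRecoveryOptions ends with an empty pair of parentheses, "can be recovered" ()., left behind when FDVRecoveryUsage_Name was removed. Delete the " ()" so the sentence ends after the quoted policy name, as in the other rewritten sections.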
@@ -422,6 +607,36 @@ The following diagram shows the BitLocker configuration service provider in tree
**FixedDrivesRequireEncryption**
This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to fixed drives not protected by BitLocker" (FDVDenyWriteAccess_Name).
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
ADMX Info:
+
+
GP English name: *Deny write access to fixed drives not protected by BitLocker*
+
GP name: *FDVDenyWriteAccess_Name*
+
GP path: *Windows Components/Bitlocker Drive Encryption/Fixed Drives*
+
GP ADMX file name: *VolumeEncryption.admx*
+
+
+> [!Tip]
+> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
This setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer.
@@ -454,6 +669,36 @@ The following diagram shows the BitLocker configuration service provider in tree
**RemovableDrivesRequireEncryption**
This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to removable drives not protected by BitLocker" (RDVDenyWriteAccess_Name).
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
ADMX Info:
+
+
GP English name: *Deny write access to removable drives not protected by BitLocker*
+
GP name: *RDVDenyWriteAccess_Name*
+
GP path: *Windows Components/Bitlocker Drive Encryption/Removeable Drives*
+
GP ADMX file name: *VolumeEncryption.admx*
+
+
+> [!Tip]
+> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
This setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.
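Review bot: the added GP path line spells the folder "Removeable Drives". An admin will use this string to locate the policy in the Group Policy editor, so please correct the spelling and check the folder name against what VolumeEncryption.admx actually displays, the same way the Fixed Drives path should be checked.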
@@ -495,6 +740,31 @@ The following diagram shows the BitLocker configuration service provider in tree
```
+**AllowWarningForOtherDiskEncryption**
+
+
Allows the Admin to disable the warning prompt for other disk encryption on the user machines.
Admin should set the value to 0 to disable the warning. If you want to disable this policy use the following SyncML:
+
+``` syntax
+
+ 110
+
+
+ ./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption
+
+
+ int
+
+ 0
+
+
+```
### SyncML example
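Review bot: the relocated AllowWarningForOtherDiskEncryption section tells the admin to set 0 to disable the warning but never lists the allowed values or the default, and the lead-in "If you want to disable this policy" is ambiguous next to a SyncML that sets 0. Add a value list in the same form as the storage card values added earlier in this file ("0 ...", "1 ...", with the default marked) and reword the lead-in to say that the SyncML disables the warning prompt.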
@@ -659,29 +929,3 @@ The following example is provided to show proper format and should not be taken
```
-
-**AllowWarningForOtherDiskEncryption**
-
-
Allows the Admin to disable the warning prompt for other disk encryption on the user machines.
Admin should set the value to 0 to disable the warning. If you want to disable this policy use the following SyncML:
-
-``` syntax
-
- 110
-
-
- ./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption
-
-
- int
-
- 0
-
-
-```
\ No newline at end of file
diff --git a/windows/client-management/mdm/cm-cellularentries-csp.md b/windows/client-management/mdm/cm-cellularentries-csp.md
index 392f0820ef..7e2371d151 100644
--- a/windows/client-management/mdm/cm-cellularentries-csp.md
+++ b/windows/client-management/mdm/cm-cellularentries-csp.md
@@ -183,14 +183,15 @@ The following diagram shows the CM\_CellularEntries configuration service provid
For single SIM phones, this parm is optional. However, it is highly recommended to include this value when creating future updates. For dual SIM phones, this parm is required. Type: String. Specifies the SIM ICCID that services the connection.
**PurposeGroups**
-
Optional. Type: String. Specifies the purposes of the connection by a comma-separated list of GUIDs representing purpose values. The following purpose values are available:
+
Required. Type: String. Specifies the purposes of the connection by a comma-separated list of GUIDs representing purpose values. The following purpose values are available:
- Internet - 3E5545D2-1137-4DC8-A198-33F1C657515F
- MMS - 53E2C5D3-D13C-4068-AA38-9C48FF2E55A8
- IMS - 474D66ED-0E4B-476B-A455-19BB1239ED13
- SUPL - 6D42669F-52A9-408E-9493-1071DCC437BD
-- Purchase - 95522B2B-A6D1-4E40-960B-05E6D3F962AB (added in the next version of Windows 10)
-- Administrative - 2FFD9261-C23C-4D27-8DCF-CDE4E14A3364 (added in the next version of Windows 10)
+- Purchase - 95522B2B-A6D1-4E40-960B-05E6D3F962AB
+- Administrative - 2FFD9261-C23C-4D27-8DCF-CDE4E14A3364
+- Application - 52D7654A-00A8-4140-806C-087D66705306
## Additional information
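Review bot: PurposeGroups changes from "Optional" to "Required" with no indication of when or for which Windows versions that applies, which matters to anyone with existing provisioning that omits the node. The same hunk removes "(added in the next version of Windows 10)" from Purchase and Administrative and adds Application with no version at all; replace the removed text with the actual version each value was added in rather than dropping it.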
diff --git a/windows/client-management/mdm/devdetail-csp.md b/windows/client-management/mdm/devdetail-csp.md
index c1c33e5921..45e1aa1d54 100644
--- a/windows/client-management/mdm/devdetail-csp.md
+++ b/windows/client-management/mdm/devdetail-csp.md
@@ -178,6 +178,9 @@ The following diagram shows the DevDetail configuration service provider managem
**DeviceHardwareData**
Added in Windows 10 version 1703. Returns a base64-encoded string of the hardware parameters of a device.
+> [!Note]
+> This node contains a raw blob used to identify a device in the cloud. It's not meant to be human readable by design and you cannot parse the content to get any meaningful hardware information.
+
Supported operation is Get.
## Related topics
diff --git a/windows/client-management/mdm/devicemanageability-csp.md b/windows/client-management/mdm/devicemanageability-csp.md
index 48dbeed8c0..562f8b5117 100644
--- a/windows/client-management/mdm/devicemanageability-csp.md
+++ b/windows/client-management/mdm/devicemanageability-csp.md
@@ -7,12 +7,15 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 06/19/2017
+ms.date: 08/10/2017
---
# DeviceManageability CSP
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
The DeviceManageability configuration service provider (CSP) is used retrieve the general information about MDM configuration capabilities on the device. This CSP was added in Windows 10, version 1607.
For performance reasons DeviceManageability CSP directly reads the CSP version from the registry. Specifically, the value csp\_version is used to determine each of the CSP versions. The csp\_version is a value under each of the CSP registration keys. To have consistency on the CSP version, the CSP GetProperty implementation for CFGMGR\_PROPERTY\_SEMANTICTYPE has to be updated to read from the registry as well, so that the both paths return the same information.
@@ -30,11 +33,24 @@ Interior node.
**Capabilities/CSPVersions**
Returns the versions of all configuration service providers supported on the device for the MDM service.
+**Provider**
+Added in Windows 10, version 1709. Interior node.
+**Provider/_ProviderID_**
+Added in Windows 10, version 1709. Provider ID of the configuration source.
-
+**Provider/_ProviderID_/ConfigInfo**
+Added in Windows 10, version 1709. Configuration information string value set by the configuration source. Recommended to be used during sync session.
+
+The MDM server can query ConfigInfo to determine the settings of the traditional PC management system. The MDM can also configure ConfigInfo with its own device management information.
+
+Data type is string. Supported operations are Add, Get, Delete, and Replace.
+
+**Provider/_ProviderID_/EnrollmentInfo**
+Added in Windows 10, version 1709. Enrollment information string value set by the configuration source. Recommended to send to server during MDM enrollment.
+
+Data type is string. Supported operations are Add, Get, Delete, and Replace.
-
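Review bot: the new Provider and Provider/_ProviderID_ entries do not state their supported operations, while ConfigInfo and EnrollmentInfo do ("Supported operations are Add, Get, Delete, and Replace"). Add the operations for the two parent nodes, and put a blank line between each bold node name and its description so they do not run together when rendered. It would also help to say what format the ConfigInfo and EnrollmentInfo strings are expected to have, since both are writable by the configuration source and read by the MDM server.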
diff --git a/windows/client-management/mdm/devicemanageability-ddf.md b/windows/client-management/mdm/devicemanageability-ddf.md
index f45881a241..a1f646623e 100644
--- a/windows/client-management/mdm/devicemanageability-ddf.md
+++ b/windows/client-management/mdm/devicemanageability-ddf.md
@@ -7,12 +7,15 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 06/19/2017
+ms.date: 08/10/2017
---
# DeviceManageability DDF
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
This topic shows the OMA DM device description framework (DDF) for the DeviceManageability configuration service provider. This CSP was added in Windows 10, version 1607.
You can download the DDF files from the links below:
@@ -20,7 +23,7 @@ You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
-The XML below is the current version for this CSP.
+The XML below is for Windows 10, version 1709.
``` syntax
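Review bot: the new sentence says the XML is for Windows 10, version 1709, but the download list directly above it only offers the 1703 and 1607 DDF packages. Either add the 1709 download link or state that the 1709 DDF is only available inline on this page for now.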
@@ -46,7 +49,7 @@ The XML below is the current version for this CSP.
- com.microsoft/1.0/MDM/DeviceManageability
+ com.microsoft/1.1/MDM/DeviceManageability
@@ -90,9 +93,105 @@ The XML below is the current version for this CSP.
+
+ Provider
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Provider
+
+
+
+
+
+
+
+
+
+
+
+
+ Provider ID String of the Configuration Source
+
+
+
+
+
+
+
+
+
+ ProviderID
+
+
+
+
+
+ ConfigInfo
+
+
+
+
+
+
+
+ Configuration Info string value set by the config source. Recommended to be used during sync session.
+
+
+
+
+
+
+
+
+
+ ConfigInfo
+
+ text/plain
+
+
+
+
+ EnrollmentInfo
+
+
+
+
+
+
+
+ Enrollment Info string value set by the config source. Recommended to sent to server during MDM enrollment.
+
+
+
+
+
+
+
+
+
+ EnrollmentInfo
+
+ text/plain
+
+
+
+
+
-
```
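Review bot: the EnrollmentInfo description added in the DDF reads "Recommended to sent to server during MDM enrollment", which should be "Recommended to send to server". The devicemanageability-csp.md text in this same change already has the correct wording, so the two descriptions should be brought in line.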
diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md
index 3ed0ffade4..2d8c6f0b32 100644
--- a/windows/client-management/mdm/devicestatus-csp.md
+++ b/windows/client-management/mdm/devicestatus-csp.md
@@ -231,7 +231,7 @@ The value is the number of seconds of battery life remaining when the device is
Supported operation is Get.
**DeviceStatus/DomainName**
-Added in Windows, version 1709. Returns the fully qualified domain name of the device (if any).
+Added in Windows, version 1709. Returns the fully qualified domain name of the device (if any). If the device is not domain-joined, it returns an empty string.
Supported operation is Get.
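Review bot: the edited DomainName line still begins "Added in Windows, version 1709", with the "10" missing. Since the sentence is being extended here, correct it to "Added in Windows 10, version 1709" to match the version wording used in the other topics in this change.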
diff --git a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md
new file mode 100644
index 0000000000..f7e605575a
--- /dev/null
+++ b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md
@@ -0,0 +1,300 @@
+---
+title: Enable ADMX-backed policies in MDM
+description: Guide to configuring ADMX-backed policies in MDM
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 08/11/2017
+---
+
+# Enable ADMX-backed policies in MDM
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This is a step-by-step guide to configuring ADMX-backed policies in MDM.
+
+Starting in Windows 10 version 1703, Mobile Device Management (MDM) policy configuration support expanded to allow access of select Group Policy administrative templates (ADMX-backed policies) for Windows PCs via the [Policy configuration service provider (CSP)](policy-configuration-service-provider.md). Configuring ADMX-backed policies in Policy CSP is different from the typical way you configure a traditional MDM policy.
+
+Summary of steps to enable a policy:
+- Find the policy from the list ADMX-backed policies.
+- Find the Group Policy related information from the MDM policy description.
+- Use the Group Policy Editor to determine whether there are parameters necessary to enable the policy.
+- Create the data payload for the SyncML.
+
+## Enable a policy
+
+1. Find the policy from the list [ADMX-backed policies](policy-configuration-service-provider.md#admx-backed-policies). You need the following information listed in the policy description.
+ - GP English name
+ - GP name
+ - GP ADMX file name
+ - GP path
+
+2. Use the Group Policy Editor to determine whether you need additional information to enable the policy. Run GPEdit.msc
+
+ 1. Click **Start**, then in the text box type **gpedit**.
+
+ 2. Under **Best match**, click **Edit group policy** to launch it.
+
+ 
+
+ 3. In **Local Computer Policy** navigate to the policy you want to configure.
+
+ In this example, navigate to **Administrative Templates > System > App-V**.
+
+ 
+
+ 4. Double-click **Enable App-V Client**.
+
+ The **Options** section is empty, which means there are no parameters necessary to enable the policy. If the **Options** section is not empty, follow the procedure in [Enable a policy that requires parameters](#enable-a-policy-that-requires-parameters)
+
+ 
+
+3. Create the SyncML to enable the policy that does not require any parameter.
+
+ In this example you configure **Enable App-V Client** to **Enabled**.
+
+> [!Note]
+> The \ payload must be XML encoded. To avoid encoding, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). If you are using Intune, select String as the data type.
+
+``` syntax
+
+
+
+ 2
+
+
+ chr
+ text/plain
+
+
+ ./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowAppVClient
+
+ <Enabled/>
+
+
+
+
+
+```
+
+
+## Enable a policy that requires parameters
+
+
+1. Create the SyncML to enable the policy that requires parameters.
+
+ In this example, the policy is in **Administrative Templates > System > App-V > Publishing**.
+
+ 1. Double-click **Publishing Server 2 Settings** to see the parameters you need to configure when you enable this policy.
+
+ 
+
+ 
+
+ 2. Find the variable names of the parameters in the ADMX file.
+
+ You can find the ADMX file name in the policy description in Policy CSP. In this example, the filename appv.admx is listed in [AppVirtualization/PublishingAllowServer2](policy-configuration-service-provider.md#appvirtualization-publishingallowserver2).
+
+ 
+
+ 3. Navigate to **C:\Windows\PolicyDefinitions** (default location of the admx files) and open appv.admx.
+
+ 4. Search for GP name **Publishing_Server2_policy**.
+
+
+ 5. Under **policy name="Publishing_Server2_Policy"** you can see the \ listed. The text id and enum id represents the data id you need to include in the SyncML data payload. They correspond to the fields you see in GP Editor.
+
+ Here is the snippet from appv.admx:
+
+ ``` syntax
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ```
+
+ 6. From the \ tag, copy all the text id and enum id and create an XML with data id and value fields. The value field contains the configuration settings you would enter in the GP Editor.
+
+ Here is the example XML for Publishing_Server2_Policy :
+
+ ``` syntax
+
+
+
+
+
+
+
+
+
+
+ ```
+
+ 7. Create the SyncML to enable the policy. Payload contains \ and name/value pairs.
+
+ Here is the example for **AppVirtualization/PublishingAllowServer2**:
+
+> [!Note]
+> The \ payload must be XML encoded. To avoid encoding, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). If you are using Intune, select String as the data type.
+
+ ``` syntax
+
+
+
+
+ 2
+
+
+ chr
+ text/plain
+
+
+ ./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer2
+
+ ]]>
+
+
+
+
+
+ ```
+
+
+## Disable a policy
+
+The \ payload is \. Here is an example to disable AppVirtualization/PublishingAllowServer2.
+
+``` syntax
+
+
+
+ 2
+
+
+ chr
+ text/plain
+
+
+ ./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer2
+
+ <disabled/>
+
+
+
+
+
+```
+
+## Setting a policy to not configured
+
+The \ payload is empty. Here an example to set AppVirtualization/PublishingAllowServer2 to "Not Configured."
+
+``` syntax
+
+
+
+
+ 1
+
+
+ ./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer2
+
+
+
+
+
+
+```
\ No newline at end of file
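Review bot: the payload element is written "<Enabled/>" in the enable example and "<disabled/>" in the disable example, so a reader copying both gets inconsistent casing in an XML payload; pick the casing the client accepts and use it in both. Smaller points in the same file: the two "[!Note]" blocks sit at column 0 inside numbered steps, which will break the list numbering when rendered, "Here an example to set" is missing "is", and the file has no trailing newline.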
diff --git a/windows/client-management/mdm/enterprisedataprotection-csp.md b/windows/client-management/mdm/enterprisedataprotection-csp.md
index 95722f7b40..c79f4f55e9 100644
--- a/windows/client-management/mdm/enterprisedataprotection-csp.md
+++ b/windows/client-management/mdm/enterprisedataprotection-csp.md
@@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 06/19/2017
+ms.date: 08/09/2017
---
# EnterpriseDataProtection CSP
@@ -44,8 +44,8 @@ The following diagram shows the EnterpriseDataProtection CSP in tree format.
- 0 (default) – Off / No protection (decrypts previously protected data).
- 1 – Silent mode (encrypt and audit only).
-- 2 – Override mode (encrypt, prompt, and audit).
-- 3 – Block mode (encrypt, block, and audit).
+- 2 – Allow override mode (encrypt, prompt and allow overrides, and audit).
+- 3 – Hides overrides (encrypt, prompt but hide overrides, and audit).
Supported operations are Add, Get, Replace and Delete. Value type is integer.
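Review bot: the new text for value 3, "Hides overrides (encrypt, prompt but hide overrides, and audit)", no longer says that the action is blocked, which the previous "Block mode (encrypt, block, and audit)" made explicit. An admin choosing between 2 and 3 needs to know whether 3 still prevents the data from leaving; please state that outcome, and name the mode in the same grammatical form as "Allow override mode".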
diff --git a/windows/client-management/mdm/images/admx-app-v-enablepublishingserver2settings.png b/windows/client-management/mdm/images/admx-app-v-enablepublishingserver2settings.png
new file mode 100644
index 0000000000..36d0561150
Binary files /dev/null and b/windows/client-management/mdm/images/admx-app-v-enablepublishingserver2settings.png differ
diff --git a/windows/client-management/mdm/images/admx-appv-enableapp-vclient.png b/windows/client-management/mdm/images/admx-appv-enableapp-vclient.png
new file mode 100644
index 0000000000..6f22d4701e
Binary files /dev/null and b/windows/client-management/mdm/images/admx-appv-enableapp-vclient.png differ
diff --git a/windows/client-management/mdm/images/admx-appv-policy-description.png b/windows/client-management/mdm/images/admx-appv-policy-description.png
new file mode 100644
index 0000000000..46e99fcb28
Binary files /dev/null and b/windows/client-management/mdm/images/admx-appv-policy-description.png differ
diff --git a/windows/client-management/mdm/images/admx-appv-publishing.png b/windows/client-management/mdm/images/admx-appv-publishing.png
new file mode 100644
index 0000000000..31d83e9329
Binary files /dev/null and b/windows/client-management/mdm/images/admx-appv-publishing.png differ
diff --git a/windows/client-management/mdm/images/admx-appv-publishingserver2.png b/windows/client-management/mdm/images/admx-appv-publishingserver2.png
new file mode 100644
index 0000000000..01e516c407
Binary files /dev/null and b/windows/client-management/mdm/images/admx-appv-publishingserver2.png differ
diff --git a/windows/client-management/mdm/images/admx-appv.png b/windows/client-management/mdm/images/admx-appv.png
new file mode 100644
index 0000000000..9b4c9d2f39
Binary files /dev/null and b/windows/client-management/mdm/images/admx-appv.png differ
diff --git a/windows/client-management/mdm/images/admx-gpedit-search.png b/windows/client-management/mdm/images/admx-gpedit-search.png
new file mode 100644
index 0000000000..97ffa6ffd9
Binary files /dev/null and b/windows/client-management/mdm/images/admx-gpedit-search.png differ
diff --git a/windows/client-management/mdm/images/mdm-enrollment-disable-policy.png b/windows/client-management/mdm/images/mdm-enrollment-disable-policy.png
new file mode 100644
index 0000000000..0f9dc0d872
Binary files /dev/null and b/windows/client-management/mdm/images/mdm-enrollment-disable-policy.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-devicemanageability.png b/windows/client-management/mdm/images/provisioning-csp-devicemanageability.png
index e8364c9bd7..136c240862 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-devicemanageability.png and b/windows/client-management/mdm/images/provisioning-csp-devicemanageability.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-devicestatus.png b/windows/client-management/mdm/images/provisioning-csp-devicestatus.png
index a533d0f559..76c746d95f 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-devicestatus.png and b/windows/client-management/mdm/images/provisioning-csp-devicestatus.png differ
diff --git a/windows/client-management/mdm/mobile-device-enrollment.md b/windows/client-management/mdm/mobile-device-enrollment.md
index 4a733d2da7..1dbb44551e 100644
--- a/windows/client-management/mdm/mobile-device-enrollment.md
+++ b/windows/client-management/mdm/mobile-device-enrollment.md
@@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 06/19/2017
+ms.date: 08/11/2017
---
# Mobile device enrollment
@@ -59,26 +59,30 @@ The following topics describe the end-to-end enrollment process using various au
> - Any fixed URIs that are passed during enrollment
> - Specific formatting of any value unless otherwise noted, such as the format of the device ID.
+
+## Enrollment support for domain-joined devices
+Devices that are joined to an on-premise Active Directory can enroll into MDM via the Work access page in **Settings**. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device.
-## Prevent MDM enrollments
+## Disable MDM enrollments
-Starting in Windows 10, version 1607, to prevent MDM enrollments for domain-joined PCs, you can set the following Group Policy:
+Starting in Windows 10, version 1607, IT admin can disable MDM enrollments for domain-joined PCs using Group Policy. Using the GP editor, the path is **Computer configuration** > **Administrative Templates** > **Windows Components** > **MDM** > **Disable MDM Enrollment**.
+
+
+
+Here is the corresponding registry key:
Key: \\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\MDM
Value: DisableRegistration
-Using the GP editor, the path is Computer configuration > Administrative Templates > Windows Components > MDM > Disable MDM Enrollment.
-
## Enrollment scenarios not supported
-
The following scenarios do not allow MDM enrollments:
- Built-in administrator accounts on Windows desktop cannot enroll into MDM.
-- Standard users on Windows desktop cannot enroll into MDM via the Work access page in **Settings**. To enroll a standard user into MDM, we recommend using a provisioning package or joining the device to Azure AD from **Settings** -> **System** -> **About**.
+- Prior to Windows 10, version 1709, standard users on Windows desktop cannot enroll into MDM via the Work access page in **Settings**. Only admin users can enroll. To enroll a standard user into MDM, we recommend using a provisioning package or joining the device to Azure AD from **Settings** -> **System** -> **About**. Starting in Windows 10, version 1709, standard users can enroll in MDM.
- Windows 8.1 devices enrolled into MDM via enroll-on-behalf-of (EOBO) can upgrade to Windows 10, but the enrollment is not supported. We recommend performing a server initiated unenroll to remove these enrollments and then enrolling after the upgrade to Windows 10 is completed.
## Enrollment migration
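Review bot: the registry lines under "Here is the corresponding registry key:" give the key as `\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\MDM` with no hive, and name the value `DisableRegistration` with no type or data, so an admin cannot verify or audit the setting from this text alone. The GP path is under Computer configuration, which points at the machine hive; suggest writing the hive out, adding the value type and the data that disables enrollment, and dropping the doubled backslashes if they are not meant to render. The three empty added lines before that sentence look like a lost image or leftover spacing, and "IT admin can disable" should read "an IT admin can disable" or "IT admins can disable".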
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
index ff7ed8e468..a0b85c5d11 100644
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@@ -10,11 +10,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/28/2017
+ms.date: 08/14/2017
---
# What's new in MDM enrollment and management
+
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
@@ -677,12 +678,11 @@ For details about Microsoft mobile device management protocols for Windows 10 s
Update/ActiveHoursMaxRange
Update/AutoRestartDeadlinePeriodInDays
Update/AutoRestartNotificationSchedule
-
Update/AutoRestartNotificationStyle
Update/AutoRestartRequiredNotificationDismissal
Update/DetectionFrequency
Update/EngagedRestartDeadline
Update/EngagedRestartSnoozeSchedule
-
Update/EngagedRestartTransistionSchedule
+
Update/EngagedRestartTransitionSchedule
Update/IgnoreMOAppDownloadLimit
Update/IgnoreMOUpdateDownloadLimit
Update/PauseFeatureUpdatesStartTime
@@ -960,19 +960,52 @@ For details about Microsoft mobile device management protocols for Windows 10 s
[AssignedAccess CSP](assignedaccess-csp.md)
-
Here are the changes in Windows 10, version 1709.
+
Added the following setting in Windows 10, version 1709.
@@ -1280,6 +1313,97 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
## Change history in MDM documentation
+### August 2017
+
+
+
+
+
+
+
+
+
New or updated topic
+
Description
+
+
+
+
+
[Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md)
+
Added new step-by-step guide to enable ADMX-backed policies.
Devices that are joined to an on-premise Active Directory can enroll into MDM via the Work access page in Settings. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device.
Updated the Settings/EDPEnforcementLevel values to the following:
+
+
0 (default) – Off / No protection (decrypts previously protected data).
+
1 – Silent mode (encrypt and audit only).
+
2 – Allow override mode (encrypt, prompt and allow overrides, and audit).
+
3 – Hides overrides (encrypt, prompt but hide overrides, and audit).
+
+
+
+
[AppLocker CSP](applocker-csp.md)
+
Added two new SyncML examples (to disable the calendar app and to block usage of the map app) in [Whitelist examples](applocker-csp.md#whitelist-examples).
Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutoPilotResetCredentials.
+
Added links to the additional [ADMX-backed BitLocker policies](policy-csp-bitlocker.md).
+
+
+
+
### July 2017
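Review bot: the change-history entry "Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutoPilotResetCredentials" describes a rename only, but the name goes from Enable to Disable, so the effect of a given value changes as well. Suggest the entry say that the meaning is inverted and point readers to the policy topic for the new values, so that nobody carries an old value over unchanged.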
@@ -1313,7 +1437,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
Education/DefaultPrinterName
Education/PreventAddingNewPrinters
-
Education/PrinterNames
+
Education/PrinterNames
Security/ClearTPMIfNotReady
WindowsDefenderSecurityCenter/CompanyName
WindowsDefenderSecurityCenter/DisableAppBrowserUI
@@ -1881,11 +2005,10 @@ Also Added [Firewall DDF file](firewall-ddf-file.md).
TimeLanguageSettings/AllowSet24HourClock
Update/ActiveHoursMaxRange
Update/AutoRestartNotificationSchedule
-
Update/AutoRestartNotificationStyle
Update/AutoRestartRequiredNotificationDismissal
Update/EngagedRestartDeadline
Update/EngagedRestartSnoozeSchedule
-
Update/EngagedRestartTransistionSchedule
+
Update/EngagedRestartTransitionSchedule
Update/SetAutoRestartNotificationDisable
WindowsLogon/HideFastUserSwitching
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 7659b059e9..69a15107f8 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/27/2017
+ms.date: 08/14/2017
---
# Policy CSP
@@ -338,6 +338,30 @@ The following diagram shows the Policy configuration service provider in tree fo
### Bluetooth policies
@@ -534,7 +558,7 @@ The following diagram shows the Policy configuration service provider in tree fo
CredentialProviders/BlockPicturePassword
diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md
index 5b1b04014f..eb8cd4abc7 100644
--- a/windows/client-management/mdm/policy-csp-abovelock.md
+++ b/windows/client-management/mdm/policy-csp-abovelock.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - AboveLock
diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md
index 321173c109..53ea6582a5 100644
--- a/windows/client-management/mdm/policy-csp-accounts.md
+++ b/windows/client-management/mdm/policy-csp-accounts.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - Accounts
diff --git a/windows/client-management/mdm/policy-csp-activexcontrols.md b/windows/client-management/mdm/policy-csp-activexcontrols.md
index ecf8c1bd88..e67542f66b 100644
--- a/windows/client-management/mdm/policy-csp-activexcontrols.md
+++ b/windows/client-management/mdm/policy-csp-activexcontrols.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - ActiveXControls
@@ -66,6 +66,7 @@ Note: Wild card characters cannot be used when specifying the host URLs.
ADMX Info:
- GP english name: *Approved Installation Sites for ActiveX Controls*
- GP name: *ApprovedActiveXInstallSites*
+- GP path: *Windows Components/ActiveX Installer Service*
- GP ADMX file name: *ActiveXInstallService.admx*
diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md
index 1611634651..11297a57df 100644
--- a/windows/client-management/mdm/policy-csp-applicationdefaults.md
+++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - ApplicationDefaults
diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md
index 04487cf2a4..5d72ba16b5 100644
--- a/windows/client-management/mdm/policy-csp-applicationmanagement.md
+++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - ApplicationManagement
diff --git a/windows/client-management/mdm/policy-csp-appvirtualization.md b/windows/client-management/mdm/policy-csp-appvirtualization.md
index b0b817880f..01bd1dd68e 100644
--- a/windows/client-management/mdm/policy-csp-appvirtualization.md
+++ b/windows/client-management/mdm/policy-csp-appvirtualization.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - AppVirtualization
@@ -60,6 +60,7 @@ This policy setting allows you to enable or disable Microsoft Application Virtua
ADMX Info:
- GP english name: *Enable App-V Client*
- GP name: *EnableAppV*
+- GP path: *Administrative Templates/System/App-V*
- GP ADMX file name: *appv.admx*
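Review bot: the added `GP path` values in this file start with "Administrative Templates/" (here *Administrative Templates/System/App-V*), while the paths added in the other topics of this change omit that prefix, for example *Windows Components/ActiveX Installer Service* and *System/Device Installation/Device Installation Restrictions*. Suggest picking one form for all `GP path` lines so that readers can map them to the GP editor tree the same way in every topic.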
@@ -105,6 +106,7 @@ Enables Dynamic Virtualization of supported shell extensions, browser helper obj
ADMX Info:
- GP english name: *Enable Dynamic Virtualization*
- GP name: *Virtualization_JITVEnable*
+- GP path: *Administrative Templates/System/App-V/Virtualization*
- GP ADMX file name: *appv.admx*
@@ -150,6 +152,7 @@ Enables automatic cleanup of appv packages that were added after Windows10 anniv
ADMX Info:
- GP english name: *Enable automatic cleanup of unused appv packages*
- GP name: *PackageManagement_AutoCleanupEnable*
+- GP path: *Administrative Templates/System/App-V/PackageManagement*
- GP ADMX file name: *appv.admx*
@@ -195,6 +198,7 @@ Enables scripts defined in the package manifest of configuration files that shou
ADMX Info:
- GP english name: *Enable Package Scripts*
- GP name: *Scripting_Enable_Package_Scripts*
+- GP path: *Administrative Templates/System/App-V/Scripting*
- GP ADMX file name: *appv.admx*
@@ -240,6 +244,7 @@ Enables a UX to display to the user when a publishing refresh is performed on th
ADMX Info:
- GP english name: *Enable Publishing Refresh UX*
- GP name: *Enable_Publishing_Refresh_UX*
+- GP path: *Administrative Templates/System/App-V/Publishing*
- GP ADMX file name: *appv.admx*
@@ -295,6 +300,7 @@ Data Block Size: This value specifies the maximum size in bytes to transmit to t
ADMX Info:
- GP english name: *Reporting Server*
- GP name: *Reporting_Server_Policy*
+- GP path: *Administrative Templates/System/App-V/Reporting*
- GP ADMX file name: *appv.admx*
@@ -340,6 +346,7 @@ Specifies the file paths relative to %userprofile% that do not roam with a user'
ADMX Info:
- GP english name: *Roaming File Exclusions*
- GP name: *Integration_Roaming_File_Exclusions*
+- GP path: *Administrative Templates/System/App-V/Integration*
- GP ADMX file name: *appv.admx*
@@ -385,6 +392,7 @@ Specifies the registry paths that do not roam with a user profile. Example usage
ADMX Info:
- GP english name: *Roaming Registry Exclusions*
- GP name: *Integration_Roaming_Registry_Exclusions*
+- GP path: *Administrative Templates/System/App-V/Integration*
- GP ADMX file name: *appv.admx*
@@ -430,6 +438,7 @@ Specifies how new packages should be loaded automatically by App-V on a specific
ADMX Info:
- GP english name: *Specify what to load in background (aka AutoLoad)*
- GP name: *Steaming_Autoload*
+- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
@@ -475,6 +484,7 @@ Migration mode allows the App-V client to modify shortcuts and FTA's for package
ADMX Info:
- GP english name: *Enable Migration Mode*
- GP name: *Client_Coexistence_Enable_Migration_mode*
+- GP path: *Administrative Templates/System/App-V/Client Coexistence*
- GP ADMX file name: *appv.admx*
@@ -520,6 +530,7 @@ Specifies the location where symbolic links are created to the current version o
ADMX Info:
- GP english name: *Integration Root User*
- GP name: *Integration_Root_User*
+- GP path: *Administrative Templates/System/App-V/Integration*
- GP ADMX file name: *appv.admx*
@@ -565,6 +576,7 @@ Specifies the location where symbolic links are created to the current version o
ADMX Info:
- GP english name: *Integration Root Global*
- GP name: *Integration_Root_Global*
+- GP path: *Administrative Templates/System/App-V/Integration*
- GP ADMX file name: *appv.admx*
@@ -628,6 +640,7 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D
ADMX Info:
- GP english name: *Publishing Server 1 Settings*
- GP name: *Publishing_Server1_Policy*
+- GP path: *Administrative Templates/System/App-V/Publishing*
- GP ADMX file name: *appv.admx*
@@ -689,8 +702,9 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D
ADMX Info:
-- GP english name: *Publishing Server 2 Settings*
+- GP English name: *Publishing Server 2 Settings*
- GP name: *Publishing_Server2_Policy*
+- GP path: *Administrative Templates/System/App-V/Publishing*
- GP ADMX file name: *appv.admx*
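Review bot: only the Publishing Server 2 entry changes "GP english name" to "GP English name"; every other ADMX Info block in this file and in the other topics still uses the lowercase form. Either apply the capitalization everywhere in this change or leave this line as it was, so that the label stays consistent and searchable.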
@@ -754,6 +768,7 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D
ADMX Info:
- GP english name: *Publishing Server 3 Settings*
- GP name: *Publishing_Server3_Policy*
+- GP path: *Administrative Templates/System/App-V/Publishing*
- GP ADMX file name: *appv.admx*
@@ -817,6 +832,7 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D
ADMX Info:
- GP english name: *Publishing Server 4 Settings*
- GP name: *Publishing_Server4_Policy*
+- GP path: *Administrative Templates/System/App-V/Publishing*
- GP ADMX file name: *appv.admx*
@@ -880,6 +896,7 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D
ADMX Info:
- GP english name: *Publishing Server 5 Settings*
- GP name: *Publishing_Server5_Policy*
+- GP path: *Administrative Templates/System/App-V/Publishing*
- GP ADMX file name: *appv.admx*
@@ -925,6 +942,7 @@ Specifies the path to a valid certificate in the certificate store.
ADMX Info:
- GP english name: *Certificate Filter For Client SSL*
- GP name: *Streaming_Certificate_Filter_For_Client_SSL*
+- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
@@ -970,6 +988,7 @@ This setting controls whether virtualized applications are launched on Windows 8
ADMX Info:
- GP english name: *Allow First Time Application Launches if on a High Cost Windows 8 Metered Connection*
- GP name: *Streaming_Allow_High_Cost_Launch*
+- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
@@ -1015,6 +1034,7 @@ Specifies the CLSID for a compatible implementation of the IAppvPackageLocationP
ADMX Info:
- GP english name: *Location Provider*
- GP name: *Streaming_Location_Provider*
+- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
@@ -1060,6 +1080,7 @@ Specifies directory where all new applications and updates will be installed.
ADMX Info:
- GP english name: *Package Installation Root*
- GP name: *Streaming_Package_Installation_Root*
+- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
@@ -1105,6 +1126,7 @@ Overrides source location for downloading package content.
ADMX Info:
- GP english name: *Package Source Root*
- GP name: *Streaming_Package_Source_Root*
+- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
@@ -1150,6 +1172,7 @@ Specifies the number of seconds between attempts to reestablish a dropped sessio
ADMX Info:
- GP english name: *Reestablishment Interval*
- GP name: *Streaming_Reestablishment_Interval*
+- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
@@ -1195,6 +1218,7 @@ Specifies the number of times to retry a dropped session.
ADMX Info:
- GP english name: *Reestablishment Retries*
- GP name: *Streaming_Reestablishment_Retries*
+- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
@@ -1240,6 +1264,7 @@ Specifies that streamed package contents will be not be saved to the local hard
ADMX Info:
- GP english name: *Shared Content Store (SCS) mode*
- GP name: *Streaming_Shared_Content_Store_Mode*
+- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
@@ -1285,6 +1310,7 @@ If enabled, the App-V client will support BrancheCache compatible HTTP streaming
ADMX Info:
- GP english name: *Enable Support for BranchCache*
- GP name: *Streaming_Support_Branch_Cache*
+- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
@@ -1330,6 +1356,7 @@ Verifies Server certificate revocation status before streaming using HTTPS.
ADMX Info:
- GP english name: *Verify certificate revocation list*
- GP name: *Streaming_Verify_Certificate_Revocation_List*
+- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
@@ -1375,6 +1402,7 @@ Specifies a list of process paths (may contain wildcards) which are candidates f
ADMX Info:
- GP english name: *Virtual Component Process Allow List*
- GP name: *Virtualization_JITVAllowList*
+- GP path: *Administrative Templates/System/App-V/Virtualization*
- GP ADMX file name: *appv.admx*
diff --git a/windows/client-management/mdm/policy-csp-attachmentmanager.md b/windows/client-management/mdm/policy-csp-attachmentmanager.md
index 5d23ee3459..0d4c2f7055 100644
--- a/windows/client-management/mdm/policy-csp-attachmentmanager.md
+++ b/windows/client-management/mdm/policy-csp-attachmentmanager.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - AttachmentManager
@@ -66,6 +66,7 @@ If you do not configure this policy setting, Windows marks file attachments with
ADMX Info:
- GP english name: *Do not preserve zone information in file attachments*
- GP name: *AM_MarkZoneOnSavedAtttachments*
+- GP path: *Windows Components/Attachment Manager*
- GP ADMX file name: *AttachmentManager.admx*
@@ -117,6 +118,7 @@ If you do not configure this policy setting, Windows hides the check box and Unb
ADMX Info:
- GP english name: *Hide mechanisms to remove zone information*
- GP name: *AM_RemoveZoneInfo*
+- GP path: *Windows Components/Attachment Manager*
- GP ADMX file name: *AttachmentManager.admx*
@@ -168,6 +170,7 @@ If you do not configure this policy setting, Windows does not call the registere
ADMX Info:
- GP english name: *Notify antivirus programs when opening attachments*
- GP name: *AM_CallIOfficeAntiVirus*
+- GP path: *Windows Components/Attachment Manager*
- GP ADMX file name: *AttachmentManager.admx*
diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md
index d6e687ff2b..2b74810ed1 100644
--- a/windows/client-management/mdm/policy-csp-authentication.md
+++ b/windows/client-management/mdm/policy-csp-authentication.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - Authentication
diff --git a/windows/client-management/mdm/policy-csp-autoplay.md b/windows/client-management/mdm/policy-csp-autoplay.md
index 8d520d5bf1..8198ac815b 100644
--- a/windows/client-management/mdm/policy-csp-autoplay.md
+++ b/windows/client-management/mdm/policy-csp-autoplay.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - Autoplay
@@ -64,6 +64,7 @@ If you disable or do not configure this policy setting, AutoPlay is enabled for
ADMX Info:
- GP english name: *Disallow Autoplay for non-volume devices*
- GP name: *NoAutoplayfornonVolume*
+- GP path: *Windows Components/AutoPlay Policies*
- GP ADMX file name: *AutoPlay.admx*
@@ -122,6 +123,7 @@ If you disable or not configure this policy setting, Windows Vista or later will
ADMX Info:
- GP english name: *Set the default behavior for AutoRun*
- GP name: *NoAutorun*
+- GP path: *Windows Components/AutoPlay Policies*
- GP ADMX file name: *AutoPlay.admx*
@@ -181,6 +183,7 @@ Note: This policy setting appears in both the Computer Configuration and User Co
ADMX Info:
- GP english name: *Turn off Autoplay*
- GP name: *Autorun*
+- GP path: *Windows Components/AutoPlay Policies*
- GP ADMX file name: *AutoPlay.admx*
diff --git a/windows/client-management/mdm/policy-csp-bitlocker.md b/windows/client-management/mdm/policy-csp-bitlocker.md
index d400b459dc..ea9430a79c 100644
--- a/windows/client-management/mdm/policy-csp-bitlocker.md
+++ b/windows/client-management/mdm/policy-csp-bitlocker.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - Bitlocker
@@ -58,6 +58,33 @@ ms.date: 07/14/2017
- 6 - XTS-AES 128-bit (Desktop only)
- 7 - XTS-AES 256-bit (Desktop only)
+
You can find the following policies in BitLocker CSP:
+
@@ -68,5 +95,4 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
-
+
\ No newline at end of file
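Review bot: the last hunk of policy-csp-bitlocker.md replaces two trailing empty lines with one line that has no newline at the end of the file. Suggest ending the file with a newline so that later edits to the footnote section do not show up as changes to this line.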
diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md
index 36f22b68f0..69445abb1a 100644
--- a/windows/client-management/mdm/policy-csp-bluetooth.md
+++ b/windows/client-management/mdm/policy-csp-bluetooth.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - Bluetooth
diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md
index 1f89d48fa9..f0d50ff7ac 100644
--- a/windows/client-management/mdm/policy-csp-browser.md
+++ b/windows/client-management/mdm/policy-csp-browser.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - Browser
diff --git a/windows/client-management/mdm/policy-csp-camera.md b/windows/client-management/mdm/policy-csp-camera.md
index 827c761526..5235998a62 100644
--- a/windows/client-management/mdm/policy-csp-camera.md
+++ b/windows/client-management/mdm/policy-csp-camera.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - Camera
diff --git a/windows/client-management/mdm/policy-csp-cellular.md b/windows/client-management/mdm/policy-csp-cellular.md
index 099237a30b..0afb973431 100644
--- a/windows/client-management/mdm/policy-csp-cellular.md
+++ b/windows/client-management/mdm/policy-csp-cellular.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - Cellular
@@ -58,6 +58,7 @@ ms.date: 07/14/2017
ADMX Info:
- GP english name: *Set Per-App Cellular Access UI Visibility*
- GP name: *ShowAppCellularAccessUI*
+- GP path: *Network/WWAN Service/WWAN UI Settings*
- GP ADMX file name: *wwansvc.admx*
diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md
index 4e608da6c7..d766ef3c9d 100644
--- a/windows/client-management/mdm/policy-csp-connectivity.md
+++ b/windows/client-management/mdm/policy-csp-connectivity.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - Connectivity
@@ -521,6 +521,7 @@ If you enable this policy, Windows only allows access to the specified UNC paths
ADMX Info:
- GP english name: *Hardened UNC Paths*
- GP name: *Pol_HardenedPaths*
+- GP path: *Network/Network Provider*
- GP ADMX file name: *networkprovider.admx*
@@ -564,6 +565,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Prohibit installation and configuration of Network Bridge on your DNS domain network*
- GP name: *NC_AllowNetBridge_NLA*
+- GP path: *Network/Network Connections*
- GP ADMX file name: *NetworkConnections.admx*
diff --git a/windows/client-management/mdm/policy-csp-credentialproviders.md b/windows/client-management/mdm/policy-csp-credentialproviders.md
index 66d1f6d390..afa69b9477 100644
--- a/windows/client-management/mdm/policy-csp-credentialproviders.md
+++ b/windows/client-management/mdm/policy-csp-credentialproviders.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - CredentialProviders
@@ -124,7 +124,7 @@ ADMX Info:
-**CredentialProviders/EnableWindowsAutoPilotResetCredentials**
+**CredentialProviders/DisableAutomaticReDeploymentCredentials**
@@ -150,11 +150,12 @@ ADMX Info:
-Added in Windows 10, version 1709. Boolean policy to enable the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. When the policy is enabled, a WNF notification is generated that would schedule a task to update the visibility of the new provider. The admin user is required to authenticate to trigger the refresh on the target device.
+Added in Windows 10, version 1709. Boolean policy to disable the visibility of the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. The admin user is required to authenticate to trigger the refresh on the target device.
-The auto pilot reset feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the auto pilot reset is triggered the devices are for ready for use by information workers or students.
+The Windows 10 Automatic ReDeployment feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the automatic redeployment is triggered the devices are for ready for use by information workers or students.
-Default value is 0.
+- 0 - Enable the visibility of the credentials for Windows 10 Automatic ReDeployment
+- 1 - Disable visibility of the credentials for Windows 10 Automatic ReDeployment
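Review bot: the removed line "Default value is 0." has no replacement, and the new value list does not mark a default, so a reader cannot tell whether an unconfigured device shows or hides the redeployment credential provider. With the rename from Enable to Disable, 0 now means the credentials are visible; suggest marking the default explicitly on the value it applies to. In the same paragraph, "the devices are for ready for use" carries over a typo (it should read "are ready for use"), and "allows admin to reset" should read "allows admins to reset".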
diff --git a/windows/client-management/mdm/policy-csp-credentialsui.md b/windows/client-management/mdm/policy-csp-credentialsui.md
index c99d68a5fe..728275e01e 100644
--- a/windows/client-management/mdm/policy-csp-credentialsui.md
+++ b/windows/client-management/mdm/policy-csp-credentialsui.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - CredentialsUI
@@ -68,6 +68,7 @@ The policy applies to all Windows components and applications that use the Windo
ADMX Info:
- GP english name: *Do not display the password reveal button*
- GP name: *DisablePasswordReveal*
+- GP path: *Windows Components/Credential User Interface*
- GP ADMX file name: *credui.admx*
@@ -117,6 +118,7 @@ If you disable this policy setting, users will always be required to type a user
ADMX Info:
- GP english name: *Enumerate administrator accounts on elevation*
- GP name: *EnumerateAdministrators*
+- GP path: *Windows Components/Credential User Interface*
- GP ADMX file name: *credui.admx*
diff --git a/windows/client-management/mdm/policy-csp-cryptography.md b/windows/client-management/mdm/policy-csp-cryptography.md
index 28837af17c..5365025f58 100644
--- a/windows/client-management/mdm/policy-csp-cryptography.md
+++ b/windows/client-management/mdm/policy-csp-cryptography.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - Cryptography
diff --git a/windows/client-management/mdm/policy-csp-dataprotection.md b/windows/client-management/mdm/policy-csp-dataprotection.md
index e520e4612f..ebe61e6295 100644
--- a/windows/client-management/mdm/policy-csp-dataprotection.md
+++ b/windows/client-management/mdm/policy-csp-dataprotection.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - DataProtection
diff --git a/windows/client-management/mdm/policy-csp-datausage.md b/windows/client-management/mdm/policy-csp-datausage.md
index decc54ee81..7398cdb094 100644
--- a/windows/client-management/mdm/policy-csp-datausage.md
+++ b/windows/client-management/mdm/policy-csp-datausage.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - DataUsage
@@ -70,6 +70,7 @@ If this policy setting is disabled or is not configured, the cost of 3G connecti
ADMX Info:
- GP english name: *Set 3G Cost*
- GP name: *SetCost3G*
+- GP path: *Network/WWAN Service/WWAN Media Cost*
- GP ADMX file name: *wwansvc.admx*
@@ -125,6 +126,7 @@ If this policy setting is disabled or is not configured, the cost of 4G connecti
ADMX Info:
- GP english name: *Set 4G Cost*
- GP name: *SetCost4G*
+- GP path: *Network/WWAN Service/WWAN Media Cost*
- GP ADMX file name: *wwansvc.admx*
diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md
index 337cacc79f..42421382a1 100644
--- a/windows/client-management/mdm/policy-csp-defender.md
+++ b/windows/client-management/mdm/policy-csp-defender.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - Defender
diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
index 830147907b..a80a113695 100644
--- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md
+++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - DeliveryOptimization
diff --git a/windows/client-management/mdm/policy-csp-desktop.md b/windows/client-management/mdm/policy-csp-desktop.md
index 2a09f78ddf..2f095c7e16 100644
--- a/windows/client-management/mdm/policy-csp-desktop.md
+++ b/windows/client-management/mdm/policy-csp-desktop.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - Desktop
diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md
index f104ff82b3..a613939a89 100644
--- a/windows/client-management/mdm/policy-csp-deviceguard.md
+++ b/windows/client-management/mdm/policy-csp-deviceguard.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - DeviceGuard
diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md
index 4f4b4d25d5..b9e3b22182 100644
--- a/windows/client-management/mdm/policy-csp-deviceinstallation.md
+++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - DeviceInstallation
@@ -64,6 +64,7 @@ If you disable or do not configure this policy setting, devices can be installed
ADMX Info:
- GP english name: *Prevent installation of devices that match any of these device IDs*
- GP name: *DeviceInstall_IDs_Deny*
+- GP path: *System/Device Installation/Device Installation Restrictions*
- GP ADMX file name: *deviceinstallation.admx*
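Review bot: The new "GP path" line gives only the category path and does not say whether the setting sits under Computer Configuration or User Configuration, so a reader still cannot locate "Device Installation Restrictions" unambiguously in the Group Policy editor. Consider adding the root to the path, or a separate scope line, here and in the other ADMX Info blocks this change touches.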
@@ -113,6 +114,7 @@ If you disable or do not configure this policy setting, Windows can install and
ADMX Info:
- GP english name: *Prevent installation of devices using drivers that match these device setup classes*
- GP name: *DeviceInstall_Classes_Deny*
+- GP path: *System/Device Installation/Device Installation Restrictions*
- GP ADMX file name: *deviceinstallation.admx*
diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md
index 8ac0f11942..3e3e9a0a12 100644
--- a/windows/client-management/mdm/policy-csp-devicelock.md
+++ b/windows/client-management/mdm/policy-csp-devicelock.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - DeviceLock
@@ -769,6 +769,7 @@ If you enable this setting, users will no longer be able to modify slide show se
ADMX Info:
- GP english name: *Prevent enabling lock screen slide show*
- GP name: *CPL_Personalization_NoLockScreenSlideshow*
+- GP path: *Control Panel/Personalization*
- GP ADMX file name: *ControlPanelDisplay.admx*
diff --git a/windows/client-management/mdm/policy-csp-display.md b/windows/client-management/mdm/policy-csp-display.md
index c10d926963..173a2e7f02 100644
--- a/windows/client-management/mdm/policy-csp-display.md
+++ b/windows/client-management/mdm/policy-csp-display.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - Display
diff --git a/windows/client-management/mdm/policy-csp-education.md b/windows/client-management/mdm/policy-csp-education.md
index a1912d6edc..8c563ece39 100644
--- a/windows/client-management/mdm/policy-csp-education.md
+++ b/windows/client-management/mdm/policy-csp-education.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/27/2017
+ms.date: 08/09/2017
---
# Policy CSP - Education
diff --git a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md
index 7b33c7e5b4..aac0cea10c 100644
--- a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md
+++ b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - EnterpriseCloudPrint
diff --git a/windows/client-management/mdm/policy-csp-errorreporting.md b/windows/client-management/mdm/policy-csp-errorreporting.md
index 800c8ac975..88177e71c6 100644
--- a/windows/client-management/mdm/policy-csp-errorreporting.md
+++ b/windows/client-management/mdm/policy-csp-errorreporting.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - ErrorReporting
@@ -123,6 +123,7 @@ If you disable or do not configure this policy setting, the Turn off Windows Err
ADMX Info:
- GP english name: *Disable Windows Error Reporting*
- GP name: *WerDisable_2*
+- GP path: *Windows Components/Windows Error Reporting*
- GP ADMX file name: *ErrorReporting.admx*
@@ -176,6 +177,7 @@ See also the Configure Error Reporting policy setting.
ADMX Info:
- GP english name: *Display Error Notification*
- GP name: *PCH_ShowUI*
+- GP path: *Windows Components/Windows Error Reporting*
- GP ADMX file name: *ErrorReporting.admx*
@@ -225,6 +227,7 @@ If you disable or do not configure this policy setting, then consent policy sett
ADMX Info:
- GP english name: *Do not send additional data*
- GP name: *WerNoSecondLevelData_2*
+- GP path: *Windows Components/Windows Error Reporting*
- GP ADMX file name: *ErrorReporting.admx*
@@ -274,6 +277,7 @@ If you disable or do not configure this policy setting, Windows Error Reporting
ADMX Info:
- GP english name: *Prevent display of the user interface for critical errors*
- GP name: *WerDoNotShowUI*
+- GP path: *Windows Components/Windows Error Reporting*
- GP ADMX file name: *ErrorReporting.admx*
diff --git a/windows/client-management/mdm/policy-csp-eventlogservice.md b/windows/client-management/mdm/policy-csp-eventlogservice.md
index a1f5c9527e..8ded981267 100644
--- a/windows/client-management/mdm/policy-csp-eventlogservice.md
+++ b/windows/client-management/mdm/policy-csp-eventlogservice.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - EventLogService
@@ -66,6 +66,7 @@ Note: Old events may or may not be retained according to the "Backup log automat
ADMX Info:
- GP english name: *Control Event Log behavior when the log file reaches its maximum size*
- GP name: *Channel_Log_Retention_1*
+- GP path: *Windows Components/Event Log Service/Application*
- GP ADMX file name: *eventlog.admx*
@@ -115,6 +116,7 @@ If you disable or do not configure this policy setting, the maximum size of the
ADMX Info:
- GP english name: *Specify the maximum log file size (KB)*
- GP name: *Channel_LogMaxSize_1*
+- GP path: *Windows Components/Event Log Service/Application*
- GP ADMX file name: *eventlog.admx*
@@ -164,6 +166,7 @@ If you disable or do not configure this policy setting, the maximum size of the
ADMX Info:
- GP english name: *Specify the maximum log file size (KB)*
- GP name: *Channel_LogMaxSize_2*
+- GP path: *Windows Components/Event Log Service/Security*
- GP ADMX file name: *eventlog.admx*
@@ -213,6 +216,7 @@ If you disable or do not configure this policy setting, the maximum size of the
ADMX Info:
- GP english name: *Specify the maximum log file size (KB)*
- GP name: *Channel_LogMaxSize_4*
+- GP path: *Windows Components/Event Log Service/System*
- GP ADMX file name: *eventlog.admx*
diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md
index c69b113a36..82e380c156 100644
--- a/windows/client-management/mdm/policy-csp-experience.md
+++ b/windows/client-management/mdm/policy-csp-experience.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - Experience
diff --git a/windows/client-management/mdm/policy-csp-exploitguard.md b/windows/client-management/mdm/policy-csp-exploitguard.md
new file mode 100644
index 0000000000..cf06c60c3e
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-exploitguard.md
@@ -0,0 +1,58 @@
+---
+title: Policy CSP - ExploitGuard
+description: Policy CSP - ExploitGuard
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 08/11/2017
+---
+
+# Policy CSP - ExploitGuard
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+**ExploitGuard/ExploitProtectionSettings**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
3
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+
Enables the IT admin to push out a configuration representing the desired system and application mitigation options to all the devices in the organization. The configuration is represented by an XML.
+
+
The system settings require a reboot; the application settings do not require a reboot.
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
\ No newline at end of file
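Review bot: The ExploitProtectionSettings description says the configuration "is represented by an XML" but never states the node's data type, the supported operations, the expected XML format, or how an admin produces that XML, so the policy cannot be deployed from this page alone. Add those details or link to the reference that defines the format, and reword to "an XML document". The edition table shows seven edition labels but only five "3" markers in the visible lines, so make explicit which editions are not supported. Smaller points: footnotes 1 and 2 are listed but never referenced in this file, the front-matter description only repeats the title, ms.date (08/11/2017) differs from the 08/09/2017 used in the other files of this change, and the file ends without a trailing newline.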
diff --git a/windows/client-management/mdm/policy-csp-games.md b/windows/client-management/mdm/policy-csp-games.md
index 5cb47e7195..9e5de02b1b 100644
--- a/windows/client-management/mdm/policy-csp-games.md
+++ b/windows/client-management/mdm/policy-csp-games.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - Games
@@ -22,9 +22,6 @@ ms.date: 07/14/2017
**Games/AllowAdvancedGamingServices**
-
-
-
Placeholder only. Currently not supported.
diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md
index b5377f7a59..cd051e0e91 100644
--- a/windows/client-management/mdm/policy-csp-internetexplorer.md
+++ b/windows/client-management/mdm/policy-csp-internetexplorer.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/16/2017
+ms.date: 08/09/2017
---
# Policy CSP - InternetExplorer
@@ -64,6 +64,7 @@ If you disable or do not configure this policy setting, the user can configure t
ADMX Info:
- GP english name: *Add a specific list of search providers to the user's list of search providers*
- GP name: *AddSearchProvider*
+- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
@@ -113,6 +114,7 @@ If you disable or do not configure this policy setting, ActiveX Filtering is not
ADMX Info:
- GP english name: *Turn on ActiveX Filtering*
- GP name: *TurnOnActiveXFiltering*
+- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
@@ -168,6 +170,7 @@ If you disable this policy setting, the list is deleted. The 'Deny all add-ons u
ADMX Info:
- GP english name: *Add-on List*
- GP name: *AddonManagement_AddOnList*
+- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management*
- GP ADMX file name: *inetres.admx*
@@ -211,6 +214,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Turn on the auto-complete feature for user names and passwords on forms*
- GP name: *RestrictFormSuggestPW*
+- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
@@ -254,6 +258,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Turn on certificate address mismatch warning*
- GP name: *IZ_PolicyWarnCertMismatch*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
@@ -297,6 +302,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Allow deleting browsing history on exit*
- GP name: *DBHDisableDeleteOnExit*
+- GP path: *Windows Components/Internet Explorer/Delete Browsing History*
- GP ADMX file name: *inetres.admx*
@@ -348,6 +354,7 @@ If you do not configure this policy, users will be able to turn on or turn off E
ADMX Info:
- GP english name: *Turn on Enhanced Protected Mode*
- GP name: *Advanced_EnableEnhancedProtectedMode*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page*
- GP ADMX file name: *inetres.admx*
@@ -397,6 +404,7 @@ If you disable or don't configure this policy setting, the menu option won't app
ADMX Info:
- GP english name: *Let users turn on and use Enterprise Mode from the Tools menu*
- GP name: *EnterpriseModeEnable*
+- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
@@ -446,6 +454,7 @@ If you disable or don't configure this policy setting, Internet Explorer opens a
ADMX Info:
- GP english name: *Use the Enterprise Mode IE website list*
- GP name: *EnterpriseModeSiteList*
+- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
@@ -489,6 +498,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Allow fallback to SSL 3.0 (Internet Explorer)*
- GP name: *Advanced_EnableSSL3Fallback*
+- GP path: *Windows Components/Internet Explorer/Security Features*
- GP ADMX file name: *inetres.admx*
@@ -538,6 +548,7 @@ If you disable or do not configure this policy setting, the user can add and rem
ADMX Info:
- GP english name: *Use Policy List of Internet Explorer 7 sites*
- GP name: *CompatView_UsePolicyList*
+- GP path: *Windows Components/Internet Explorer/Compatibility View*
- GP ADMX file name: *inetres.admx*
@@ -589,6 +600,7 @@ If you do not configure this policy setting, Internet Explorer uses an Internet
ADMX Info:
- GP english name: *Turn on Internet Explorer Standards Mode for local intranet*
- GP name: *CompatView_IntranetSites*
+- GP path: *Windows Components/Internet Explorer/Compatibility View*
- GP ADMX file name: *inetres.admx*
@@ -644,6 +656,7 @@ Note. It is recommended to configure template policy settings in one Group Polic
ADMX Info:
- GP english name: *Internet Zone Template*
- GP name: *IZ_PolicyInternetZoneTemplate*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
@@ -699,6 +712,7 @@ Note. It is recommended to configure template policy settings in one Group Polic
ADMX Info:
- GP english name: *Intranet Zone Template*
- GP name: *IZ_PolicyIntranetZoneTemplate*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
@@ -754,6 +768,7 @@ Note. It is recommended to configure template policy settings in one Group Polic
ADMX Info:
- GP english name: *Local Machine Zone Template*
- GP name: *IZ_PolicyLocalMachineZoneTemplate*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
@@ -809,6 +824,7 @@ Note. It is recommended to configure template policy settings in one Group Polic
ADMX Info:
- GP english name: *Locked-Down Internet Zone Template*
- GP name: *IZ_PolicyInternetZoneLockdownTemplate*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
@@ -864,6 +880,7 @@ Note. It is recommended to configure template policy settings in one Group Polic
ADMX Info:
- GP english name: *Locked-Down Intranet Zone Template*
- GP name: *IZ_PolicyIntranetZoneLockdownTemplate*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
@@ -919,6 +936,7 @@ Note. It is recommended to configure template policy settings in one Group Polic
ADMX Info:
- GP english name: *Locked-Down Local Machine Zone Template*
- GP name: *IZ_PolicyLocalMachineZoneLockdownTemplate*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
@@ -974,6 +992,7 @@ Note. It is recommended to configure template policy settings in one Group Polic
ADMX Info:
- GP english name: *Locked-Down Restricted Sites Zone Template*
- GP name: *IZ_PolicyRestrictedSitesZoneLockdownTemplate*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
@@ -1023,6 +1042,7 @@ If you disable or do not configure this policy setting, Internet Explorer does n
ADMX Info:
- GP english name: *Go to an intranet site for a one-word entry in the Address bar*
- GP name: *UseIntranetSiteForOneWordEntry*
+- GP path: *Windows Components/Internet Explorer/Internet Settings/Advanced settings/Browsing*
- GP ADMX file name: *inetres.admx*
@@ -1078,6 +1098,7 @@ If you disable or do not configure this policy, users may choose their own site-
ADMX Info:
- GP english name: *Site to Zone Assignment List*
- GP name: *IZ_Zonemaps*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
@@ -1121,6 +1142,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Allow software to run or install even if the signature is invalid*
- GP name: *Advanced_InvalidSignatureBlock*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page*
- GP ADMX file name: *inetres.admx*
@@ -1172,6 +1194,7 @@ If you do not configure this policy setting, the user can turn on and turn off t
ADMX Info:
- GP english name: *Turn on Suggested Sites*
- GP name: *EnableSuggestedSites*
+- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
@@ -1227,6 +1250,7 @@ Note. It is recommended to configure template policy settings in one Group Polic
ADMX Info:
- GP english name: *Trusted Sites Zone Template*
- GP name: *IZ_PolicyTrustedSitesZoneTemplate*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
@@ -1282,6 +1306,7 @@ Note. It is recommended to configure template policy settings in one Group Polic
ADMX Info:
- GP english name: *Locked-Down Trusted Sites Zone Template*
- GP name: *IZ_PolicyTrustedSitesZoneLockdownTemplate*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
@@ -1337,6 +1362,7 @@ Note. It is recommended to configure template policy settings in one Group Polic
ADMX Info:
- GP english name: *Restricted Sites Zone Template*
- GP name: *IZ_PolicyRestrictedSitesZoneTemplate*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
@@ -1380,6 +1406,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Check for server certificate revocation*
- GP name: *Advanced_CertificateRevocation*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page*
- GP ADMX file name: *inetres.admx*
@@ -1423,6 +1450,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Check for signatures on downloaded programs*
- GP name: *Advanced_DownloadSignatures*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page*
- GP ADMX file name: *inetres.admx*
@@ -1466,6 +1494,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Internet Explorer Processes*
- GP name: *IESF_PolicyExplorerProcesses_2*
+- GP path: *Windows Components/Internet Explorer/Security Features/Binary Behavior Security Restriction*
- GP ADMX file name: *inetres.admx*
@@ -1517,6 +1546,7 @@ Note that Adobe Flash can still be disabled through the "Add-on List" and "Deny
ADMX Info:
- GP english name: *Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects*
- GP name: *DisableFlashInIE*
+- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management*
- GP ADMX file name: *inetres.admx*
@@ -1560,6 +1590,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Turn off blocking of outdated ActiveX controls for Internet Explorer*
- GP name: *VerMgmtDisable*
+- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management*
- GP ADMX file name: *inetres.admx*
@@ -1609,6 +1640,7 @@ If you disable or do not configure this policy setting, the user can bypass Smar
ADMX Info:
- GP english name: *Prevent bypassing SmartScreen Filter warnings*
- GP name: *DisableSafetyFilterOverride*
+- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
@@ -1658,6 +1690,7 @@ If you disable or do not configure this policy setting, the user can bypass Smar
ADMX Info:
- GP english name: *Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet*
- GP name: *DisableSafetyFilterOverrideForAppRepUnknown*
+- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
@@ -1701,6 +1734,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Disable "Configuring History"*
- GP name: *RestrictHistory*
+- GP path: *Windows Components/Internet Explorer/Delete Browsing History*
- GP ADMX file name: *inetres.admx*
@@ -1744,6 +1778,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Turn off Crash Detection*
- GP name: *AddonManagement_RestrictCrashDetection*
+- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
@@ -1795,6 +1830,7 @@ If you do not configure this policy setting, the user can choose to participate
ADMX Info:
- GP english name: *Prevent participation in the Customer Experience Improvement Program*
- GP name: *SQM_DisableCEIP*
+- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
@@ -1838,6 +1874,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Prevent deleting websites that the user has visited*
- GP name: *DBHDisableDeleteHistory*
+- GP path: *Windows Components/Internet Explorer/Delete Browsing History*
- GP ADMX file name: *inetres.admx*
@@ -1887,6 +1924,7 @@ If you disable or do not configure this policy setting, the user can set the Fee
ADMX Info:
- GP english name: *Prevent downloading of enclosures*
- GP name: *Disable_Downloading_of_Enclosures*
+- GP path: *Windows Components/RSS Feeds*
- GP ADMX file name: *inetres.admx*
@@ -1938,6 +1976,7 @@ Note: SSL 2.0 is off by default and is no longer supported starting with Windows
ADMX Info:
- GP english name: *Turn off encryption support*
- GP name: *Advanced_SetWinInetProtocols*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page*
- GP ADMX file name: *inetres.admx*
@@ -1991,6 +2030,7 @@ If you disable or do not configure this policy setting, Internet Explorer may ru
ADMX Info:
- GP english name: *Prevent running First Run wizard*
- GP name: *NoFirstRunCustomise*
+- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
@@ -2044,6 +2084,7 @@ If you don't configure this setting, users can turn this behavior on or off, usi
ADMX Info:
- GP english name: *Turn off the flip ahead with page prediction feature*
- GP name: *Advanced_DisableFlipAhead*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page*
- GP ADMX file name: *inetres.admx*
@@ -2093,6 +2134,7 @@ If you disable or do not configure this policy setting, the Home page box is ena
ADMX Info:
- GP english name: *Disable changing home page settings*
- GP name: *RestrictHomePage*
+- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
@@ -2136,6 +2178,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Prevent ignoring certificate errors*
- GP name: *NoCertError*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel*
- GP ADMX file name: *inetres.admx*
@@ -2179,6 +2222,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Turn off InPrivate Browsing*
- GP name: *DisableInPrivateBrowsing*
+- GP path: *Windows Components/Internet Explorer/Privacy*
- GP ADMX file name: *inetres.admx*
@@ -2222,6 +2266,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows*
- GP name: *Advanced_EnableEnhancedProtectedMode64Bit*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page*
- GP ADMX file name: *inetres.admx*
@@ -2271,6 +2316,7 @@ If you disable or do not configure this policy setting, the user can configure p
ADMX Info:
- GP english name: *Prevent changing proxy settings*
- GP name: *RestrictProxy*
+- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
@@ -2320,6 +2366,7 @@ If you disable or do not configure this policy setting, the user can change the
ADMX Info:
- GP english name: *Prevent changing the default search provider*
- GP name: *NoSearchProvider*
+- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
@@ -2371,6 +2418,7 @@ Note: If the Disable Changing Home Page Settings policy is enabled, the user can
ADMX Info:
- GP english name: *Disable changing secondary home page settings*
- GP name: *SecondaryHomePages*
+- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
@@ -2414,6 +2462,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Turn off the Security Settings Check feature*
- GP name: *Disable_Security_Settings_Check*
+- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
@@ -2465,6 +2514,7 @@ This policy is intended to help the administrator maintain version control for I
ADMX Info:
- GP english name: *Disable Periodic Check for Internet Explorer software updates*
- GP name: *NoUpdateCheck*
+- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
@@ -2508,6 +2558,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled*
- GP name: *Advanced_DisableEPMCompat*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page*
- GP ADMX file name: *inetres.admx*
@@ -2563,6 +2614,7 @@ Also, see the "Security zones: Use only machine settings" policy.
ADMX Info:
- GP english name: *Security Zones: Do not allow users to add/delete sites*
- GP name: *Security_zones_map_edit*
+- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
@@ -2618,6 +2670,7 @@ Also, see the "Security zones: Use only machine settings" policy.
ADMX Info:
- GP english name: *Security Zones: Do not allow users to change policies*
- GP name: *Security_options_edit*
+- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
@@ -2669,6 +2722,7 @@ For more information, see "Outdated ActiveX Controls" in the Internet Explorer T
ADMX Info:
- GP english name: *Turn off blocking of outdated ActiveX controls for Internet Explorer*
- GP name: *VerMgmtDisable*
+- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management*
- GP ADMX file name: *inetres.admx*
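Review bot: This section's "GP english name: *Turn off blocking of outdated ActiveX controls for Internet Explorer*" and "GP name: *VerMgmtDisable*" are identical to the ADMX Info in the earlier hunk at -1560, and both now receive the same GP path, so two separate policy sections in this file map to one Group Policy setting. Confirm that this is intended. If the two are distinct policies, one of the mappings is wrong; if they are aliases, say so in the text so admins do not configure both with conflicting values.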
@@ -2724,6 +2778,7 @@ For more information, see "Outdated ActiveX Controls" in the Internet Explorer T
ADMX Info:
- GP english name: *Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains*
- GP name: *VerMgmtDomainAllowlist*
+- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management*
- GP ADMX file name: *inetres.admx*
@@ -2775,6 +2830,7 @@ If you do not configure this policy setting, users choose whether to force local
ADMX Info:
- GP english name: *Intranet Sites: Include all local (intranet) sites not listed in other zones*
- GP name: *IZ_IncludeUnspecifiedLocalSites*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
@@ -2826,6 +2882,7 @@ If you do not configure this policy setting, users choose whether network paths
ADMX Info:
- GP english name: *Intranet Sites: Include all network paths (UNCs)*
- GP name: *IZ_UNCAsIntranet*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
- GP ADMX file name: *inetres.admx*
@@ -2877,6 +2934,7 @@ If you do not configure this policy setting, users cannot load a page in the zon
ADMX Info:
- GP english name: *Access data sources across domains*
- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -2928,6 +2986,7 @@ If you do not configure this policy setting, ActiveX control installations will
ADMX Info:
- GP english name: *Automatic prompting for ActiveX controls*
- GP name: *IZ_PolicyNotificationBarActiveXURLaction_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -2977,6 +3036,7 @@ If you disable or do not configure this setting, file downloads that are not use
ADMX Info:
- GP english name: *Automatic prompting for file downloads*
- GP name: *IZ_PolicyNotificationBarDownloadURLaction_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -3020,6 +3080,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Allow cut, copy or paste operations from the clipboard via script*
- GP name: *IZ_PolicyAllowPasteViaScript_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -3063,6 +3124,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Allow drag and drop or copy and paste files*
- GP name: *IZ_PolicyDropOrPasteFiles_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -3114,6 +3176,7 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa
ADMX Info:
- GP english name: *Allow font downloads*
- GP name: *IZ_PolicyFontDownload_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -3165,6 +3228,7 @@ If you do not configure this policy setting, Web sites from less privileged zone
ADMX Info:
- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
- GP name: *IZ_PolicyZoneElevationURLaction_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -3208,6 +3272,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Allow loading of XAML files*
- GP name: *IZ_Policy_XAML_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -3259,6 +3324,7 @@ If you do not configure this policy setting, Internet Explorer will execute unsi
ADMX Info:
- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -3302,6 +3368,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Allow only approved domains to use ActiveX controls without prompt*
- GP name: *IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Internet*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -3345,6 +3412,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Allow only approved domains to use the TDC ActiveX control*
- GP name: *IZ_PolicyAllowTDCControl_Both_Internet*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -3388,6 +3456,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Allow script-initiated windows without size or position constraints*
- GP name: *IZ_PolicyWindowsRestrictionsURLaction_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -3431,6 +3500,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Allow scripting of Internet Explorer WebBrowser controls*
- GP name: *IZ_Policy_WebBrowserControl_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -3482,6 +3552,7 @@ If you do not configure this policy setting, the user can enable or disable scri
ADMX Info:
- GP english name: *Allow scriptlets*
- GP name: *IZ_Policy_AllowScriptlets_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -3535,6 +3606,7 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt
ADMX Info:
- GP english name: *Turn on SmartScreen Filter scan*
- GP name: *IZ_Policy_Phishing_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -3578,6 +3650,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Allow updates to status bar via script*
- GP name: *IZ_Policy_ScriptStatusBar_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -3629,6 +3702,7 @@ If you do not configure this policy setting, users can preserve information in t
ADMX Info:
- GP english name: *Userdata persistence*
- GP name: *IZ_PolicyUserdataPersistence_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -3672,6 +3746,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Don't run antimalware programs against ActiveX controls*
- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -3715,6 +3790,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Download signed ActiveX controls*
- GP name: *IZ_PolicyDownloadSignedActiveX_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -3758,6 +3834,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Download unsigned ActiveX controls*
- GP name: *IZ_PolicyDownloadUnsignedActiveX_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -3801,6 +3878,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Turn on Cross-Site Scripting Filter*
- GP name: *IZ_PolicyTurnOnXSSFilter_Both_Internet*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -3844,6 +3922,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Enable dragging of content from different domains across windows*
- GP name: *IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Internet*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -3887,6 +3966,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Enable dragging of content from different domains within a window*
- GP name: *IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Internet*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -3930,6 +4010,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Enable MIME Sniffing*
- GP name: *IZ_PolicyMimeSniffingURLaction_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -3973,6 +4054,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Turn on Protected Mode*
- GP name: *IZ_Policy_TurnOnProtectedMode_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -4016,6 +4098,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Include local path when user is uploading files to a server*
- GP name: *IZ_Policy_LocalPathForUpload_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -4069,6 +4152,7 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad
ADMX Info:
- GP english name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -4141,6 +4225,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Java permissions*
- GP name: *IZ_PolicyJavaPermissions_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -4184,6 +4269,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Launching applications and files in an IFRAME*
- GP name: *IZ_PolicyLaunchAppsAndFilesInIFRAME_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -4227,6 +4313,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Logon options*
- GP name: *IZ_PolicyLogon_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -4278,6 +4365,7 @@ If you do not configure this policy setting, users can open windows and frames f
ADMX Info:
- GP english name: *Navigate windows and frames across different domains*
- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -4321,6 +4409,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -4364,6 +4453,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Run .NET Framework-reliant components signed with Authenticode*
- GP name: *IZ_PolicySignedFrameworkComponentsURLaction_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -4407,6 +4497,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Show security warning for potentially unsafe files*
- GP name: *IZ_Policy_UnsafeFiles_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -4450,6 +4541,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Use Pop-up Blocker*
- GP name: *IZ_PolicyBlockPopupWindows_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -4493,6 +4585,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
- GP name: *IZ_PolicyZoneElevationURLaction_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -4544,6 +4637,7 @@ If you do not configure this policy setting, users are queried to choose whether
ADMX Info:
- GP english name: *Access data sources across domains*
- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_3*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
@@ -4595,6 +4689,7 @@ If you do not configure this policy setting, users will receive a prompt when a
ADMX Info:
- GP english name: *Automatic prompting for ActiveX controls*
- GP name: *IZ_PolicyNotificationBarActiveXURLaction_3*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
@@ -4644,6 +4739,7 @@ If you disable or do not configure this setting, users will receive a file downl
ADMX Info:
- GP english name: *Automatic prompting for file downloads*
- GP name: *IZ_PolicyNotificationBarDownloadURLaction_3*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
@@ -4695,6 +4791,7 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa
ADMX Info:
- GP english name: *Allow font downloads*
- GP name: *IZ_PolicyFontDownload_3*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
@@ -4746,6 +4843,7 @@ If you do not configure this policy setting, Web sites from less privileged zone
ADMX Info:
- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
- GP name: *IZ_PolicyZoneElevationURLaction_3*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
@@ -4797,6 +4895,7 @@ If you do not configure this policy setting, Internet Explorer will execute unsi
ADMX Info:
- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_3*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
@@ -4848,6 +4947,7 @@ If you do not configure this policy setting, the user can enable or disable scri
ADMX Info:
- GP english name: *Allow scriptlets*
- GP name: *IZ_Policy_AllowScriptlets_3*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
@@ -4901,6 +5001,7 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt
ADMX Info:
- GP english name: *Turn on SmartScreen Filter scan*
- GP name: *IZ_Policy_Phishing_3*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
@@ -4952,6 +5053,7 @@ If you do not configure this policy setting, users can preserve information in t
ADMX Info:
- GP english name: *Userdata persistence*
- GP name: *IZ_PolicyUserdataPersistence_3*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
@@ -4995,6 +5097,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Don't run antimalware programs against ActiveX controls*
- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_3*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
@@ -5048,6 +5151,7 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad
ADMX Info:
- GP english name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_3*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
@@ -5091,6 +5195,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_3*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
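Review bot: The context lines of this entry carry the same GP english name (Initialize and script ActiveX controls not marked as safe) and the same GP name (IZ_PolicyScriptActiveXNotMarkedSafe_3) as the entry in the hunk directly above, and the added GP path is identical as well, so two adjacent policy entries now document the same Group Policy setting. Check against inetres.admx whether the second entry is a distinct policy whose GP name is wrong or a duplicated section, and resolve that before adding the path to it.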
@@ -5134,6 +5239,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Java permissions*
- GP name: *IZ_PolicyJavaPermissions_3*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
@@ -5185,6 +5291,7 @@ If you do not configure this policy setting, users can open windows and frames f
ADMX Info:
- GP english name: *Navigate windows and frames across different domains*
- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_3*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
- GP ADMX file name: *inetres.admx*
@@ -5236,6 +5343,7 @@ If you do not configure this policy setting, users can load a page in the zone t
ADMX Info:
- GP english name: *Access data sources across domains*
- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_9*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
@@ -5287,6 +5395,7 @@ If you do not configure this policy setting, users will receive a prompt when a
ADMX Info:
- GP english name: *Automatic prompting for ActiveX controls*
- GP name: *IZ_PolicyNotificationBarActiveXURLaction_9*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
@@ -5336,6 +5445,7 @@ If you disable or do not configure this setting, users will receive a file downl
ADMX Info:
- GP english name: *Automatic prompting for file downloads*
- GP name: *IZ_PolicyNotificationBarDownloadURLaction_9*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
@@ -5387,6 +5497,7 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa
ADMX Info:
- GP english name: *Allow font downloads*
- GP name: *IZ_PolicyFontDownload_9*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
@@ -5438,6 +5549,7 @@ If you do not configure this policy setting, the possibly harmful navigations ar
ADMX Info:
- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
- GP name: *IZ_PolicyZoneElevationURLaction_9*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
@@ -5489,6 +5601,7 @@ If you do not configure this policy setting, Internet Explorer will not execute
ADMX Info:
- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_9*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
@@ -5540,6 +5653,7 @@ If you do not configure this policy setting, the user can enable or disable scri
ADMX Info:
- GP english name: *Allow scriptlets*
- GP name: *IZ_Policy_AllowScriptlets_9*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
@@ -5593,6 +5707,7 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt
ADMX Info:
- GP english name: *Turn on SmartScreen Filter scan*
- GP name: *IZ_Policy_Phishing_9*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
@@ -5644,6 +5759,7 @@ If you do not configure this policy setting, users can preserve information in t
ADMX Info:
- GP english name: *Userdata persistence*
- GP name: *IZ_PolicyUserdataPersistence_9*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
@@ -5687,6 +5803,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Don't run antimalware programs against ActiveX controls*
- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_9*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
@@ -5740,6 +5857,7 @@ If you do not configure this policy setting, users are queried whether to allow
ADMX Info:
- GP english name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_9*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
@@ -5783,6 +5901,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Java permissions*
- GP name: *IZ_PolicyJavaPermissions_9*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
@@ -5834,6 +5953,7 @@ If you do not configure this policy setting, users can open windows and frames f
ADMX Info:
- GP english name: *Navigate windows and frames across different domains*
- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_9*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
- GP ADMX file name: *inetres.admx*
@@ -5885,6 +6005,7 @@ If you do not configure this policy setting, users cannot load a page in the zon
ADMX Info:
- GP english name: *Access data sources across domains*
- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_2*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -5936,6 +6057,7 @@ If you do not configure this policy setting, ActiveX control installations will
ADMX Info:
- GP english name: *Automatic prompting for ActiveX controls*
- GP name: *IZ_PolicyNotificationBarActiveXURLaction_2*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -5985,6 +6107,7 @@ If you disable or do not configure this setting, file downloads that are not use
ADMX Info:
- GP english name: *Automatic prompting for file downloads*
- GP name: *IZ_PolicyNotificationBarDownloadURLaction_2*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -6036,6 +6159,7 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa
ADMX Info:
- GP english name: *Allow font downloads*
- GP name: *IZ_PolicyFontDownload_2*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -6087,6 +6211,7 @@ If you do not configure this policy setting, the possibly harmful navigations ar
ADMX Info:
- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
- GP name: *IZ_PolicyZoneElevationURLaction_2*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -6138,6 +6263,7 @@ If you do not configure this policy setting, Internet Explorer will not execute
ADMX Info:
- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_2*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -6189,6 +6315,7 @@ If you do not configure this policy setting, the user can enable or disable scri
ADMX Info:
- GP english name: *Allow scriptlets*
- GP name: *IZ_Policy_AllowScriptlets_2*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -6242,6 +6369,7 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt
ADMX Info:
- GP english name: *Turn on SmartScreen Filter scan*
- GP name: *IZ_Policy_Phishing_2*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -6293,6 +6421,7 @@ If you do not configure this policy setting, users can preserve information in t
ADMX Info:
- GP english name: *Userdata persistence*
- GP name: *IZ_PolicyUserdataPersistence_2*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -6346,6 +6475,7 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad
ADMX Info:
- GP english name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_2*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -6389,6 +6519,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Java permissions*
- GP name: *IZ_PolicyJavaPermissions_2*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -6440,6 +6571,7 @@ If you do not configure this policy setting, users can open windows and frames f
ADMX Info:
- GP english name: *Navigate windows and frames across different domains*
- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_2*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
- GP ADMX file name: *inetres.admx*
@@ -6491,6 +6623,7 @@ If you do not configure this policy setting, users are queried to choose whether
ADMX Info:
- GP english name: *Access data sources across domains*
- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_4*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
@@ -6542,6 +6675,7 @@ If you do not configure this policy setting, ActiveX control installations will
ADMX Info:
- GP english name: *Automatic prompting for ActiveX controls*
- GP name: *IZ_PolicyNotificationBarActiveXURLaction_4*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
@@ -6591,6 +6725,7 @@ If you disable or do not configure this setting, file downloads that are not use
ADMX Info:
- GP english name: *Automatic prompting for file downloads*
- GP name: *IZ_PolicyNotificationBarDownloadURLaction_4*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
@@ -6642,6 +6777,7 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa
ADMX Info:
- GP english name: *Allow font downloads*
- GP name: *IZ_PolicyFontDownload_4*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
@@ -6693,6 +6829,7 @@ If you do not configure this policy setting, the possibly harmful navigations ar
ADMX Info:
- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
- GP name: *IZ_PolicyZoneElevationURLaction_4*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
@@ -6744,6 +6881,7 @@ If you do not configure this policy setting, Internet Explorer will not execute
ADMX Info:
- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_4*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
@@ -6795,6 +6933,7 @@ If you do not configure this policy setting, the user can enable or disable scri
ADMX Info:
- GP english name: *Allow scriptlets*
- GP name: *IZ_Policy_AllowScriptlets_4*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
@@ -6848,6 +6987,7 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt
ADMX Info:
- GP english name: *Turn on SmartScreen Filter scan*
- GP name: *IZ_Policy_Phishing_4*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
@@ -6899,6 +7039,7 @@ If you do not configure this policy setting, users can preserve information in t
ADMX Info:
- GP english name: *Userdata persistence*
- GP name: *IZ_PolicyUserdataPersistence_4*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
@@ -6952,6 +7093,7 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad
ADMX Info:
- GP english name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_4*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
@@ -7003,6 +7145,7 @@ If you do not configure this policy setting, users can open windows and frames f
ADMX Info:
- GP english name: *Navigate windows and frames across different domains*
- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_4*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
- GP ADMX file name: *inetres.admx*
@@ -7054,6 +7197,7 @@ If you do not configure this policy setting, users can load a page in the zone t
ADMX Info:
- GP english name: *Access data sources across domains*
- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_10*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
@@ -7105,6 +7249,7 @@ If you do not configure this policy setting, ActiveX control installations will
ADMX Info:
- GP english name: *Automatic prompting for ActiveX controls*
- GP name: *IZ_PolicyNotificationBarActiveXURLaction_10*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
@@ -7154,6 +7299,7 @@ If you disable or do not configure this setting, file downloads that are not use
ADMX Info:
- GP english name: *Automatic prompting for file downloads*
- GP name: *IZ_PolicyNotificationBarDownloadURLaction_10*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
@@ -7205,6 +7351,7 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa
ADMX Info:
- GP english name: *Allow font downloads*
- GP name: *IZ_PolicyFontDownload_10*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
@@ -7256,6 +7403,7 @@ If you do not configure this policy setting, the possibly harmful navigations ar
ADMX Info:
- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
- GP name: *IZ_PolicyZoneElevationURLaction_10*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
@@ -7307,6 +7455,7 @@ If you do not configure this policy setting, Internet Explorer will not execute
ADMX Info:
- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_10*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
@@ -7358,6 +7507,7 @@ If you do not configure this policy setting, the user can enable or disable scri
ADMX Info:
- GP english name: *Allow scriptlets*
- GP name: *IZ_Policy_AllowScriptlets_10*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
@@ -7411,6 +7561,7 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt
ADMX Info:
- GP english name: *Turn on SmartScreen Filter scan*
- GP name: *IZ_Policy_Phishing_10*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
@@ -7462,6 +7613,7 @@ If you do not configure this policy setting, users can preserve information in t
ADMX Info:
- GP english name: *Userdata persistence*
- GP name: *IZ_PolicyUserdataPersistence_10*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
@@ -7515,6 +7667,7 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad
ADMX Info:
- GP english name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_10*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
@@ -7558,6 +7711,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Java permissions*
- GP name: *IZ_PolicyJavaPermissions_10*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
@@ -7609,6 +7763,7 @@ If you do not configure this policy setting, users can open windows and frames f
ADMX Info:
- GP english name: *Navigate windows and frames across different domains*
- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_10*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
- GP ADMX file name: *inetres.admx*
@@ -7660,6 +7815,7 @@ If you do not configure this policy setting, users cannot load a page in the zon
ADMX Info:
- GP english name: *Access data sources across domains*
- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_8*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -7711,6 +7867,7 @@ If you do not configure this policy setting, ActiveX control installations will
ADMX Info:
- GP english name: *Automatic prompting for ActiveX controls*
- GP name: *IZ_PolicyNotificationBarActiveXURLaction_8*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -7760,6 +7917,7 @@ If you disable or do not configure this setting, file downloads that are not use
ADMX Info:
- GP english name: *Automatic prompting for file downloads*
- GP name: *IZ_PolicyNotificationBarDownloadURLaction_8*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -7811,6 +7969,7 @@ If you do not configure this policy setting, users are queried whether to allow
ADMX Info:
- GP english name: *Allow font downloads*
- GP name: *IZ_PolicyFontDownload_8*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -7862,6 +8021,7 @@ If you do not configure this policy setting, the possibly harmful navigations ar
ADMX Info:
- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
- GP name: *IZ_PolicyZoneElevationURLaction_8*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -7913,6 +8073,7 @@ If you do not configure this policy setting, Internet Explorer will not execute
ADMX Info:
- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_8*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -7964,6 +8125,7 @@ If you do not configure this policy setting, the user can enable or disable scri
ADMX Info:
- GP english name: *Allow scriptlets*
- GP name: *IZ_Policy_AllowScriptlets_8*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -8017,6 +8179,7 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt
ADMX Info:
- GP english name: *Turn on SmartScreen Filter scan*
- GP name: *IZ_Policy_Phishing_8*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -8068,6 +8231,7 @@ If you do not configure this policy setting, users cannot preserve information i
ADMX Info:
- GP english name: *Userdata persistence*
- GP name: *IZ_PolicyUserdataPersistence_8*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -8121,6 +8285,7 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad
ADMX Info:
- GP english name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_8*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -8164,6 +8329,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Java permissions*
- GP name: *IZ_PolicyJavaPermissions_8*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -8215,6 +8381,7 @@ If you do not configure this policy setting, users cannot open other windows and
ADMX Info:
- GP english name: *Navigate windows and frames across different domains*
- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_8*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -8266,6 +8433,7 @@ If you do not configure this policy setting, users can load a page in the zone t
ADMX Info:
- GP english name: *Access data sources across domains*
- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_6*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -8317,6 +8485,7 @@ If you do not configure this policy setting, ActiveX control installations will
ADMX Info:
- GP english name: *Automatic prompting for ActiveX controls*
- GP name: *IZ_PolicyNotificationBarActiveXURLaction_6*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -8366,6 +8535,7 @@ If you disable or do not configure this setting, file downloads that are not use
ADMX Info:
- GP english name: *Automatic prompting for file downloads*
- GP name: *IZ_PolicyNotificationBarDownloadURLaction_6*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -8417,6 +8587,7 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa
ADMX Info:
- GP english name: *Allow font downloads*
- GP name: *IZ_PolicyFontDownload_6*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -8468,6 +8639,7 @@ If you do not configure this policy setting, the possibly harmful navigations ar
ADMX Info:
- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
- GP name: *IZ_PolicyZoneElevationURLaction_6*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -8519,6 +8691,7 @@ If you do not configure this policy setting, Internet Explorer will not execute
ADMX Info:
- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_6*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -8570,6 +8743,7 @@ If you do not configure this policy setting, the user can enable or disable scri
ADMX Info:
- GP english name: *Allow scriptlets*
- GP name: *IZ_Policy_AllowScriptlets_6*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -8623,6 +8797,7 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt
ADMX Info:
- GP english name: *Turn on SmartScreen Filter scan*
- GP name: *IZ_Policy_Phishing_6*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -8674,6 +8849,7 @@ If you do not configure this policy setting, users can preserve information in t
ADMX Info:
- GP english name: *Userdata persistence*
- GP name: *IZ_PolicyUserdataPersistence_6*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -8727,6 +8903,7 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad
ADMX Info:
- GP english name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_6*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -8770,6 +8947,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Java permissions*
- GP name: *IZ_PolicyJavaPermissions_6*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -8821,6 +8999,7 @@ If you do not configure this policy setting, users can open windows and frames f
ADMX Info:
- GP english name: *Navigate windows and frames across different domains*
- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_6*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -8864,6 +9043,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Internet Explorer Processes*
- GP name: *IESF_PolicyExplorerProcesses_3*
+- GP path: *Windows Components/Internet Explorer/Security Features/MK Protocol Security Restriction*
- GP ADMX file name: *inetres.admx*
@@ -8907,6 +9087,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Internet Explorer Processes*
- GP name: *IESF_PolicyExplorerProcesses_6*
+- GP path: *Windows Components/Internet Explorer/Security Features/Mime Sniffing Safety Feature*
- GP ADMX file name: *inetres.admx*
@@ -8950,6 +9131,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Internet Explorer Processes*
- GP name: *IESF_PolicyExplorerProcesses_10*
+- GP path: *Windows Components/Internet Explorer/Security Features/Notification bar*
- GP ADMX file name: *inetres.admx*
@@ -8993,6 +9175,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Prevent managing SmartScreen Filter*
- GP name: *Disable_Managing_Safety_Filter_IE9*
+- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
@@ -9036,6 +9219,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Prevent per-user installation of ActiveX controls*
- GP name: *DisablePerUserActiveXInstall*
+- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
@@ -9079,6 +9263,7 @@ ADMX Info:
ADMX Info:
- GP english name: *All Processes*
- GP name: *IESF_PolicyAllProcesses_9*
+- GP path: *Windows Components/Internet Explorer/Security Features/Protection From Zone Elevation*
- GP ADMX file name: *inetres.admx*
@@ -9122,6 +9307,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Remove "Run this time" button for outdated ActiveX controls in Internet Explorer *
- GP name: *VerMgmtDisableRunThisTime*
+- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management*
- GP ADMX file name: *inetres.admx*
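Review bot: The GP english name in this block ends with a space before the closing asterisk (`...in Internet Explorer *`), so the emphasis will not close and the asterisks will show up literally in the rendered page. Since this block is being touched anyway, trim the trailing space so it matches the other ADMX entries.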
@@ -9165,6 +9351,7 @@ ADMX Info:
ADMX Info:
- GP english name: *All Processes*
- GP name: *IESF_PolicyAllProcesses_11*
+- GP path: *Windows Components/Internet Explorer/Security Features/Restrict ActiveX Install*
- GP ADMX file name: *inetres.admx*
@@ -9208,6 +9395,7 @@ ADMX Info:
ADMX Info:
- GP english name: *All Processes*
- GP name: *IESF_PolicyAllProcesses_12*
+- GP path: *Windows Components/Internet Explorer/Security Features/Restrict File Download*
- GP ADMX file name: *inetres.admx*
@@ -9259,6 +9447,7 @@ If you do not configure this policy setting, users cannot load a page in the zon
ADMX Info:
- GP english name: *Access data sources across domains*
- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -9302,6 +9491,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Allow active scripting*
- GP name: *IZ_PolicyActiveScripting_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -9353,6 +9543,7 @@ If you do not configure this policy setting, ActiveX control installations will
ADMX Info:
- GP english name: *Automatic prompting for ActiveX controls*
- GP name: *IZ_PolicyNotificationBarActiveXURLaction_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -9402,6 +9593,7 @@ If you disable or do not configure this setting, file downloads that are not use
ADMX Info:
- GP english name: *Automatic prompting for file downloads*
- GP name: *IZ_PolicyNotificationBarDownloadURLaction_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -9445,6 +9637,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Allow binary and script behaviors*
- GP name: *IZ_PolicyBinaryBehaviors_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -9488,6 +9681,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Allow cut, copy or paste operations from the clipboard via script*
- GP name: *IZ_PolicyAllowPasteViaScript_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -9531,6 +9725,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Allow drag and drop or copy and paste files*
- GP name: *IZ_PolicyDropOrPasteFiles_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -9574,6 +9769,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Allow file downloads*
- GP name: *IZ_PolicyFileDownload_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -9625,6 +9821,7 @@ If you do not configure this policy setting, users are queried whether to allow
ADMX Info:
- GP english name: *Allow font downloads*
- GP name: *IZ_PolicyFontDownload_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -9676,6 +9873,7 @@ If you do not configure this policy setting, the possibly harmful navigations ar
ADMX Info:
- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
- GP name: *IZ_PolicyZoneElevationURLaction_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -9719,6 +9917,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Allow loading of XAML files*
- GP name: *IZ_Policy_XAML_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -9762,6 +9961,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Allow META REFRESH*
- GP name: *IZ_PolicyAllowMETAREFRESH_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -9813,6 +10013,7 @@ If you do not configure this policy setting, Internet Explorer will not execute
ADMX Info:
- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -9856,6 +10057,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Allow only approved domains to use ActiveX controls without prompt*
- GP name: *IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Restricted*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -9899,6 +10101,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Allow only approved domains to use the TDC ActiveX control*
- GP name: *IZ_PolicyAllowTDCControl_Both_Restricted*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -9942,6 +10145,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Allow script-initiated windows without size or position constraints*
- GP name: *IZ_PolicyWindowsRestrictionsURLaction_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -9985,6 +10189,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Allow scripting of Internet Explorer WebBrowser controls*
- GP name: *IZ_Policy_WebBrowserControl_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -10036,6 +10241,7 @@ If you do not configure this policy setting, the user can enable or disable scri
ADMX Info:
- GP english name: *Allow scriptlets*
- GP name: *IZ_Policy_AllowScriptlets_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -10089,6 +10295,7 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt
ADMX Info:
- GP english name: *Turn on SmartScreen Filter scan*
- GP name: *IZ_Policy_Phishing_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -10132,6 +10339,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Allow updates to status bar via script*
- GP name: *IZ_Policy_ScriptStatusBar_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -10183,6 +10391,7 @@ If you do not configure this policy setting, users cannot preserve information i
ADMX Info:
- GP english name: *Userdata persistence*
- GP name: *IZ_PolicyUserdataPersistence_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -10226,6 +10435,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Don't run antimalware programs against ActiveX controls*
- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -10269,6 +10479,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Download signed ActiveX controls*
- GP name: *IZ_PolicyDownloadSignedActiveX_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -10312,6 +10523,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Download unsigned ActiveX controls*
- GP name: *IZ_PolicyDownloadUnsignedActiveX_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -10355,6 +10567,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Turn on Cross-Site Scripting Filter*
- GP name: *IZ_PolicyTurnOnXSSFilter_Both_Restricted*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -10398,6 +10611,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Enable dragging of content from different domains across windows*
- GP name: *IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Restricted*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -10441,6 +10655,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Enable dragging of content from different domains within a window*
- GP name: *IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Restricted*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -10484,6 +10699,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Enable MIME Sniffing*
- GP name: *IZ_PolicyMimeSniffingURLaction_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -10527,6 +10743,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Include local path when user is uploading files to a server*
- GP name: *IZ_Policy_LocalPathForUpload_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -10580,6 +10797,7 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad
ADMX Info:
- GP english name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -10623,6 +10841,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Java permissions*
- GP name: *IZ_PolicyJavaPermissions_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -10666,6 +10885,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Launching applications and files in an IFRAME*
- GP name: *IZ_PolicyLaunchAppsAndFilesInIFRAME_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -10709,6 +10929,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Logon options*
- GP name: *IZ_PolicyLogon_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -10760,6 +10981,7 @@ If you do not configure this policy setting, users cannot open other windows and
ADMX Info:
- GP english name: *Navigate windows and frames across different domains*
- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -10803,6 +11025,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Navigate windows and frames across different domains*
- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
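Review bot: This ADMX block carries the same GP english name and GP name (IZ_PolicyNavigateSubframesAcrossDomains_7) as the block in the hunk immediately before it, so two different policy sections now point at the same Group Policy entry. Please confirm which policy this section actually documents and correct the name before adding a GP path to it; otherwise the new path line just reinforces a wrong mapping.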
@@ -10846,6 +11069,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Run ActiveX controls and plugins*
- GP name: *IZ_PolicyRunActiveXControls_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -10889,6 +11113,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Run .NET Framework-reliant components signed with Authenticode*
- GP name: *IZ_PolicySignedFrameworkComponentsURLaction_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -10932,6 +11157,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Script ActiveX controls marked safe for scripting*
- GP name: *IZ_PolicyScriptActiveXMarkedSafe_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -10975,6 +11201,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Scripting of Java applets*
- GP name: *IZ_PolicyScriptingOfJavaApplets_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -11018,6 +11245,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Show security warning for potentially unsafe files*
- GP name: *IZ_Policy_UnsafeFiles_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -11061,6 +11289,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Turn on Cross-Site Scripting Filter*
- GP name: *IZ_PolicyTurnOnXSSFilter_Both_Restricted*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
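Review bot: The GP name here, IZ_PolicyTurnOnXSSFilter_Both_Restricted, with english name "Turn on Cross-Site Scripting Filter", already appears in an earlier block of this same file (the hunk at -10355). One of the two sections is probably documenting a different Restricted Sites Zone policy and inherited the wrong ADMX info. Worth checking against inetres.admx before merging.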
@@ -11104,6 +11333,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Turn on Protected Mode*
- GP name: *IZ_Policy_TurnOnProtectedMode_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -11147,6 +11377,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Use Pop-up Blocker*
- GP name: *IZ_PolicyBlockPopupWindows_7*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -11190,6 +11421,7 @@ ADMX Info:
ADMX Info:
- GP english name: *All Processes*
- GP name: *IESF_PolicyAllProcesses_8*
+- GP path: *Windows Components/Internet Explorer/Security Features/Scripted Window Security Restrictions*
- GP ADMX file name: *inetres.admx*
@@ -11239,6 +11471,7 @@ If you disable or do not configure this policy setting, the user can configure h
ADMX Info:
- GP english name: *Restrict search providers to a specific list*
- GP name: *SpecificSearchProvider*
+- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
@@ -11282,6 +11515,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Security Zones: Use only machine settings *
- GP name: *Security_HKLM_only*
+- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
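Review bot: "*Security Zones: Use only machine settings *" has a space before the closing asterisk, which stops the italic from closing when rendered. Please drop the trailing space while this block is being edited.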
@@ -11325,6 +11559,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Specify use of ActiveX Installer Service for installation of ActiveX controls*
- GP name: *OnlyUseAXISForActiveXInstall*
+- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
@@ -11376,6 +11611,7 @@ If you do not configure this policy setting, users can load a page in the zone t
ADMX Info:
- GP english name: *Access data sources across domains*
- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_5*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -11427,6 +11663,7 @@ If you do not configure this policy setting, users will receive a prompt when a
ADMX Info:
- GP english name: *Automatic prompting for ActiveX controls*
- GP name: *IZ_PolicyNotificationBarActiveXURLaction_5*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -11476,6 +11713,7 @@ If you disable or do not configure this setting, users will receive a file downl
ADMX Info:
- GP english name: *Automatic prompting for file downloads*
- GP name: *IZ_PolicyNotificationBarDownloadURLaction_5*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -11527,6 +11765,7 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa
ADMX Info:
- GP english name: *Allow font downloads*
- GP name: *IZ_PolicyFontDownload_5*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -11578,6 +11817,7 @@ If you do not configure this policy setting, a warning is issued to the user tha
ADMX Info:
- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
- GP name: *IZ_PolicyZoneElevationURLaction_5*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -11629,6 +11869,7 @@ If you do not configure this policy setting, Internet Explorer will execute unsi
ADMX Info:
- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_5*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -11680,6 +11921,7 @@ If you do not configure this policy setting, the user can enable or disable scri
ADMX Info:
- GP english name: *Allow scriptlets*
- GP name: *IZ_Policy_AllowScriptlets_5*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -11733,6 +11975,7 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt
ADMX Info:
- GP english name: *Turn on SmartScreen Filter scan*
- GP name: *IZ_Policy_Phishing_5*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -11784,6 +12027,7 @@ If you do not configure this policy setting, users can preserve information in t
ADMX Info:
- GP english name: *Userdata persistence*
- GP name: *IZ_PolicyUserdataPersistence_5*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -11827,6 +12071,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Don't run antimalware programs against ActiveX controls*
- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_5*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -11870,6 +12115,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Don't run antimalware programs against ActiveX controls*
- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_5*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
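Review bot: This block and the one in the preceding hunk both list IZ_PolicyAntiMalwareCheckingOfActiveXControls_5 with the same english name, so two Trusted Sites Zone policy sections resolve to one Group Policy setting. Only one of them can be right; please identify the policy the second section is meant to describe and fix its GP english name and GP name along with the new GP path.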
@@ -11923,6 +12169,7 @@ If you do not configure this policy setting, users are queried whether to allow
ADMX Info:
- GP english name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_5*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -11966,6 +12213,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_5*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -12009,6 +12257,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Initialize and script ActiveX controls not marked as safe*
- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_5*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
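Review bot: This is the third consecutive block mapped to IZ_PolicyScriptActiveXNotMarkedSafe_5 ("Initialize and script ActiveX controls not marked as safe"); the hunks at -11923, -11966 and -12009 all show identical ADMX info. Anyone using these entries to locate the setting in Group Policy will land on the same policy three times. Please correct the two copied entries, or remove the duplicate sections, rather than adding the GP path to each.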
@@ -12052,6 +12301,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Java permissions*
- GP name: *IZ_PolicyJavaPermissions_5*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
@@ -12103,6 +12353,7 @@ If you do not configure this policy setting, users can open windows and frames f
ADMX Info:
- GP english name: *Navigate windows and frames across different domains*
- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_5*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
- GP ADMX file name: *inetres.admx*
diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md
index 801ebc1f70..f415128684 100644
--- a/windows/client-management/mdm/policy-csp-kerberos.md
+++ b/windows/client-management/mdm/policy-csp-kerberos.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - Kerberos
@@ -64,6 +64,7 @@ If you disable or do not configure this policy setting, the Kerberos client does
ADMX Info:
- GP english name: *Use forest search order*
- GP name: *ForestSearch*
+- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
@@ -112,6 +113,7 @@ If you disable or do not configure this policy setting, the client devices will
ADMX Info:
- GP english name: *Kerberos client support for claims, compound authentication and Kerberos armoring*
- GP name: *EnableCbacAndArmor*
+- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
@@ -165,6 +167,7 @@ If you disable or do not configure this policy setting, the client computers in
ADMX Info:
- GP english name: *Fail authentication requests when Kerberos armoring is not available*
- GP name: *ClientRequireFast*
+- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
@@ -214,6 +217,7 @@ If you disable or do not configure this policy setting, the Kerberos client requ
ADMX Info:
- GP english name: *Require strict KDC validation*
- GP name: *ValidateKDC*
+- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
@@ -267,6 +271,7 @@ Note: This policy setting configures the existing MaxTokenSize registry value in
ADMX Info:
- GP english name: *Set maximum Kerberos SSPI context token buffer size*
- GP name: *MaxTokenSize*
+- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
diff --git a/windows/client-management/mdm/policy-csp-licensing.md b/windows/client-management/mdm/policy-csp-licensing.md
index 192795ada2..e0cc238f3e 100644
--- a/windows/client-management/mdm/policy-csp-licensing.md
+++ b/windows/client-management/mdm/policy-csp-licensing.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - Licensing
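Review bot: The only change to policy-csp-licensing.md is the ms.date bump from 07/14/2017 to 08/09/2017, with no content change in the file. If the date is meant to reflect the last content revision, leave it as it was; if it is regenerated for every Policy CSP page, say so in the commit message so the churn is expected.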
diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
new file mode 100644
index 0000000000..627363f336
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
@@ -0,0 +1,1025 @@
+---
+title: Policy CSP - LocalPoliciesSecurityOptions
+description: Policy CSP - LocalPoliciesSecurityOptions
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 08/09/2017
+---
+
+# Policy CSP - LocalPoliciesSecurityOptions
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+
+
+This policy setting prevents users from adding new Microsoft accounts on this computer.
+
+If you select the "Users cannot add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise.
+
+If you select the "Users cannot add or log on with Microsoft accounts" option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system.
+
+If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows.
+
+Valid values:
+- 0 - disabled (users will be able to use Microsoft accounts with Windows)
+- 1 - enabled (users cannot add Microsoft accounts)
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+This security setting determines whether the local Administrator account is enabled or disabled.
+
+If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot reenable the account. In this case, an alternative member of the Administrators group must reset the password on the Administrator account. For information about how to reset a password, see To reset a password.
+Disabling the Administrator account can become a maintenance issue under certain circumstances.
+
+Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administrator accounts. If the computer is domain joined the disabled administrator will not be enabled.
+
+Default: Disabled.
+Valid values:
+- 0 - local Administrator account is disabled
+- 1 - local Administrator account is enabled
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+This security setting determines if the Guest account is enabled or disabled.
+
+Default: Disabled.
+Valid values:
+- 0 - local Guest account is disabled
+- 1 - local Guest account is enabled
+
+Note: If the Guest account is disabled and the security option Network Access: Sharing and Security Model for local accounts is set to Guest Only, network logons, such as those performed by the Microsoft Network Server (SMB Service), will fail.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+Accounts: Limit local account use of blank passwords to console logon only
+
+This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard.
+
+Default: Enabled.
+Valid values:
+- 0 - disabled - local accounts that are not password protected can be used to log on from locations other than the physical computer console
+- 1 - enabled - local accounts that are not password protected will only be able to log on at the computer's keyboard
+
+Warning:
+
+Computers that are not in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the computer can log on by using a user account that does not have a password. This is especially important for portable computers.
+If you apply this security policy to the Everyone group, no one will be able to log on through Remote Desktop Services.
+
+This setting does not affect logons that use domain accounts.
+It is possible for applications that use remote interactive logons to bypass this setting.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+Accounts: Rename administrator account
+
+This security setting determines whether a different account name is associated with the security identifier (SID) for the account Administrator. Renaming the well-known Administrator account makes it slightly more difficult for unauthorized persons to guess this privileged user name and password combination.
+
+Default: Administrator.
+
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+Accounts: Rename guest account
+
+This security setting determines whether a different account name is associated with the security identifier (SID) for the account "Guest." Renaming the well-known Guest account makes it slightly more difficult for unauthorized persons to guess this user name and password combination.
+
+Default: Guest.
+
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+Interactive Logon:Display user information when the session is locked
+
+Valid values:
+- 1 - User display name, domain and user names
+- 2 - User display name only
+- 3 - Do not display user information
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+Interactive logon: Don't display last signed-in
+
+This security setting determines whether the Windows sign-in screen will show the username of the last person who signed in on this PC.
+If this policy is enabled, the username will not be shown.
+
+If this policy is disabled, the username will be shown.
+
+Default: Disabled.
+Valid values:
+- 0 - disabled (username will be shown)
+- 1 - enabled (username will not be shown)
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+Interactive logon: Don't display username at sign-in
+
+This security setting determines whether the username of the person signing in to this PC appears at Windows sign-in, after credentials are entered, and before the PC desktop is shown.
+
+If this policy is enabled, the username will not be shown.
+
+If this policy is disabled, the username will be shown.
+
+Default: Disabled.
+Valid values:
+- 0 - disabled (username will be shown)
+- 1 - enabled (username will not be shown)
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/InteractiveLogon_DoNotRequireCTRLALTDEL**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+Interactive logon: Do not require CTRL+ALT+DEL
+
+This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on.
+
+If this policy is enabled on a computer, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the users' passwords. Requiring CTRL+ALT+DEL before users log on ensures that users are communicating by means of a trusted path when entering their passwords.
+
+If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to Windows.
+
+Default on domain-computers: Enabled: At least Windows 8/Disabled: Windows 7 or earlier.
+Default on stand-alone computers: Enabled.
+Valid values:
+- 0 - disabled
+- 1 - enabled (a user is not required to press CTRL+ALT+DEL to log on)
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+Interactive logon: Machine inactivity limit.
+
+Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session.
+
+Default: not enforced.
+Valid values:
+- 0 - disabled
+- 1 - enabled (session will lock after amount of inactive time exceeds the inactivity limit)
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+Interactive logon: Message text for users attempting to log on
+
+This security setting specifies a text message that is displayed to users when they log on.
+
+This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited.
+
+Default: No message.
+
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+Interactive logon: Message title for users attempting to log on
+
+This security setting allows the specification of a title to appear in the title bar of the window that contains the Interactive logon: Message text for users attempting to log on.
+
+Default: No message.
+
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+Network security: Allow PKU2U authentication requests to this computer to use online identities.
+
+This policy will be turned off by default on domain joined machines. This would prevent online identities from authenticating to the domain joined machine.
+
+Valid values:
+- 0 - disabled
+- 1 - enabled (allow PKU2U authentication requests to this computer to use online identities.)
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+Recovery console: Allow automatic administrative logon
+
+This security setting determines if the password for the Administrator account must be given before access to the system is granted. If this option is enabled, the Recovery Console does not require you to provide a password, and it automatically logs on to the system.
+
+Default: This policy is not defined and automatic administrative logon is not allowed.
+Valid values:
+- 0 - disabled
+- 1 - enabled (allow automatic administrative logon)
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+Shutdown: Allow system to be shut down without having to log on
+
+This security setting determines whether a computer can be shut down without having to log on to Windows.
+
+When this policy is enabled, the Shut Down command is available on the Windows logon screen.
+
+When this policy is disabled, the option to shut down the computer does not appear on the Windows logon screen. In this case, users must be able to log on to the computer successfully and have the Shut down the system user right before they can perform a system shutdown.
+
+Default on workstations: Enabled.
+Default on servers: Disabled.
+Valid values:
+- 0 - disabled
+- 1 - enabled (allow system to be shut down without having to log on)
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+User Account Control: Turn on Admin Approval Mode
+
+This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer.
+
+The options are:
+- 0 - Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced.
+- 1 - Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode.
+
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop.
+
+This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user.
+
+Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop.
+
+Disabled: (Default)
+Valid values:
+- 0 - disabled
+- 1 - enabled (allow UIAccess applications to prompt for elevation without using the secure desktop)
+
+The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
+
+This policy setting controls the behavior of the elevation prompt for administrators.
+
+The options are:
+
+• Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments.
+
+• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege.
+
+• Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
+
+• Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
+
+• Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
+
+• Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+User Account Control: Behavior of the elevation prompt for standard users
+This policy setting controls the behavior of the elevation prompt for standard users.
+
+The options are:
+
+• Prompt for credentials: (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
+
+• Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls.
+
+• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+User Account Control: Only elevate executable files that are signed and validated
+
+This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers.
+
+The options are:
+- 0 - Disabled: (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run.
+- 1 - Enabled: Enforces the PKI certification path validation for a given executable file before it is permitted to run.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+User Account Control: Only elevate UIAccess applications that are installed in secure locations
+
+This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following:
+
+- …\Program Files\, including subfolders
+- …\Windows\system32\
+- …\Program Files (x86)\, including subfolders for 64-bit versions of Windows
+
+Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting.
+
+The options are:
+- 0 - Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system.
+- 1 - Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+User Account Control: Switch to the secure desktop when prompting for elevation
+
+This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop.
+
+The options are:
+- 0 - Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used.
+- 1 - Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+**LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+User Account Control: Virtualize file and registry write failures to per-user locations
+
+This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software.
+
+The options are:
+- 0 - Disabled: Applications that write data to protected locations fail.
+- 1 - Enabled: (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
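Review bot: UserAccountControl_BehaviorOfTheElevationPromptForAdministrators and UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers both say "Value type is integer" but list their options only as named bullets, so the reader cannot tell which integer selects which prompt behavior; please give the number for each option, as the other settings in this file do with "0 - ..." and "1 - ...". Three related gaps in the same file: the first setting (the Microsoft accounts one) describes a "Users cannot add or log on with Microsoft accounts" option but its valid values stop at 0 and 1, so either add the value for that option or say it is not available through this node; InteractiveLogon_MachineInactivityLimit documents only 0/1 and never says where the inactivity limit itself is set or in what unit; and InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked has no description or default at all. The wording for value 1 of UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations ("it runs only with UIAccess integrity") also reads backwards against the paragraph above it, which says the application must reside in a secure location; suggest "runs with UIAccess integrity only if it resides in a secure location". Lastly, "see To reset a password" in the Administrator account section is a link title with no target.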
diff --git a/windows/client-management/mdm/policy-csp-location.md b/windows/client-management/mdm/policy-csp-location.md
index ba133e1921..2b3d3a2b35 100644
--- a/windows/client-management/mdm/policy-csp-location.md
+++ b/windows/client-management/mdm/policy-csp-location.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - Location
diff --git a/windows/client-management/mdm/policy-csp-lockdown.md b/windows/client-management/mdm/policy-csp-lockdown.md
index a98d78e52b..c207e57f39 100644
--- a/windows/client-management/mdm/policy-csp-lockdown.md
+++ b/windows/client-management/mdm/policy-csp-lockdown.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - LockDown
diff --git a/windows/client-management/mdm/policy-csp-maps.md b/windows/client-management/mdm/policy-csp-maps.md
index 27d44175e4..9e719e5b3b 100644
--- a/windows/client-management/mdm/policy-csp-maps.md
+++ b/windows/client-management/mdm/policy-csp-maps.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - Maps
diff --git a/windows/client-management/mdm/policy-csp-messaging.md b/windows/client-management/mdm/policy-csp-messaging.md
index e0c705d31b..1734984fd4 100644
--- a/windows/client-management/mdm/policy-csp-messaging.md
+++ b/windows/client-management/mdm/policy-csp-messaging.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - Messaging
diff --git a/windows/client-management/mdm/policy-csp-networkisolation.md b/windows/client-management/mdm/policy-csp-networkisolation.md
index 0d59b01e1b..fba5342cac 100644
--- a/windows/client-management/mdm/policy-csp-networkisolation.md
+++ b/windows/client-management/mdm/policy-csp-networkisolation.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - NetworkIsolation
diff --git a/windows/client-management/mdm/policy-csp-notifications.md b/windows/client-management/mdm/policy-csp-notifications.md
index fa41ee2efb..a1c092d0df 100644
--- a/windows/client-management/mdm/policy-csp-notifications.md
+++ b/windows/client-management/mdm/policy-csp-notifications.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - Notifications
diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md
index f3bb408651..24bb80fa7e 100644
--- a/windows/client-management/mdm/policy-csp-power.md
+++ b/windows/client-management/mdm/policy-csp-power.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - Power
@@ -64,6 +64,7 @@ If you disable this policy setting, standby states (S1-S3) are not allowed.
ADMX Info:
- GP english name: *Allow standby states (S1-S3) when sleeping (plugged in)*
- GP name: *AllowStandbyStatesAC_2*
+- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
@@ -115,6 +116,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Turn off the display (on battery)*
- GP name: *VideoPowerDownTimeOutDC_2*
+- GP path: *System/Power Management/Video and Display Settings*
- GP ADMX file name: *power.admx*
@@ -166,6 +168,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Turn off the display (plugged in)*
- GP name: *VideoPowerDownTimeOutAC_2*
+- GP path: *System/Power Management/Video and Display Settings*
- GP ADMX file name: *power.admx*
@@ -218,6 +221,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Specify the system hibernate timeout (on battery)*
- GP name: *DCHibernateTimeOut_2*
+- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
@@ -269,6 +273,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Specify the system hibernate timeout (plugged in)*
- GP name: *ACHibernateTimeOut_2*
+- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
@@ -318,6 +323,7 @@ If you disable this policy setting, the user is not prompted for a password when
ADMX Info:
- GP english name: *Require a password when a computer wakes (on battery)*
- GP name: *DCPromptForPasswordOnResume_2*
+- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
@@ -367,6 +373,7 @@ If you disable this policy setting, the user is not prompted for a password when
ADMX Info:
- GP english name: *Require a password when a computer wakes (plugged in)*
- GP name: *ACPromptForPasswordOnResume_2*
+- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
@@ -418,6 +425,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Specify the system sleep timeout (on battery)*
- GP name: *DCStandbyTimeOut_2*
+- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
@@ -469,6 +477,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Specify the system sleep timeout (plugged in)*
- GP name: *ACStandbyTimeOut_2*
+- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
diff --git a/windows/client-management/mdm/policy-csp-printers.md b/windows/client-management/mdm/policy-csp-printers.md
index 2fd40ada12..7d17fff50b 100644
--- a/windows/client-management/mdm/policy-csp-printers.md
+++ b/windows/client-management/mdm/policy-csp-printers.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - Printers
@@ -139,6 +139,7 @@ If you disable this policy setting:
ADMX Info:
- GP english name: *Point and Print Restrictions*
- GP name: *PointAndPrint_Restrictions*
+- GP path: *Control Panel/Printers*
- GP ADMX file name: *Printing.admx*
diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md
index 64b43c3fd9..b2969151a6 100644
--- a/windows/client-management/mdm/policy-csp-privacy.md
+++ b/windows/client-management/mdm/policy-csp-privacy.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - Privacy
diff --git a/windows/client-management/mdm/policy-csp-remoteassistance.md b/windows/client-management/mdm/policy-csp-remoteassistance.md
index 0f082798fe..b8964b01a1 100644
--- a/windows/client-management/mdm/policy-csp-remoteassistance.md
+++ b/windows/client-management/mdm/policy-csp-remoteassistance.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - RemoteAssistance
@@ -70,6 +70,7 @@ If you do not configure this policy setting, the user sees the default warning m
ADMX Info:
- GP english name: *Customize warning messages*
- GP name: *RA_Options*
+- GP path: *System/Remote Assistance*
- GP ADMX file name: *remoteassistance.admx*
@@ -121,6 +122,7 @@ If you do not configure this setting, application-based settings are used.
ADMX Info:
- GP english name: *Turn on session logging*
- GP name: *RA_Logging*
+- GP path: *System/Remote Assistance*
- GP ADMX file name: *remoteassistance.admx*
@@ -180,6 +182,7 @@ If you enable this policy setting you should also enable appropriate firewall ex
ADMX Info:
- GP english name: *Configure Solicited Remote Assistance*
- GP name: *RA_Solicit*
+- GP path: *System/Remote Assistance*
- GP ADMX file name: *remoteassistance.admx*
@@ -262,6 +265,7 @@ Allow Remote Desktop Exception
ADMX Info:
- GP english name: *Configure Offer Remote Assistance*
- GP name: *RA_Unsolicit*
+- GP path: *System/Remote Assistance*
- GP ADMX file name: *remoteassistance.admx*
diff --git a/windows/client-management/mdm/policy-csp-remotedesktopservices.md b/windows/client-management/mdm/policy-csp-remotedesktopservices.md
index 57e8b93015..fc802cbca7 100644
--- a/windows/client-management/mdm/policy-csp-remotedesktopservices.md
+++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - RemoteDesktopServices
@@ -70,6 +70,7 @@ You can limit the number of users who can connect simultaneously by configuring
ADMX Info:
- GP english name: *Allow users to connect remotely by using Remote Desktop Services*
- GP name: *TS_DISABLE_CONNECTIONS*
+- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Connections*
- GP ADMX file name: *terminalserver.admx*
@@ -129,6 +130,7 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp
ADMX Info:
- GP english name: *Set client connection encryption level*
- GP name: *TS_ENCRYPTION_POLICY*
+- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security*
- GP ADMX file name: *terminalserver.admx*
@@ -182,6 +184,7 @@ If you do not configure this policy setting, client drive redirection and Clipbo
ADMX Info:
- GP english name: *Do not allow drive redirection*
- GP name: *TS_CLIENT_DRIVE_M*
+- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource Redirection*
- GP ADMX file name: *terminalserver.admx*
@@ -231,6 +234,7 @@ If you disable this setting or leave it not configured, the user will be able to
ADMX Info:
- GP english name: *Do not allow passwords to be saved*
- GP name: *TS_CLIENT_DISABLE_PASSWORD_SAVING_2*
+- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Connection Client*
- GP ADMX file name: *terminalserver.admx*
@@ -286,6 +290,7 @@ If you do not configure this policy setting, automatic logon is not specified at
ADMX Info:
- GP english name: *Always prompt for password upon connection*
- GP name: *TS_PASSWORD*
+- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security*
- GP ADMX file name: *terminalserver.admx*
@@ -341,6 +346,7 @@ Note: The RPC interface is used for administering and configuring Remote Desktop
ADMX Info:
- GP english name: *Require secure RPC communication*
- GP name: *TS_RPC_ENCRYPTION*
+- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security*
- GP ADMX file name: *terminalserver.admx*
diff --git a/windows/client-management/mdm/policy-csp-remotemanagement.md b/windows/client-management/mdm/policy-csp-remotemanagement.md
index 2bb1892add..b1cd0e9207 100644
--- a/windows/client-management/mdm/policy-csp-remotemanagement.md
+++ b/windows/client-management/mdm/policy-csp-remotemanagement.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - RemoteManagement
@@ -58,6 +58,7 @@ ms.date: 07/14/2017
ADMX Info:
- GP english name: *Allow Basic authentication*
- GP name: *AllowBasic_2*
+- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx*
@@ -101,6 +102,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Allow Basic authentication*
- GP name: *AllowBasic_1*
+- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
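Review bot: `AllowBasic_1` and `AllowBasic_2` carry the same GP english name, *Allow Basic authentication*, so the new GP path line is the only thing in either entry that says which one governs the WinRM Service and which the WinRM Client. The mapping used here (`_1` to WinRM Service, `_2` to WinRM Client) matches the other suffixed pairs in this file, but it is worth confirming against WindowsRemoteManagement.admx before merge: an admin who restricts the client setting when they meant the service leaves the service setting unchanged.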
@@ -144,6 +146,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Allow CredSSP authentication*
- GP name: *AllowCredSSP_2*
+- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx*
@@ -187,6 +190,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Allow CredSSP authentication*
- GP name: *AllowCredSSP_1*
+- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
@@ -230,6 +234,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Allow remote server management through WinRM*
- GP name: *AllowAutoConfig*
+- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
@@ -273,6 +278,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Allow unencrypted traffic*
- GP name: *AllowUnencrypted_2*
+- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx*
@@ -316,6 +322,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Allow unencrypted traffic*
- GP name: *AllowUnencrypted_1*
+- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
@@ -359,6 +366,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Disallow Digest authentication*
- GP name: *DisallowDigest*
+- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx*
@@ -402,6 +410,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Disallow Negotiate authentication*
- GP name: *DisallowNegotiate_2*
+- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx*
@@ -445,6 +454,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Disallow Negotiate authentication*
- GP name: *DisallowNegotiate_1*
+- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
@@ -488,6 +498,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Disallow WinRM from storing RunAs credentials*
- GP name: *DisableRunAs*
+- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
@@ -531,6 +542,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Specify channel binding token hardening level*
- GP name: *CBTHardeningLevel_1*
+- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
@@ -574,6 +586,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Trusted Hosts*
- GP name: *TrustedHosts*
+- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client*
- GP ADMX file name: *WindowsRemoteManagement.admx*
@@ -617,6 +630,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Turn On Compatibility HTTP Listener*
- GP name: *HttpCompatibilityListener*
+- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
@@ -660,6 +674,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Turn On Compatibility HTTPS Listener*
- GP name: *HttpsCompatibilityListener*
+- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service*
- GP ADMX file name: *WindowsRemoteManagement.admx*
diff --git a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
index 79559fed08..00dd1a5001 100644
--- a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
+++ b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - RemoteProcedureCall
@@ -68,6 +68,7 @@ Note: This policy will not be applied until the system is rebooted.
ADMX Info:
- GP english name: *Enable RPC Endpoint Mapper Client Authentication*
- GP name: *RpcEnableAuthEpResolution*
+- GP path: *System/Remote Procedure Call*
- GP ADMX file name: *rpc.admx*
@@ -129,6 +130,7 @@ Note: This policy setting will not be applied until the system is rebooted.
ADMX Info:
- GP english name: *Restrict Unauthenticated RPC clients*
- GP name: *RpcRestrictRemoteClients*
+- GP path: *System/Remote Procedure Call*
- GP ADMX file name: *rpc.admx*
diff --git a/windows/client-management/mdm/policy-csp-remoteshell.md b/windows/client-management/mdm/policy-csp-remoteshell.md
index becd1b6df2..ddc13e6c8e 100644
--- a/windows/client-management/mdm/policy-csp-remoteshell.md
+++ b/windows/client-management/mdm/policy-csp-remoteshell.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - RemoteShell
@@ -58,6 +58,7 @@ ms.date: 07/14/2017
ADMX Info:
- GP english name: *Allow Remote Shell Access*
- GP name: *AllowRemoteShellAccess*
+- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
@@ -101,6 +102,7 @@ ADMX Info:
ADMX Info:
- GP english name: *MaxConcurrentUsers*
- GP name: *MaxConcurrentUsers*
+- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
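Review bot: the GP english name on this entry is *MaxConcurrentUsers*, identical to the GP name, whereas the neighbouring RemoteShell entries give a display string (*Allow Remote Shell Access*, *Specify idle Timeout*). If the display name in WindowsRemoteShell.admx differs from the identifier, use it here so admins can find the setting under the new GP path *Windows Components/Windows Remote Shell*.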
@@ -144,6 +146,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Specify idle Timeout*
- GP name: *IdleTimeout*
+- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
@@ -187,6 +190,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Specify maximum amount of memory in MB per Shell*
- GP name: *MaxMemoryPerShellMB*
+- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
@@ -230,6 +234,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Specify maximum number of processes per Shell*
- GP name: *MaxProcessesPerShell*
+- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
@@ -273,6 +278,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Specify maximum number of remote shells per user*
- GP name: *MaxShellsPerUser*
+- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
@@ -316,6 +322,7 @@ ADMX Info:
ADMX Info:
- GP english name: *Specify Shell Timeout*
- GP name: *ShellTimeOut*
+- GP path: *Windows Components/Windows Remote Shell*
- GP ADMX file name: *WindowsRemoteShell.admx*
diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md
index b4338ee741..d5f5c4ad2d 100644
--- a/windows/client-management/mdm/policy-csp-search.md
+++ b/windows/client-management/mdm/policy-csp-search.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - Search
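Review bot: the only change to policy-csp-search.md is the `ms.date` bump from 07/14/2017 to 08/09/2017; no content line differs. The same is true of several other policy-csp files in this diff (Settings, SmartScreen, Speech, Start, WindowsDefenderSecurityCenter, WindowsInkWorkspace). If the date is regenerated by tooling, say so in the commit message; otherwise drop these hunks so the date keeps reflecting the last real content change.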
diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md
index 5b0f36a599..0472962b49 100644
--- a/windows/client-management/mdm/policy-csp-security.md
+++ b/windows/client-management/mdm/policy-csp-security.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/26/2017
+ms.date: 08/09/2017
---
# Policy CSP - Security
@@ -216,6 +216,45 @@ ms.date: 07/26/2017
- 0 – Don't allow Anti Theft Mode.
- 1 (default) – Anti Theft Mode will follow the default device configuration (region-dependent).
+
+
+
+**Security/ClearTPMIfNotReady**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
+
+Added in Windows 10, version 1709. Admin access is required. The prompt will appear on first admin logon after a reboot when the TPM is in a non-ready state that can be remediated with a TPM Clear. The prompt will have a description of what clearing the TPM does and that it requires a reboot. The user can dismiss it, but it will appear on next admin logon after restart.
+
+The following list shows the supported values:
+
+- 0 (default) – Will not force recovery from a non-ready TPM state.
+- 1 – Will prompt to clear the TPM if the TPM is in a non-ready state (or reduced functionality) which can be remediated with a TPM Clear.
+
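Review bot: the description added for `Security/ClearTPMIfNotReady` opens with "Admin access is required. The prompt will appear..." without first saying what the policy does; a reader learns that only from value 1 in the list. Add a lead sentence stating that the policy prompts an administrator to clear the TPM, and state in the text itself what a TPM Clear costs (keys protected by that TPM are lost) rather than leaving it to the on-screen prompt. The trigger is also described two ways: the paragraph says "non-ready state", while value 1 adds "(or reduced functionality)"; pick one wording and use it in both places.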
@@ -258,45 +297,6 @@ ms.date: 07/26/2017
- 0 (default) – Encryption enabled.
- 1 – Encryption disabled.
-
-
-
-**Security/ClearTPMIfNotReady**
-
-
-
-
-
Home
-
Pro
-
Business
-
Enterprise
-
Education
-
Mobile
-
Mobile Enterprise
-
-
-
-
3
-
3
-
3
-
3
-
-
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
-Added in Windows 10, version 1709. Admin access is required. The prompt will appear on first admin logon after a reboot when the TPM is in a non-ready state that can be remediated with a TPM Clear. The prompt will have a description of what clearing the TPM does and that it requires a reboot. The user can dismiss it, but it will appear on next admin logon after restart.
-
-The following list shows the supported values:
-
-- 0 (default) – Will not force recovery from a non-ready TPM state.
-- 1 – Will prompt to clear the TPM if the TPM is in a non-ready state (or reduced functionality) which can be remediated with a TPM Clear.
-
diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md
index 1f0609cf32..66b1036ad7 100644
--- a/windows/client-management/mdm/policy-csp-settings.md
+++ b/windows/client-management/mdm/policy-csp-settings.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - Settings
diff --git a/windows/client-management/mdm/policy-csp-smartscreen.md b/windows/client-management/mdm/policy-csp-smartscreen.md
index f051f86853..f9c43718a4 100644
--- a/windows/client-management/mdm/policy-csp-smartscreen.md
+++ b/windows/client-management/mdm/policy-csp-smartscreen.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - SmartScreen
diff --git a/windows/client-management/mdm/policy-csp-speech.md b/windows/client-management/mdm/policy-csp-speech.md
index e19e02b135..a8f70bedb6 100644
--- a/windows/client-management/mdm/policy-csp-speech.md
+++ b/windows/client-management/mdm/policy-csp-speech.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - Speech
diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md
index 63e49d9fa5..6c0dd2a75b 100644
--- a/windows/client-management/mdm/policy-csp-start.md
+++ b/windows/client-management/mdm/policy-csp-start.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - Start
diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md
index 6e7bf5238a..b0dcf3a30b 100644
--- a/windows/client-management/mdm/policy-csp-storage.md
+++ b/windows/client-management/mdm/policy-csp-storage.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - Storage
@@ -64,6 +64,7 @@ If you disable or do not configure this policy setting, Windows will activate un
ADMX Info:
- GP english name: *Do not allow Windows to activate Enhanced Storage devices*
- GP name: *TCGSecurityActivationDisabled*
+- GP path: *System/Enhanced Storage Access*
- GP ADMX file name: *enhancedstorage.admx*
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md
index ac2270f86c..bd2ca894b5 100644
--- a/windows/client-management/mdm/policy-csp-system.md
+++ b/windows/client-management/mdm/policy-csp-system.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - System
@@ -548,6 +548,7 @@ Also, see the "Turn off System Restore configuration" policy setting. If the "Tu
ADMX Info:
- GP english name: *Turn off System Restore*
- GP name: *SR_DisableSR*
+- GP path: *System/System Restore*
- GP ADMX file name: *systemrestore.admx*
diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md
index a301e620e4..8f0523789d 100644
--- a/windows/client-management/mdm/policy-csp-textinput.md
+++ b/windows/client-management/mdm/policy-csp-textinput.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - TextInput
@@ -363,29 +363,6 @@ ms.date: 07/14/2017
**TextInput/AllowKoreanExtendedHanja**
-
-
This policy has been deprecated.
diff --git a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
index 1562806a3e..b7a99ac6a7 100644
--- a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
+++ b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - WindowsDefenderSecurityCenter
diff --git a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
index aea0a2de88..d196f035a8 100644
--- a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
+++ b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - WindowsInkWorkspace
diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md
index c0d3fb1bdc..cab3989529 100644
--- a/windows/client-management/mdm/policy-csp-windowslogon.md
+++ b/windows/client-management/mdm/policy-csp-windowslogon.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - WindowsLogon
@@ -64,6 +64,7 @@ If you disable or do not configure this policy setting, users can choose which a
ADMX Info:
- GP english name: *Turn off app notifications on the lock screen*
- GP name: *DisableLockScreenAppNotifications*
+- GP path: *System/Logon*
- GP ADMX file name: *logon.admx*
@@ -113,6 +114,7 @@ If you disable or don't configure this policy setting, any user can disconnect t
ADMX Info:
- GP english name: *Do not display network selection UI*
- GP name: *DontDisplayNetworkSelectionUI*
+- GP path: *System/Logon*
- GP ADMX file name: *logon.admx*
diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md
index 535bc242b7..3086c439d8 100644
--- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md
+++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/14/2017
+ms.date: 08/09/2017
---
# Policy CSP - WirelessDisplay
@@ -162,29 +162,6 @@ ms.date: 07/14/2017
**WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver**
-
-
-
-
Home
-
Pro
-
Business
-
Enterprise
-
Education
-
Mobile
-
Mobile Enterprise
-
-
-
-
2
-
2
-
2
-
2
-
2
-
2
-
-
-
-
Added in Windows 10, version 1703.
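Review bot: `WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver` is left with no edition applicability; with the table removed the entry reads only "Added in Windows 10, version 1703." Unlike the `TextInput/AllowKoreanExtendedHanja` hunk earlier in this diff, there is no "deprecated" statement to explain the removal. Either restore the edition table or add the reason it no longer applies.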
diff --git a/windows/client-management/mdm/understanding-admx-backed-policies.md b/windows/client-management/mdm/understanding-admx-backed-policies.md
index f4b6271552..a1cd701480 100644
--- a/windows/client-management/mdm/understanding-admx-backed-policies.md
+++ b/windows/client-management/mdm/understanding-admx-backed-policies.md
@@ -97,7 +97,7 @@ Appv.admx file:
## ADMX-backed policy examples
-The following SyncML examples describe how to set a MDM policy that is defined by an ADMX template, specifically the Publishing_Server2_Policy Group Policy description in the application virtualization ADMX file, appv.admx. Note that the functionality that this Group Policy manages is not important; it is used to illustrate only how an MDM ISV can set an ADMX-backed policy. These SyncML examples illustrate common options and the corresponding SyncML code that can be used for testing your policies. Note that the payload of the SyncML must be XML-encoded; for this XML encoding, you can use the [Coder’s Toolbox](http://coderstoolbox.net/string/#!encoding=xml&action=encode&charset=us_ascii) online tool. To avoid encoding the payload, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+The following SyncML examples describe how to set a MDM policy that is defined by an ADMX template, specifically the Publishing_Server2_Policy Group Policy description in the application virtualization ADMX file, appv.admx. Note that the functionality that this Group Policy manages is not important; it is used to illustrate only how an MDM ISV can set an ADMX-backed policy. These SyncML examples illustrate common options and the corresponding SyncML code that can be used for testing your policies. Note that the payload of the SyncML must be XML-encoded; for this XML encoding, you can use favorite online tool. To avoid encoding the payload, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
### Enabling a policy
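Review bot: "you can use favorite online tool" on the added line is missing "your", and the advice itself is worth reconsidering. SyncML payloads for ADMX-backed policies can carry internal server names and URLs, and pasting them into a third-party web page discloses that configuration. Suggest pointing readers to a local XML-escaping step or to the CDATA option the next sentence already mentions, and changing "a MDM policy" to "an MDM policy" while the line is being touched.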
@@ -119,7 +119,7 @@ The following SyncML examples describe how to set a MDM policy that is defined b
**Request SyncML**
```XML
-
+2
@@ -169,7 +169,7 @@ The following SyncML examples describe how to set a MDM policy that is defined b
**Request SyncML**
```XML
-
+2
@@ -209,7 +209,7 @@ The following SyncML examples describe how to set a MDM policy that is defined b
**Request SyncML**
```
-
+1
@@ -292,7 +292,7 @@ The `text` element simply corresponds to a string and correspondingly to an edit
```XML
-
+$CmdId$
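Review bot: the added line here is the literal token `$CmdId$`, while the other SyncML examples changed in this diff get a number (`2` or `1`) in the same position. In a block fenced as XML that reads as an unsubstituted template variable; replace it with a concrete value to match the other examples, or explain the placeholder in the text above the block.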
@@ -333,7 +333,7 @@ The `multiText` element simply corresponds to a REG_MULTISZ registry string and
```XML
-
+2
@@ -377,7 +377,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar
#### Corresponding SyncML:
```XML
-
+2
@@ -409,7 +409,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar
#### Corresponding SyncML:
```XML
-
+2
@@ -466,7 +466,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar
#### Corresponding SyncML:
```XML
-
+2
@@ -503,7 +503,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar
#### Corresponding SyncML:
```XML
-
+2
@@ -552,7 +552,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar
```XML
-
+2
diff --git a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 9c7505d906..2f2bd2b989 100644
--- a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -1690,6 +1690,9 @@ If you're running Windows 10, version 1607 or later, you only need to enable the
- **User Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off all Windows spotlight features**
+ > [!NOTE]
+ > This must be done within 15 minutes after Windows 10 is installed. Alternatively, you can create an image with this setting.
+
-or-
- Create a new REG\_DWORD registry setting in **HKEY\_CURRENT\_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableWindowsSpotlightFeatures**, with a value of 1 (one).
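Review bot: the 15-minute limit in the added note is ambiguous in scope. The note sits indented under the Group Policy bullet and before "-or-", so it reads as applying only to **Turn off all Windows spotlight features**, yet the registry alternative below sets the matching `DisableWindowsSpotlightFeatures` value. State whether the window applies to both options, and say what happens if it is missed, since "must be done within 15 minutes" gives an admin no way to tell whether a late setting is ignored or only partly effective.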
diff --git a/windows/configuration/start-layout-xml-desktop.md b/windows/configuration/start-layout-xml-desktop.md
index 0bf7db49e7..e203016bfa 100644
--- a/windows/configuration/start-layout-xml-desktop.md
+++ b/windows/configuration/start-layout-xml-desktop.md
@@ -191,7 +191,7 @@ You can use the **start:DesktopApplicationTile** tag to pin a Windows desktop ap
To pin a Windows desktop application through this method, you must set the **DesktopApplicationID** attribute to the application user model ID that's associated with the corresponding app.
- The following example shows how to pin the Internet Explorer Windows desktop application:
+ The following example shows how to pin the File Explorer Windows desktop application:
```XML
\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState` and replace those images with your customized images
+
>[!TIP]
>A quick method for getting appropriately sized images for each tile size is to upload your image at [BuildMyPinnedSite](http://www.buildmypinnedsite.com/) and then download the resized tile images.
diff --git a/windows/configuration/windows-spotlight.md b/windows/configuration/windows-spotlight.md
index 9a9b601234..f786f2f6ad 100644
--- a/windows/configuration/windows-spotlight.md
+++ b/windows/configuration/windows-spotlight.md
@@ -67,10 +67,6 @@ Windows Spotlight is enabled by default. Windows 10 provides Group Policy and mo
In addition to the specific policy settings for Windows Spotlight, administrators can replace Windows Spotlight with a selected image using the Group Policy setting **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**.
->[!WARNING]
-> In Windows 10, version 1607, the **Force a specific default lock screen image** policy setting will prevent users from changing the lock screen image. This behavior will be corrected in a future release.
->
-> In Windows 10, version 1703, the **Force a specific default lock screen image** policy setting applies only intermittently and may not produce expected results. This behavior will be corrected in a future release.

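Review bot: the removed warning documented version-specific behaviour of **Force a specific default lock screen image** in Windows 10, version 1607 and version 1703, and nothing replaces it. Admins still running those versions lose the only notice that the setting prevents users from changing the lock screen image or applies only intermittently. If the behaviour was fixed, replace the warning with a note naming the update that fixed it instead of deleting it.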
diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md
index e367ff26c8..4c6db249d6 100644
--- a/windows/deployment/TOC.md
+++ b/windows/deployment/TOC.md
@@ -3,9 +3,9 @@
## [What's new in Windows 10 deployment](deploy-whats-new.md)
## [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
-## [Windows 10 Enterprise Subscription Activation](windows-10-enterprise-subscription-activation.md)
+## [Windows 10 Subscription Activation](windows-10-enterprise-subscription-activation.md)
### [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md)
-### [Configure VDA for Enterprise Subscription Activation](vda-subscription-activation.md)
+### [Configure VDA for Subscription Activation](vda-subscription-activation.md)
### [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md)
## [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md)
@@ -14,19 +14,6 @@
### [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md)
### [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md)
-### [Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md)
-#### [Upgrade Readiness architecture](upgrade/upgrade-readiness-architecture.md)
-#### [Upgrade Readiness requirements](upgrade/upgrade-readiness-requirements.md)
-#### [Get started with Upgrade Readiness](upgrade/upgrade-readiness-get-started.md)
-##### [Upgrade Readiness deployment script](upgrade/upgrade-readiness-deployment-script.md)
-#### [Use Upgrade Readiness to manage Windows upgrades](upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md)
-##### [Upgrade overview](upgrade/upgrade-readiness-upgrade-overview.md)
-##### [Step 1: Identify apps](upgrade/upgrade-readiness-identify-apps.md)
-##### [Step 2: Resolve issues](upgrade/upgrade-readiness-resolve-issues.md)
-##### [Step 3: Deploy Windows](upgrade/upgrade-readiness-deploy-windows.md)
-##### [Additional insights](upgrade/upgrade-readiness-additional-insights.md)
-#### [Troubleshoot Upgrade Readiness](upgrade/troubleshoot-upgrade-readiness.md)
-
### [Windows 10 deployment test lab](windows-10-poc.md)
#### [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md)
#### [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md)
@@ -79,6 +66,7 @@
##### [Key features in MDT](deploy-windows-mdt/key-features-in-mdt.md)
##### [MDT Lite Touch components](deploy-windows-mdt/mdt-lite-touch-components.md)
##### [Prepare for deployment with MDT](deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md)
+
#### [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md)
#### [Deploy a Windows 10 image using MDT](deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md)
#### [Build a distributed environment for Windows 10 deployment](deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md)
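Review bot: the only change in this hunk is an empty line added after the **Prepare for deployment with MDT** entry, in the middle of the MDT section of the TOC. It looks unintentional; drop it unless the TOC build needs the break.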
@@ -217,9 +205,6 @@
### [Prepare servicing strategy for Windows 10 updates](update/waas-servicing-strategy-windows-10-updates.md)
### [Build deployment rings for Windows 10 updates](update/waas-deployment-rings-windows-10-updates.md)
### [Assign devices to servicing channels for Windows 10 updates](update/waas-servicing-channels-windows-10-updates.md)
-### [Monitor Windows Updates with Update Compliance](update/update-compliance-monitor.md)
-#### [Get started with Update Compliance](update/update-compliance-get-started.md)
-#### [Use Update Compliance](update/update-compliance-using.md)
### [Optimize Windows 10 update delivery](update/waas-optimize-windows-10-updates.md)
#### [Configure Delivery Optimization for Windows 10 updates](update/waas-delivery-optimization.md)
#### [Configure BranchCache for Windows 10 updates](update/waas-branchcache.md)
diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md
index 6881363aa1..40f279e10f 100644
--- a/windows/deployment/deploy-enterprise-licenses.md
+++ b/windows/deployment/deploy-enterprise-licenses.md
@@ -91,6 +91,9 @@ Now the device is Azure AD joined to the company’s subscription.
**To join a device to Azure AD when the device already has Windows 10 Pro, version 1703 installed and set up**
+>[!IMPORTANT]
+>Make sure that the user you're signing in with is **not** a BUILTIN/Administrator. That user cannot use the `+ Connect` button to join a work or school account.
+
1. Go to **Settings > Accounts > Access work or school**, as illustrated in **Figure 5**.
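Review bot: "a BUILTIN/Administrator" in the added note is ambiguous and uses a forward slash where Windows account names use a backslash. Say whether this means the built-in Administrator account or any member of the `BUILTIN\Administrators` group, since those are very different populations, and tell the reader which kind of account to sign in with instead.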
diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
index c6d38e7d4d..e5e8d59bf7 100644
--- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
+++ b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
@@ -329,7 +329,7 @@ The steps below walk you through the process of editing the Windows 10 referenc
5. State Restore / Custom Tasks (Pre-Windows Update). Add a new Install Roles and Features action with the following settings:
1. Name: Install - Microsoft NET Framework 3.5.1
- 2. Select the operating system for which roles are to be installed: Windows 8.1
+ 2. Select the operating system for which roles are to be installed: Windows 10
3. Select the roles and features that should be installed: .NET Framework 3.5 (includes .NET 2.0 and 3.0)
**Important**
@@ -471,7 +471,7 @@ In MDT, the x86 boot image can deploy both x86 and x64 operating systems (except
### Update the deployment share
-After the deployment share has been configured, it needs to be updated. This is the process when the Windows Windows PE boot images are created.
+After the deployment share has been configured, it needs to be updated. This is the process when the Windows PE boot images are created.
1. Using the Deployment Workbench, right-click the **MDT Build Lab deployment share** and select **Update Deployment Share**.
2. Use the default options for the Update Deployment Share Wizard.
@@ -566,7 +566,7 @@ SkipFinalSummary=YES
The easiest way to find the current time zone name on a Windows 10 machine is to run tzutil /g in a command prompt. You can also run tzutil /l to get a listing of all available time zone names.
- **JoinWorkgroup.** Configures Windows to join a workgroup.
-- **HideShell.** Hides the Windows Shell during deployment. This is especially useful for Windows 8.1 deployments in which the deployment wizard will otherwise appear behind the tiles.
+- **HideShell.** Hides the Windows Shell during deployment. This is especially useful for Windows 10 deployments in which the deployment wizard will otherwise appear behind the tiles.
- **FinishAction.** Instructs MDT what to do when the task sequence is complete.
- **DoNotCreateExtraPartition.** Configures the task sequence not to create the extra partition for BitLocker. There is no need to do this for your reference image.
- **WSUSServer.** Specifies which Windows Server Update Services (WSUS) server (and port, if needed) to use during the deployment. Without this option MDT will use Microsoft Update directly, which will increase deployment time and limit your options of controlling which updates are applied.
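Review bot: the rationale kept on the **HideShell** line, "the deployment wizard will otherwise appear behind the tiles", was written for Windows 8.1 and may not hold now that the line says Windows 10. Confirm the behaviour on Windows 10 and reword the reason if it differs. The same check applies to the "Windows 8.1" to "Windows 10" change in the Install Roles and Features step earlier in this file, where the text should match the option the MDT dialog actually offers.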
diff --git a/windows/deployment/index.md b/windows/deployment/index.md
index 0c8e252f29..7d139ec69e 100644
--- a/windows/deployment/index.md
+++ b/windows/deployment/index.md
@@ -17,7 +17,7 @@ Learn about deployment in Windows 10 for IT professionals. This includes deploy
|------|------------|
|[What's new in Windows 10 deployment](deploy-whats-new.md) |See this topic for a summary of new features and some recent changes related to deploying Windows 10 in your organization. |
|[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) |To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task. |
-|[Windows 10 Enterprise Activation Subscription](windows-10-enterprise-activation-subscription.md) |Windows 10 Enterprise has traditionally been sold as on premises software, however, with Windows 10 version 1703 (also known as the Creator’s Update), both Windows 10 Enterprise E3 and Windows 10 Enterprise E5 are available as true online services via subscription. You can move from Windows 10 Pro to Windows 10 Enterprise with no keys and no reboots. If you are using a Cloud Service Providers (CSP) see the related topic: [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md). |
+|[Windows 10 Subscription Activation](windows-10-enterprise-subscription-activation.md) |Windows 10 Enterprise has traditionally been sold as on premises software, however, with Windows 10 version 1703 (also known as the Creator’s Update), both Windows 10 Enterprise E3 and Windows 10 Enterprise E5 are available as true online services via subscription. You can move from Windows 10 Pro to Windows 10 Enterprise with no keys and no reboots. If you are using a Cloud Service Providers (CSP) see the related topic: [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md). |
|[Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) |This topic provides a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. |
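Review bot: In the rewritten row, "If you are using a Cloud Service Providers (CSP)" is carried over unchanged; it should be singular, and its expansion differs from "cloud solution provider (CSP)" used in windows-10-enterprise-subscription-activation.md later in this patch. Pick one expansion of CSP and use it in both places.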
diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md
index 1be2149594..2619584ebd 100644
--- a/windows/deployment/update/update-compliance-monitor.md
+++ b/windows/deployment/update/update-compliance-monitor.md
@@ -33,6 +33,8 @@ See the following topics in this guide for detailed information about configurin
- [Get started with Update Compliance](update-compliance-get-started.md): How to add Update Compliance to your environment.
- [Using Update Compliance](update-compliance-using.md): How to begin using Update Compliance.
+
+
An overview of the processes used by the Update Compliance solution is provided below.
## Update Compliance architecture
diff --git a/windows/deployment/upgrade/upgrade-readiness-get-started.md b/windows/deployment/upgrade/upgrade-readiness-get-started.md
index 937be3b7e3..8681080388 100644
--- a/windows/deployment/upgrade/upgrade-readiness-get-started.md
+++ b/windows/deployment/upgrade/upgrade-readiness-get-started.md
@@ -138,7 +138,7 @@ To ensure that user computers are receiving the most up to date data from Micros
- Schedule the Upgrade Readiness deployment script to automatically run so that you don’t have to manually initiate an inventory scan each time the compatibility update KBs are updated.
- Schedule monthly user computer scans to view monthly active computer and usage information.
->When you run the deployment script, it initiates a full scan. The daily scheduled task to capture the deltas are created when the update package is installed. A full scan averages to about 2 MB, but the delta scans are very small. For Windows 10 devices, its already part of the OS. This is the **Windows Compat Appraiser** task. Deltas are invoked via the nightly scheduled task. It attempts to run around 3AM, but if system is off at that time, the task will run when the system is turned on.
+>When you run the deployment script, it initiates a full scan. The daily scheduled task to capture the deltas is created when the update package is installed. For Windows 10 devices, it's already part of the OS. A full scan averages about 2 MB, but the delta scans are very small. The scheduled task is named **Windows Compatibility Appraiser** and can be found in the Task Scheduler Library under Microsoft > Windows > Application Experience. Deltas are invoked via the nightly scheduled task. It attempts to run around 3:00AM every day. If the system is powered off at that time, the task will run when the system is turned on.
### Distribute the deployment script at scale
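Review bot: The new note names the scheduled task **Windows Compatibility Appraiser**, where the old text said **Windows Compat Appraiser**; readers will search Task Scheduler for this string, so please confirm it matches the task name shown under Microsoft > Windows > Application Experience exactly. Also write "3:00 AM" with a space.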
diff --git a/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md b/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md
index bbbb2a155d..860f86c5bb 100644
--- a/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md
+++ b/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md
@@ -9,7 +9,7 @@ author: greg-lindsay
The first blade in the Upgrade Readiness solution is the upgrade overview blade. This blade displays the total count of computers sharing data with Microsoft, and the count of computers upgraded. As you successfully upgrade computers, the count of computers upgraded increases.
-The upgrade overivew blade displays data refresh status, including the date and time of the most recent data update and whether user changes are reflected. The upgrade overview blade also displays the current target OS version. For more information about the target OS version, see [target version](use-upgrade-readiness-to-manage-windows-upgrades.md).
+The upgrade overivew blade displays data refresh status, including the date and time of the most recent data update and whether user changes are reflected. The upgrade overview blade also displays the current target OS version. For more information about the target OS version, see [target version](use-upgrade-readiness-to-manage-windows-upgrades.md#target-version).
The following color-coded status changes are reflected on the upgrade overview blade:
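Review bot: The replacement line still contains the typo "upgrade overivew blade" in its first sentence; since the line is already being touched for the #target-version anchor, fix it to "overview" in the same change.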
@@ -32,7 +32,7 @@ The following color-coded status changes are reflected on the upgrade overview b
- If the current value is an older OS version than the recommended value, but not deprecated, the version is displayed in amber.
- If the current value is a deprecated OS version, the version is displayed in red.
-Click on a row to drill down and see details about individual computers. If KBs are missing, see [Deploy the compatibility update and related KBs](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#deploy-the-compatibility-update-and-related-kbs) for information on required KBs.
+Click on a row to drill down and see details about individual computers. If KBs are missing, see [Deploy the compatibility update and related KBs](upgrade-readiness-get-started.md#deploy-the-compatibility-update-and-related-kbs) for information on required KBs.
In the following example, there is no delay in data processing, less than 4% of computers (6k\294k) have incomplete data, there are no pending user changes, and the currently selected target OS version is the same as the recommended version:
@@ -65,4 +65,4 @@ Select **Total applications** for a list of applications discovered on user comp
- Percentage of computers in your total computer inventory that opened the application in the past 30 days
- Issues detected, if any
- Upgrade assessment based on analysis of application data
-- Rollup level
\ No newline at end of file
+- Rollup level
diff --git a/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md b/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md
index 85acab5a0a..807cd59c14 100644
--- a/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md
+++ b/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md
@@ -41,7 +41,7 @@ As mentioned previously, the default target version in Upgrade Readiness is set
The number displayed under **Computers upgraded** in the Upgrade Overview blade is the total number of computers that are already running the same or a later version of Windows compared to the target version. It also is used in the evaluation of apps and drivers: Known issues and guidance for the apps and drivers in Upgrade Readiness is based on the target operating system version.
-You now have the ability to change the Windows 10 version you wish to target. The available options currently are: Windows 10 version 1507, Windows 10 version 1511, and Windows version 1607.
+You now have the ability to change the Windows 10 version you wish to target. The available options currently are: Windows 10 version 1507, Windows 10 version 1511, Windows 10 version 1607, and Windows 10 version 1703.
To change the target version setting, click on **Solutions Settings**, which appears at the top when you open you Upgrade Readiness solution:
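Review bot: The context line right after the changed sentence reads "when you open you Upgrade Readiness solution"; "you" should be "your", and it is worth fixing alongside this edit. The enumerated version list will also need another edit with each release, so consider pointing readers to the options shown in **Solutions Settings** instead.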
diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md
index 9992df19fc..8d3a787f3c 100644
--- a/windows/deployment/vda-subscription-activation.md
+++ b/windows/deployment/vda-subscription-activation.md
@@ -1,5 +1,5 @@
---
-title: Configure VDA for Enterprise Subscription Activation
+title: Configure VDA for Windows 10 Subscription Activation
description: How to enable Windows 10 Enterprise E3 and E5 subscriptions for VDA
keywords: upgrade, update, task sequence, deploy
ms.prod: w10
@@ -10,9 +10,9 @@ ms.pagetype: mdt
author: greg-lindsay
---
-# Configure VDA for Enterprise Subscription Activation
+# Configure VDA for Windows 10 Subscription Activation
-This document describes how to configure virtual machines (VMs) to enable [Windows 10 Enterprise Subscription Activation](windows-10-enterprise-subscription-activation.md) in a Windows Virtual Desktop Access (VDA) scenario. Windows VDA is a device or user-based license.
+This document describes how to configure virtual machines (VMs) to enable [Windows 10 Subscription Activation](windows-10-enterprise-subscription-activation.md) in a Windows Virtual Desktop Access (VDA) scenario. Windows VDA is a device or user-based licensing mechanism for managing access to virtual desktops.
## Requirements
@@ -82,7 +82,7 @@ To create custom RDP settings for Azure:
## Related topics
-[Windows 10 Enterprise Subscription Activation](windows-10-enterprise-subscription-activation.md)
+[Windows 10 Subscription Activation](windows-10-enterprise-subscription-activation.md)
[Recommended settings for VDI desktops](https://docs.microsoft.com/windows-server/remote/remote-desktop-services/rds-vdi-recommendations)
[Licensing the Windows Desktop for VDI Environments](http://download.microsoft.com/download/1/1/4/114A45DD-A1F7-4910-81FD-6CAF401077D0/Microsoft%20VDI%20and%20VDA%20FAQ%20v3%200.pdf)
diff --git a/windows/deployment/windows-10-enterprise-subscription-activation.md b/windows/deployment/windows-10-enterprise-subscription-activation.md
index 4df11b541b..8e9912ed68 100644
--- a/windows/deployment/windows-10-enterprise-subscription-activation.md
+++ b/windows/deployment/windows-10-enterprise-subscription-activation.md
@@ -1,5 +1,5 @@
---
-title: Windows 10 Enterprise Subscription Activation
+title: Windows 10 Subscription Activation
description: How to enable Windows 10 Enterprise E3 and E5 subscriptions
keywords: upgrade, update, task sequence, deploy
ms.prod: w10
@@ -10,7 +10,7 @@ ms.pagetype: mdt
author: greg-lindsay
---
-# Windows 10 Enterprise Subscription Activation
+# Windows 10 Subscription Activation
With Windows 10 version 1703 (also known as the Creator’s Update), both Windows 10 Enterprise E3 and Windows 10 Enterprise E5 are available as online services via subscription. Deploying [Windows 10 Enterprise](planning/windows-10-enterprise-faq-itpro.md) in your organization can now be accomplished with no keys and no reboots.
@@ -25,7 +25,7 @@ See the following topics in this article:
- [Requirements](#requirements): Prerequisites to use the Windows 10 Enterprise subscription model.
- [Benefits](#benefits): Advantages of Windows 10 Enterprise + subscription-based licensing.
- [How it works](#how-it-works): A summary of the subscription-based licensing option.
-- [Virtual Desktop Access (VDA)](#virtual-desktop-access-vda): Enable Windows 10 Enterprise Subscription Activation for VMs in the cloud.
+- [Virtual Desktop Access (VDA)](#virtual-desktop-access-vda): Enable Windows 10 Subscription Activation for VMs in the cloud.
For information on how to deploy Windows 10 Enterprise licenses, see [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md).
@@ -37,7 +37,7 @@ For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products &
- Azure Active Directory (Azure AD) available for identity management
- Devices must be Azure AD-joined or Active Directory joined with Azure AD Connect. Workgroup-joined devices are not supported.
-For Microsoft customers that do not have EA or MPSA, you can obtain Windows 10 Enterprise E3 or E5 through a cloud solution provider (CSP). Identity management and device equirements are the same when you use CSP to manage licenses, with the exception that Windows 10 Enterprise E3 is also available through CSP to devices running Windows 10, version 1607. For more information about obtaining Windows 10 Enterprise E3 through your CSP, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md).
+For Microsoft customers that do not have EA or MPSA, you can obtain Windows 10 Enterprise E3 or E5 through a cloud solution provider (CSP). Identity management and device requirements are the same when you use CSP to manage licenses, with the exception that Windows 10 Enterprise E3 is also available through CSP to devices running Windows 10, version 1607. For more information about obtaining Windows 10 Enterprise E3 through your CSP, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md).
If devices are running Windows 7 or Windows 8.1, see [New Windows 10 upgrade benefits for Windows Cloud Subscriptions in CSP](https://blogs.windows.com/business/2017/01/19/new-windows-10-upgrade-benefits-windows-cloud-subscriptions-csp/)
@@ -118,7 +118,7 @@ See [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md).
Subscriptions to Windows 10 Enterprise are also available for virtualized clients. Windows 10 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [qualified multitenant hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx).
-Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Azure Active Directory-joined clients are supported. See [Enable VDA for Enterprise Subscription Activation](vda-subscription-activation.md).
+Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Azure Active Directory-joined clients are supported. See [Enable VDA for Subscription Activation](vda-subscription-activation.md).
## Related topics
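Review bot: The new link text "Enable VDA for Subscription Activation" does not match the target's title, which this patch sets to "Configure VDA for Windows 10 Subscription Activation" in vda-subscription-activation.md. Use the same title here so the cross-reference and the page heading agree.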
diff --git a/windows/device-security/TOC.md b/windows/device-security/TOC.md
index ddd4bb48f1..6895c3208e 100644
--- a/windows/device-security/TOC.md
+++ b/windows/device-security/TOC.md
@@ -94,6 +94,7 @@
### [Prepare your organization for BitLocker: Planning and policies](bitlocker\prepare-your-organization-for-bitlocker-planning-and-policies.md)
### [BitLocker basic deployment](bitlocker\bitlocker-basic-deployment.md)
### [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker\bitlocker-how-to-deploy-on-windows-server.md)
+### [BitLocker: Management recommendations for enterprises](bitlocker\bitlocker-management-for-enterprises.md)
### [BitLocker: How to enable Network Unlock](bitlocker\bitlocker-how-to-enable-network-unlock.md)
### [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker\bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)
### [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker\bitlocker-use-bitlocker-recovery-password-viewer.md)
diff --git a/windows/device-security/bitlocker/bitlocker-frequently-asked-questions.md b/windows/device-security/bitlocker/bitlocker-frequently-asked-questions.md
index 68cc89fe05..af3bab22cc 100644
--- a/windows/device-security/bitlocker/bitlocker-frequently-asked-questions.md
+++ b/windows/device-security/bitlocker/bitlocker-frequently-asked-questions.md
@@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.localizationpriority: high
+localizationpriority: high
author: brianlic-msft
---
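Review bot: Renaming `ms.localizationpriority` to `localizationpriority` leaves this as the only front-matter key in the block without the `ms.` prefix (ms.prod, ms.mktglfcycl, ms.sitesec and ms.pagetype keep it). Please confirm the publishing system reads the unprefixed key; if it does not, the priority setting is lost without any error.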
@@ -189,6 +189,12 @@ You can use the Manage-bde.exe command-line tool to replace your TPM-only authen
`manage-bde –protectors –add %systemdrive% -tpmandpin <4-20 digit numeric PIN>`
+
+### When should an additional method of authentication be considered?
+
+New hardware that meets [Windows Hardware Compatibility Program](https://docs.microsoft.com/windows-hardware/design/compatibility/) requirements make a PIN less critical as a mitigation, and having a TPM-only protector is likely sufficient when combined with policies like device lockout. For example, Surface Pro and Surface Book do not have external DMA ports to attack.
+For older hardware, where a PIN may be needed, it’s recommended to enable [enhanced PINs](bitlocker-group-policy-settings.md#bkmk-unlockpol2) that allow non-numeric characters such as letters and punctuation marks, and to set the PIN length based on your risk tolerance and the hardware anti-hammering capabilities available to the TPMs in your computers.
+
### If I lose my recovery information, will the BitLocker-protected data be unrecoverable?
BitLocker is designed to make the encrypted drive unrecoverable without the required authentication. When in recovery mode, the user needs the recovery password or recovery key to unlock the encrypted drive.
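Review bot: The new answer never says what threat the PIN is mitigating, so "Surface Pro and Surface Book do not have external DMA ports to attack" arrives without context; add a sentence stating that the PIN is being weighed as a mitigation against attacks such as those over external DMA ports. Also, the subject of the first sentence is "New hardware", so "make" should be "makes", and the two added paragraphs need a blank line between them or they render as one.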
@@ -395,6 +401,11 @@ Yes. However, shadow copies made prior to enabling BitLocker will be automatical
BitLocker is not supported on bootable VHDs, but BitLocker is supported on data volume VHDs, such as those used by clusters, if you are running Windows 10, Windows 8.1, Windows 8, Windows Server 2012, or Windows Server 2012 R2.
+### Can I use BitLocker with virtual machines (VMs)?
+
+Yes. Password protectors and virtual TPMs can be used with BitLocker to protect virtual machines. VMs can be domain joined, Azure AD-joined, or workplace-joined (in **Settings** under **Accounts** > **Access work or school** > **Connect to work or school** to receive policy. You can enable encryption either while creating the VM or by using other existing management tools such as the BitLocker CSP, or even by using a startup script or logon script delivered by Group Policy. Windows Server 2016 also supports [Shielded VMs and guarded fabric](https://docs.microsoft.com/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node) to protect VMs from malicious administrators.
+
+
## More information
- [Prepare your organization for BitLocker: Planning and Policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
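Review bot: The parenthesis opened at "(in **Settings** under **Accounts**" is never closed; close it after "**Connect to work or school**" so that "to receive policy" attaches to the three join types rather than to the Settings path. The following sentence lists four ways to enable encryption in one run and would read better as a short list.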
diff --git a/windows/device-security/bitlocker/bitlocker-management-for-enterprises.md b/windows/device-security/bitlocker/bitlocker-management-for-enterprises.md
new file mode 100644
index 0000000000..e8a02af1fd
--- /dev/null
+++ b/windows/device-security/bitlocker/bitlocker-management-for-enterprises.md
@@ -0,0 +1,185 @@
+---
+title: BitLocker Management Recommendations for Enterprises (Windows 10)
+description: This topic explains recommendations for managing BitLocker.
+ms.assetid: 40526fcc-3e0d-4d75-90e0-c7d0615f33b2
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: brianlic-msft
+---
+
+# BitLocker Management Recommendations for Enterprises
+
+This topic explains recommendations for managing BitLocker, both on-premises using older hardware and cloud-based management of modern devices.
+
+## Forward-looking recommendations for managing BitLocker
+
+The ideal for modern BitLocker management is to eliminate the need for IT admins to set management policies using tools or other mechanisms by having Windows perform tasks that it is more practical to automate. This vision leverages modern hardware developments. The growth of TPM 2.0, Secure Boot, and other hardware improvements, for example, has helped to alleviate the support burden on the helpdesk, and we are seeing a consequent decrease in support call volumes, yielding improved user satisfaction.
+
+Therefore, we recommend that you upgrade your hardware so that your devices comply with InstantGo or [Hardware Security Test Interface (HSTI)](https://msdn.microsoft.com/library/windows/hardware/mt712332.aspx) specifications to take advantage of their automated features, for example, when using Azure Active Directory (Azure AD).
+
+Though much Windows BitLocker [documentation](bitlocker-overview.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. This article links to relevant documentation, products, and services to help answer this and other related frequently-asked questions, and also provides BitLocker recommendations for:
+
+ - [Domain-joined computers](#dom_join)
+
+ - [Devices joined to Azure Active Directory (Azure AD)](#azure_ad)
+
+ - [Workplace-joined PCs and Phones](#work_join)
+
+ - [Servers](#servers)
+
+ - [Scripts](#powershell)
+
+
+
+## BitLocker management at a glance
+
+| | PC – Old Hardware | PC – New* Hardware |[Servers](#servers)/[VMs](#VMs) | Phone
+|---|---|----|---|---|
+|On-premises Domain-joined |[MBAM](#MBAM25)| [MBAM](#MBAM25) | [Scripts](#powershell) |N/A|
+|Cloud-managed|[MDM](#MDM) |Auto-encryption|[Scripts](#powershell)|[MDM](#MDM)/EAS|
+
+
+*PC hardware that supports InstantGo or HSTI
+
+
+
+
+
+## Recommendations for domain-joined computers
+
+Windows continues to be the focus for new features and improvements for built-in encryption management, for example, automatically enabling encryption on devices that support InstantGo beginning with Windows 8.1. For more information, see [Overview of BitLocker and device encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md#device-encryption).
+
+Companies that image their own computers using Microsoft System Center 2012 Configuration Manager SP1 (SCCM) or later can use an existing task sequence to [pre-provision BitLocker](https://technet.microsoft.com/library/hh846237.aspx#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](https://technet.microsoft.com/library/hh846237.aspx#BKMK_EnableBitLocker). This can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use SCCM to pre-set any desired [BitLocker Group Policy](https://technet.microsoft.com/library/ee706521(v=ws.10).aspx).
+
+For older client computers with BitLocker that are domain joined on-premises, Microsoft BitLocker Administration and Management[1] (MBAM) remains the best way to manage BitLocker. MBAM continues to be maintained and receives security patches. Using MBAM provides the following functionality:
+
+- Encrypts device with BitLocker using MBAM
+- Stores BitLocker Recovery keys in MBAM Server
+- Provides Recovery key access to end-user, helpdesk and advanced helpdesk
+- Provides Reporting on Compliance and Recovery key access audit
+
+
+[1]The latest MBAM version is [MBAM 2.5](https://technet.microsoft.com/windows/hh826072.aspx) with Service Pack 1 (SP1).
+
+
+
+
+## Recommendations for devices joined to Azure Active Directory
+
+
+
+Devices joined to Azure Active Directory (Azure AD) are managed using Mobile Device Management (MDM) policy such as [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). Device encryption status can be queried from managed machines via the [Policy Configuration Settings Provider](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) (CSP), which reports on whether BitLocker device encryption is enabled on the device. Compliance with device encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access) to services like Exchange Online and SharePoint Online.
+
+Starting with Windows 10 version 1703 (also known as the Windows Creators Update), the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) or the [Bitlocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 10 Business or Enterprise editions and on Windows Phones.
+
+For hardware that is compliant with InstantGo and HSTI, when using either of these features, device encryption is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if required. For older devices that are not yet encrypted, beginning with Windows 10 version 1703 (the Windows 10 Creators Update), admins can use the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) to trigger encryption and store the recovery key in Azure AD.
+
+
+
+## Workplace-joined PCs and phones
+
+For Windows PCs and Windows Phones that enroll using **Connect to work or school account**, BitLocker device encryption is managed over MDM, and similarly for Azure AD domain join.
+
+
+
+## Recommendations for servers
+
+Servers are often installed, configured, and deployed using PowerShell, so the recommendation is to also use [PowerShell to enable BitLocker on a server](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#a-href-idbkmk-blcmdletsabitlocker-cmdlets-for-windows-powershell), ideally as part of the initial setup. BitLocker is an Optional Component (OC) in Windows Server, so follow the directions in [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker-how-to-deploy-on-windows-server.md) to add the BitLocker OC.
+
+The Minimal Server Interface is a prerequisite for some of the BitLocker administration tools. On a [Server Core](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-core) installation, you must add the necessary GUI components first. The steps to add shell components to Server Core are described in [Using Features on Demand with Updated Systems and Patched Images](https://blogs.technet.microsoft.com/server_core/2012/11/05/using-features-on-demand-with-updated-systems-and-patched-images/) and [How to update local source media to add roles and features](https://blogs.technet.microsoft.com/joscon/2012/11/14/how-to-update-local-source-media-to-add-roles-and-features/).
+
+If you are installing a server manually, such as a stand-alone server, then choosing [Server with Desktop Experience](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-with-desktop-experience) is the easiest path because you can avoid performing the steps to add a GUI to Server Core.
+
+ Additionally, lights out data centers can take advantage of the enhanced security of a second factor while avoiding the need for user intervention during reboots by optionally using a combination of BitLocker (TPM+PIN) and BitLocker Network Unlock. BitLocker Network Unlock brings together the best of hardware protection, location dependence, and automatic unlock, while in the trusted location. For the configuration steps, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md).
+
+ For more information, see the Bitlocker FAQs article and other useful links in [Related Articles](#articles).
+
+
+
+## PowerShell examples
+
+For Azure AD-joined computers, including virtual machines, the recovery password should be stored in Azure Active Directory.
+
+*Example: Use PowerShell to add a recovery password and back it up to Azure AD before enabling BitLocker*
+```
+PS C:\>Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
+
+PS C:\>$BLV = Get-BitLockerVolume -MountPoint "C:”
+
+PS C:\>BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId
+```
+For domain-joined computers, including servers, the recovery password should be stored in Active Directory Domain Services (AD DS).
+
+*Example: Use PowerShell to add a recovery password and back it up to AD DS before enabling BitLocker*
+```
+PS C:\>Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
+
+PS C:\>$BLV = Get-BitLockerVolume -MountPoint "C:”
+
+PS C:\>Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId
+ ```
+
+Subsequently, you can use PowerShell to enable BitLocker.
+
+*Example: Use PowerShell to enable BitLocker with a TPM protector*
+ ```
+PS C:\>Enable-BitLocker -MountPoint "D:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector
+ ```
+*Example: Use PowerShell to enable BitLocker with a TPM+PIN protector, in this case with a PIN set to 123456*
+ ```
+PS C:\>$SecureString = ConvertTo-SecureString "123456" -AsPlainText -Force
+
+PS C:\> Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -Pin $SecureString -TPMandPinProtector
+ ```
+
+
+
+## Related Articles
+
+[Bitlocker: FAQs](bitlocker-frequently-asked-questions.md)
+
+[Microsoft BitLocker Administration and Management (MBAM)](https://technet.microsoft.com/windows/hh826072.aspx)
+
+[Overview of BitLocker and automatic encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md#device-encryption)
+
+[System Center 2012 Configuration Manager SP1](https://technet.microsoft.com/library/hh846237.aspx#BKMK_PreProvisionBitLocker) *(Pre-provision BitLocker task sequence)*
+
+[Enable BitLocker task sequence](https://technet.microsoft.com/library/hh846237.aspx#BKMK_EnableBitLocker)
+
+[BitLocker Group Policy Reference](https://technet.microsoft.com/library/ee706521(v=ws.10).aspx)
+
+[Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune)
+*(Overview)*
+
+[Configuration Settings Providers](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider)
+*(Policy CSP: See [Security-RequireDeviceEncryption](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-security#security-policies))*
+
+[BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp)
+
+
+
+**Windows Server setup tools**
+
+[Windows Server Installation Options](https://technet.microsoft.com/library/hh831786(v=ws.11).aspx)
+
+[How to update local source media to add roles and features](https://blogs.technet.microsoft.com/joscon/2012/11/14/how-to-update-local-source-media-to-add-roles-and-features/)
+
+[How to add or remove optional components on Server Core](https://blogs.technet.microsoft.com/server_core/2012/11/05/using-features-on-demand-with-updated-systems-and-patched-images/) *(Features on Demand)*
+
+[BitLocker: How to deploy on Windows Server 2012 and newer](bitlocker-how-to-deploy-on-windows-server.md)
+
+[BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
+
+[Shielded VMs and Guarded Fabric](https://blogs.technet.microsoft.com/windowsserver/2016/05/10/a-closer-look-at-shielded-vms-in-windows-server-2016/)
+
+
+
+
+**Powershell**
+
+[BitLocker cmdlets for Windows PowerShell](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#a-href-idbkmk-blcmdletsabitlocker-cmdlets-for-windows-powershell)
+
+[Surface Pro Specifications](https://www.microsoft.com/surface/support/surface-pro-specs)
\ No newline at end of file
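Review bot: The sample `ConvertTo-SecureString "123456" -AsPlainText -Force` puts a sequential six-digit PIN in plain text on the command line, and documentation samples tend to be copied verbatim into provisioning scripts. Suggest prompting for the PIN with `Read-Host -AsSecureString`, or using an obvious placeholder value and saying it is for illustration only. Smaller points in the same hunk: the closing code fence has a leading space, "Bitlocker: FAQs" and "Powershell" should read "BitLocker" and "PowerShell", the Surface Pro Specifications link sits under the PowerShell heading where it does not belong, and the file ends without a trailing newline.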
diff --git a/windows/device-security/change-history-for-device-security.md b/windows/device-security/change-history-for-device-security.md
index b87d0626c3..cb46edf710 100644
--- a/windows/device-security/change-history-for-device-security.md
+++ b/windows/device-security/change-history-for-device-security.md
@@ -11,10 +11,17 @@ author: brianlic-msft
# Change history for device security
This topic lists new and updated topics in the [Device security](index.md) documentation.
+## August 2017
+|New or changed topic |Description |
+|---------------------|------------|
+| [BitLocker: Management recommendations for enterprises](bitlocker/bitlocker-management-for-enterprises.md) | New BitLocker security topic. |
+| [Accounts: Block Microsoft accounts](security-policy-settings/accounts-block-microsoft-accounts.md) | Revised description |
+
+
## July 2017
|New or changed topic |Description |
|---------------------|------------|
- | [How Windows 10 uses the Trusted Platform Module](tpm/how-windows-uses-the-tpm.md) | New TPM security topic. |
+| [How Windows 10 uses the Trusted Platform Module](tpm/how-windows-uses-the-tpm.md) | New TPM security topic. |
## May 2017
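Review bot: The August 2017 table lists only two topics, but this same patch also edits `device-guard/deploy-code-integrity-policies-steps.md` (a new entry in the recommended block list) and `tpm/trusted-platform-module-services-group-policy-settings.md` (a restructured section). If those count as changed topics, add rows for them so the change history matches the commit. "Revised description" is also missing the trailing period used by the other rows.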
diff --git a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md
index 6b3f009321..390575abd4 100644
--- a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md
+++ b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md
@@ -46,6 +46,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
- mshta.exe
- ntsd.exe
- rcsi.exe
+- SyncAppVPublishingServer.exe
- system.management.automation.dll
- windbg.exe
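Review bot: `SyncAppVPublishingServer.exe` is added to the prose list here, but the two later hunks under "Microsoft recommends that you block the following Microsoft-signed applications" show only an empty added line in this view. Please confirm the sample policy gains a matching deny rule for this binary in both places; a reader who copies the policy rather than the list would otherwise not block it.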
@@ -64,6 +65,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
|Matt Nelson | @enigma0x3|
|Oddvar Moe |@Oddvarmoe|
|Alex Ionescu | @aionescu|
+|Nick Landers | @monoxgas|
@@ -116,6 +118,7 @@ Microsoft recommends that you block the following Microsoft-signed applications
+
@@ -184,6 +187,7 @@ Microsoft recommends that you block the following Microsoft-signed applications
+
diff --git a/windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md b/windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md
index fcd0f46670..f5754dfb28 100644
--- a/windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md
+++ b/windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md
@@ -10,7 +10,7 @@ author: mdsakibMSFT
# Deploy Managed Installer for Device Guard
-Creating and maintaining application execution control policies has always been challenging and options for addressing this has been a frequently cited request for customers of AppLocker and Device Guard’s [configurable code integrity (CI)](device-guard-deployment-guide.md).
+Creating and maintaining application execution control policies has always been challenging, and finding ways to address this issue has been a frequently-cited request for customers of AppLocker and Device Guard [configurable code integrity (CI)](device-guard-deployment-guide.md).
This is especially true for enterprises with large, ever changing software catalogs.
Windows 10, version 1703 (also known as the Windows 10 Creators Update) provides a new option, known as a managed installer, that allows IT administrators to automatically authorize applications deployed and installed by a designated software distribution solution, such as System Center Configuration Manager.
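Review bot: In the rewritten opening sentence, "frequently-cited" should not be hyphenated (no hyphen after an "-ly" adverb), and "this issue" has no clear antecedent since the sentence names a difficulty rather than an issue; "finding ways to make this easier" would read more directly. While touching this paragraph, the unchanged next line's "ever changing software catalogs" should be "ever-changing".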
diff --git a/windows/device-security/security-policy-settings/accounts-block-microsoft-accounts.md b/windows/device-security/security-policy-settings/accounts-block-microsoft-accounts.md
index cc479c5bc2..b2a0c2025c 100644
--- a/windows/device-security/security-policy-settings/accounts-block-microsoft-accounts.md
+++ b/windows/device-security/security-policy-settings/accounts-block-microsoft-accounts.md
@@ -18,11 +18,13 @@ Describes the best practices, location, values, management, and security conside
## Reference
-This policy setting prevents users from adding new Microsoft accounts on a device.
+This setting prevents using the **Settings** app to add a Microsoft account for single sign-on (SSO) authentication for Microsoft services and some background services, or using a Microsoft account for single sign-on to other applications or services.
-If you click the **Users can’t add Microsoft accounts** setting option, users will not be able to switch a local account to a Microsoft account, or connect a domain account to a Microsoft account to drive sync, roaming, or other background services. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. Users will still be able to add app-specific Microsoft accounts for use with consumer apps. To block this use, turn off the ability to install consumer apps or the Store.
+There are two options if this setting is enabled:
-If you click the **Users can’t add or log on with Microsoft accounts** setting option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator to log on to a computer and manage the system.
+- **Users can’t add Microsoft accounts** means that existing connected accounts can still sign in to the device (and appear on the Sign in screen). However, users cannot use the **Settings** app to add new connected accounts (or connect local accounts to Microsoft accounts).
+
+- **Users can’t add or log on with Microsoft accounts** means that users cannot add new connected accounts (or connect local accounts to Microsoft accounts) or use existing connected accounts through **Settings**.
If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows.
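Review bot: The rewritten description of **Users can’t add or log on with Microsoft accounts** drops the removed sentence warning that selecting this option "might make it impossible for an existing administrator to log on to a computer and manage the system." The new bullet only says existing connected accounts cannot be used "through **Settings**", which leaves unclear whether sign-in to Windows itself is blocked even though the option name says "log on with". State the sign-in behaviour explicitly and keep the lockout warning if it still applies. The removed guidance on app-specific Microsoft accounts for consumer apps also has no replacement here.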
@@ -36,7 +38,7 @@ By default, this setting is not defined on domain controllers and disabled on st
### Best practices
- By disabling or not configuring this policy setting on the client computer, users will be able to use their Microsoft account, local account, or domain account for their sign-in session to Windows. It also enables the user to connect a local or domain account to a Microsoft account. This provides a convenient option for your users.
-- If you need to limit the use of Microsoft accounts in your organization, click the **Users can’t add Microsoft accounts** setting option so that users will not be able to create new Microsoft accounts on a computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account.
+- If you need to limit the use of Microsoft accounts in your organization, click the **Users can’t add Microsoft accounts** setting option so that users will not be able to use the **Settings** app to add new connected accounts.
### Location
diff --git a/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings.md
index 8203714148..a666d3e71e 100644
--- a/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings.md
+++ b/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings.md
@@ -1,6 +1,6 @@
---
title: TPM Group Policy settings (Windows 10)
-description: This topic for the IT professional describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings.
+description: This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings.
ms.assetid: 54ff1c1e-a210-4074-a44e-58fee26e4dbd
ms.prod: w10
ms.mktglfcycl: deploy
@@ -15,22 +15,15 @@ author: brianlic-msft
- Windows 10
- Windows Server 2016
-This topic for the IT professional describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings.
+This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings.
-The TPM Services Group Policy settings are located at:
+The Group Policy settings for TPM services are located at:
**Computer Configuration\\Administrative Templates\\System\\Trusted Platform Module Services\\**
-### Configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0
+The following Group Policy settings were introduced in Window 10:
-Introduced in Windows 10, version 1703, this policy setting configures the TPM to use the Dictionary Attack Prevention Parameters (lockout threshold and recovery time) to the values that were used for Windows 10 Version 1607 and below. Setting this policy will take effect only if: a) the TPM was originally prepared using a version of Windows after Windows 10 Version 1607, and b) the System has a TPM 2.0.
-
-Note that enabling this policy will only take effect after the TPM maintenance task runs (which typically happens after a system restart). Once this policy has been enabled on a system and has taken effect (after a system restart), disabling it will have no impact and the system's TPM will remain configured using the legacy Dictionary Attack Prevention parameters, regardless of the value of this group policy. The only way for the disabled setting of this policy to take effect on a system where it was once enabled is to:
-a) disable it from group policy and b) clear the TPM on the system.
-
-**The following Group Policy settings were introduced in Window 10:**
-
-### Configure the list of blocked TPM commands
+## Configure the list of blocked TPM commands
This policy setting allows you to manage the Group Policy list of Trusted Platform Module (TPM) commands that are blocked by Windows.
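Review bot: The added line "The following Group Policy settings were introduced in Window 10:" carries over the typo "Window 10"; it should read "Windows 10". With the legacy Dictionary Attack Prevention Parameters section moved to the end of the topic, this sentence now introduces every setting on the page, including one the text says arrived in version 1703, so consider rewording it or noting the version per setting.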
@@ -48,7 +41,7 @@ For information how to enforce or ignore the default and local lists of blocked
- [Ignore the local list of blocked TPM commands](#ignore-the-local-list-of-blocked-tpm-commands)
-### Ignore the default list of blocked TPM commands
+## Ignore the default list of blocked TPM commands
This policy setting allows you to enforce or ignore the computer's default list of blocked Trusted Platform Module (TPM) commands.
@@ -58,7 +51,7 @@ If you enable this policy setting, the Windows operating system will ignore the
If you disable or do not configure this policy setting, Windows will block the TPM commands in the default list, in addition to the commands that are specified by Group Policy and the local list of blocked TPM commands.
-### Ignore the local list of blocked TPM commands
+## Ignore the local list of blocked TPM commands
This policy setting allows you to enforce or ignore the computer's local list of blocked Trusted Platform Module (TPM) commands.
@@ -68,7 +61,7 @@ If you enable this policy setting, the Windows operating system will ignore the
If you disable or do not configure this policy setting, Windows will block the TPM commands in the local list, in addition to the commands that are specified in Group Policy and the default list of blocked TPM commands.
-### Configure the level of TPM owner authorization information available to the operating system
+## Configure the level of TPM owner authorization information available to the operating system
This policy setting configures how much of the TPM owner authorization information is stored in the registry of the local computer. Depending on the amount of TPM owner authorization information that is stored locally, the Windows operating system and TPM-based applications can perform certain actions in the TPM that require TPM owner authorization without requiring the user to enter the TPM owner password.
@@ -106,7 +99,7 @@ If you enable this policy setting, the Windows operating system will store the T
If you disable or do not configure this policy setting, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is also disabled or not configured, the default setting is to store the full TPM authorization value in the local registry. If this policy is disabled or not
configured, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is enabled, only the administrative delegation and the user delegation blobs are stored in the local registry.
-### Standard User Lockout Duration
+## Standard User Lockout Duration
This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for Trusted Platform Module (TPM) commands requiring authorization. An authorization failure occurs each time a standard user sends a command to the TPM and receives an error response that indicates an authorization failure occurred. Authorization failures that are older than the duration you set are ignored. If the number of TPM commands with an authorization failure within the lockout duration equals a threshold, a standard user is prevented from sending commands that require
authorization to the TPM.
@@ -125,7 +118,7 @@ An administrator with the TPM owner password can fully reset the TPM's hardware
If you do not configure this policy setting, a default value of 480 minutes (8 hours) is used.
-### Standard User Individual Lockout Threshold
+## Standard User Individual Lockout Threshold
This policy setting allows you to manage the maximum number of authorization failures for each standard user for the Trusted Platform Module (TPM). This value is the maximum number of authorization failures that each standard user can have before the user is not allowed to send commands that require authorization to the TPM. If the number of authorization failures for the user within the duration that is set for the **Standard User Lockout Duration** policy setting equals this value, the standard user is prevented from sending commands that require authorization to the Trusted Platform Module (TPM).
@@ -137,7 +130,7 @@ An administrator with the TPM owner password can fully reset the TPM's hardware
If you do not configure this policy setting, a default value of 4 is used. A value of zero means that the operating system will not allow standard users to send commands to the TPM, which might cause an authorization failure.
-### Standard User Total Lockout Threshold
+## Standard User Total Lockout Threshold
This policy setting allows you to manage the maximum number of authorization failures for all standard users for the Trusted Platform Module (TPM). If the total number of authorization failures for all standard users within the duration that is set for the **Standard User Lockout Duration** policy equals this value, all standard users are prevented from sending commands that require authorization to the Trusted Platform Module (TPM).
@@ -156,6 +149,21 @@ If you enable this policy setting, TPM owner information will be automatically a
If you disable or do not configure this policy setting, TPM owner information will not be backed up to AD DS.
+## Configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0
+
+Introduced in Windows 10, version 1703, this policy setting configures the TPM to use the Dictionary Attack Prevention Parameters (lockout threshold and recovery time) to the values that were used for Windows 10 Version 1607 and below.
+
+> [!IMPORTANT]
+> Setting this policy will take effect only if:
+- The TPM was originally prepared using a version of Windows after Windows 10 Version 1607
+- The system has a TPM 2.0.
+
+> [!NOTE]
+> Enabling this policy will only take effect after the TPM maintenance task runs (which typically happens after a system restart). Once this policy has been enabled on a system and has taken effect (after a system restart), disabling it will have no impact and the system's TPM will remain configured using the legacy Dictionary Attack Prevention parameters, regardless of the value of this group policy. The only ways for the disabled setting of this policy to take effect on a system where it was once enabled are to either:
+> - Disable it from group policy
+> - Clear the TPM on the system
+
+
## Related topics
- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
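Review bot: The new NOTE changes the meaning of the recovery procedure. The removed text required both steps ("a) disable it from group policy and b) clear the TPM on the system"), while the added text says "The only ways ... are to either:" followed by two bullets, which reads as one or the other. If both steps are still required, restore the "and" wording, for example as a numbered two-step list. Separately, the two bullets under `> [!IMPORTANT]` lack the `>` prefix, so they will render outside the alert block; the first bullet is also missing its closing period.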
diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md
index fc6edc2fef..4c0c73b44b 100644
--- a/windows/threat-protection/TOC.md
+++ b/windows/threat-protection/TOC.md
@@ -150,6 +150,13 @@
### [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen\windows-defender-smartscreen-available-settings.md)
### [Set up and use Windows Defender SmartScreen on individual devices](windows-defender-smartscreen\windows-defender-smartscreen-set-individual-device.md)
+##[Windows Defender Application Guard](windows-defender-application-guard\wd-app-guard-overview.md)
+###[System requirements for Windows Defender Application Guard](windows-defender-application-guard\reqs-wd-app-guard.md)
+###[Prepare and install Windows Defender Application Guard](windows-defender-application-guard\install-wd-app-guard.md)
+###[Configure the Group Policy settings for Windows Defender Application Guard](windows-defender-application-guard\configure-wd-app-guard.md)
+###[Testing scenarios using Windows Defender Application Guard in your business or organization](windows-defender-application-guard\test-scenarios-wd-app-guard.md)
+###[Frequently Asked Questions - Windows Defender Application Guard](windows-defender-application-guard\faq-wd-app-guard.md)
+
## [Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection\protect-enterprise-data-using-wip.md)
### [Create a Windows Information Protection (WIP) policy](windows-information-protection\overview-create-wip-policy.md)
#### [Create a Windows Information Protection (WIP) policy using the classic console for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune.md)
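Review bot: The six new Application Guard entries are written as `##[` and `###[` with no space after the hashes, while every surrounding TOC entry uses `## [` and `### [`. Add the space so the entries are parsed as headings consistently with the rest of the file.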
diff --git a/windows/threat-protection/block-untrusted-fonts-in-enterprise.md b/windows/threat-protection/block-untrusted-fonts-in-enterprise.md
index e854d43efb..ebec2a5082 100644
--- a/windows/threat-protection/block-untrusted-fonts-in-enterprise.md
+++ b/windows/threat-protection/block-untrusted-fonts-in-enterprise.md
@@ -8,10 +8,13 @@ ms.mktglfcycl: deploy
ms.pagetype: security
ms.sitesec: library
author: eross-msft
+ms.author: lizross
+ms.date: 08/14/2017
ms.localizationpriority: high
---
# Block untrusted fonts in an enterprise
+
**Applies to:**
- Windows 10
@@ -46,19 +49,44 @@ After you turn this feature on, your employees might experience reduced function
- Using desktop Office to look at documents with embedded fonts. In this situation, content shows up using a default font picked by Office.
## Turn on and use the Blocking Untrusted Fonts feature
+Use Group Policy or the registry to turn this feature on, off, or to use audit mode.
+
+**To turn on and use the Blocking Untrusted Fonts feature through Group Policy**
+1. Open the Group Policy editor (gpedit.msc) and go to `Computer Configuration\Administrative Templates\System\Mitigation Options\Untrusted Font Blocking`.
+
+2. Click **Enabled** to turn the feature on, and then click one of the following **Migitation Options**:
+
+ - **Block untrusted fonts and log events.** Turns the feature on, blocking untrusted fonts and logging installation attempts to the event log.
+
+ - **Do not block untrusted fonts.** Turns the feature on, but doesn't block untrusted fonts nor does it log installation attempts to the event log.
+
+ - **Log events without blocking untrusted fonts**. Turns the feature on, logging installation attempts to the event log, but not blocking untrusted fonts.
+
+3. Click **OK**.
+
+**To turn on and use the Blocking Untrusted Fonts feature through the registry**
To turn this feature on, off, or to use audit mode:
1. Open the registry editor (regedit.exe) and go to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\`.
2. If the **MitigationOptions** key isn't there, right-click and add a new **QWORD (64-bit) Value**, renaming it to **MitigationOptions**.
-3. Update the **Value data** of the **MitigationOptions** key, making sure you keep your existing value, like in the important note below:
+3. Right click on the **MitigationOptions** key, and then click **Modify**.
+
+ The **Edit QWORD (64-bit) Value** box opens.
+
+4. Make sure the **Base** option is **Hexadecimal**, and then update the **Value data**, making sure you keep your existing value, like in the important note below:
- **To turn this feature on.** Type **1000000000000**.
- - **To turn this feature off.** Type **2000000000000**.
- - **To audit with this feature.** Type **3000000000000**.
**Important** Your existing **MitigationOptions** values should be saved during your update. For example, if the current value is *1000*, your updated value should be *1000000001000*.
-4. Restart your computer.
+ - **To turn this feature off.** Type **2000000000000**.
+
+ - **To audit with this feature.** Type **3000000000000**.
+
+ >[!Important]
+ >Your existing **MitigationOptions** values should be saved during your update. For example, if the current value is *1000*, your updated value should be *1000000001000*.
+
+4. Restart your computer.
## View the event log
After you turn this feature on, or start using Audit mode, you can look at your event logs for details.
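Review bot: The registry procedure now has two steps numbered 4 ("Make sure the **Base** option is **Hexadecimal**..." and "Restart your computer"); the restart step should be 5. In the Group Policy steps, "**Migitation Options**" is misspelled, and the description of **Do not block untrusted fonts** says it "Turns the feature on" while neither blocking nor logging, which contradicts the option name; say that it turns the feature off. As shown in this hunk, the old `**Important**` line remains as context beside the new `>[!Important]` alert, and the old "To turn this feature on, off, or to use audit mode:" line remains under the new bold heading, so the note and the intro appear twice.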
@@ -68,27 +96,33 @@ After you turn this feature on, or start using Audit mode, you can look at your
1. Open the event viewer (eventvwr.exe) and go to **Application and Service Logs/Microsoft/Windows/Win32k/Operational**.
2. Scroll down to **EventID: 260** and review the relevant events.
-
-**Event Example 1 - MS Word**
-WINWORD.EXE attempted loading a font that is restricted by font loading policy.
-FontType: Memory
-FontPath:
-Blocked: true
-**Note** Because the **FontType** is *Memory*, there’s no associated **FontPath.**
-
-**Event Example 2 - Winlogon**
-Winlogon.exe attempted loading a font that is restricted by font loading policy.
-FontType: File
-FontPath: `\??\C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\EQUATION\MTEXTRA.TTF`
-Blocked: true
-**Note** Because the **FontType** is *File*, there’s also an associated **FontPath.**
-
-**Event Example 3 - Internet Explorer running in Audit mode**
-Iexplore.exe attempted loading a font that is restricted by font loading policy.
-FontType: Memory
-FontPath:
-Blocked: false
-**Note** In Audit mode, the problem is recorded, but the font isn’t blocked.
+
+ **Event Example 1 - MS Word**
+ WINWORD.EXE attempted loading a font that is restricted by font-loading policy.
+ FontType: Memory
+ FontPath:
+ Blocked: true
+
+ >[!NOTE]
+ >Because the **FontType** is *Memory*, there’s no associated **FontPath**.
+
+ **Event Example 2 - Winlogon**
+ Winlogon.exe attempted loading a font that is restricted by font-loading policy.
+ FontType: File
+ FontPath: `\??\C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\EQUATION\MTEXTRA.TTF`
+ Blocked: true
+
+ >[!NOTE]
+ >Because the **FontType** is *File*, there’s also an associated **FontPath**.
+
+ **Event Example 3 - Internet Explorer running in Audit mode**
+ Iexplore.exe attempted loading a font that is restricted by font-loading policy.
+ FontType: Memory
+ FontPath:
+ Blocked: false
+
+ >[!NOTE]
+ >In Audit mode, the problem is recorded, but the font isn’t blocked.
## Fix apps having problems because of blocked fonts
Your company may still need apps that are having problems because of blocked fonts, so we suggest that you first run this feature in Audit mode to determine which fonts are causing the problems.
@@ -101,12 +135,14 @@ After you figure out the problematic fonts, you can try to fix your apps in 2 wa
**To fix your apps by excluding processes**
-1. On each computer with the app installed, open regedit.exe and go to `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\`. Like, if you want to exclude Microsoft Word processes, you’d use `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe`.
+1. On each computer with the app installed, open regedit.exe and go to `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\`.
For example, if you want to exclude Microsoft Word processes, you’d use `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe`.
-2. Add any additional processes that need to be excluded here, and then turn the Blocking untrusted fonts feature on, using steps 2 and 3 in [Turn on and use the Blocking Untrusted Fonts feature](#turn-on-and-use-the-blocking-untrusted-fonts-feature).
+2. Add any additional processes that need to be excluded here, and then turn the Blocking untrusted fonts feature on, using the steps in the [Turn on and use the Blocking Untrusted Fonts feature](#turn-on-and-use-the-blocking-untrusted-fonts-feature) section of this topic.
+## Related content
+- [Dropping the “Untrusted Font Blocking” setting](https://blogs.technet.microsoft.com/secguide/2017/06/15/dropping-the-untrusted-font-blocking-setting/)
diff --git a/windows/threat-protection/index.md b/windows/threat-protection/index.md
index 885e4d9279..a98bb34278 100644
--- a/windows/threat-protection/index.md
+++ b/windows/threat-protection/index.md
@@ -17,6 +17,7 @@ Learn more about how to help protect against threats in Windows 10 and Windows
|[Windows Defender Security Center](windows-defender-security-center/windows-defender-security-center.md)|Learn about the easy-to-use app that brings together common Windows security features.|
|[Windows Defender Advanced Threat Protection](windows-defender-atp/windows-defender-advanced-threat-protection.md)|Provides info about Windows Defender Advanced Threat Protection (Windows Defender ATP), an out-of-the-box Windows enterprise security service that enables enterprise cybersecurity teams to detect and respond to advanced threats on their networks.|
|[Windows Defender Antivirus in Windows 10](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)|Provides info about Windows Defender, a built-in antimalware solution that helps provide security and antimalware management for desktops, portable computers, and servers. Includes a list of system requirements and new features.|
+|[Windows Defender Application Guard](windows-defender-application-guard/wd-app-guard-overview.md)|Provides info about Windows Defender Application Guard, the hardware-based virtualization solution that helps to isolate a device and operating system from an untrusted browser session.|
|[Windows Defender SmartScreen](windows-defender-smartscreen/windows-defender-smartscreen-overview.md) |Learn more about Windows Defender SmartScreen.|
|[Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection/protect-enterprise-data-using-wip.md)|Provides info about how to create a Windows Information Protection policy that can help protect against potential corporate data leakage.|
|[Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md) |Learn more about mitigating threats in Windows 10.|
diff --git a/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
index 2bde953608..fdb8d3eec8 100644
--- a/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
@@ -10,6 +10,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
+ms.author: iawilt
---
diff --git a/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md
index 18e242a4f0..8e92f2d2cd 100644
--- a/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md
@@ -10,6 +10,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
+ms.author: iawilt
---
# Manage updates and scans for endpoints that are out of date
@@ -92,7 +93,7 @@ See the following for more information and allowed parameters:
## Set the number of days before protection is reported as out-of-date
-You can also specify the number of days after which Windows Defender AV protection is considered old or out-of-date. After the specified number of days, the client will report itself as out-of-date, and show an error to the user of the PC. It may also cause Windows Defender AV to attempt to download an update from other sources (based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order)).
+You can also specify the number of days after which Windows Defender AV protection is considered old or out-of-date. After the specified number of days, the client will report itself as out-of-date, and show an error to the user of the PC. It may also cause Windows Defender AV to attempt to download an update from other sources (based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order)), such as when using MMPC as a secondary source after setting WSUS or Microsoft Update as the first source.
**Use Group Policy to specify the number of days before protection is considered out-of-date:**
diff --git a/windows/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
index d87bb53800..214f619f3f 100644
--- a/windows/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
@@ -10,6 +10,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
+ms.author: iawilt
---
# Manage the sources for Windows Defender Antivirus protection updates
@@ -63,7 +64,11 @@ The older the updates on an endpoint, the larger the download. However, you must
Microsoft Update allows for rapid releases, which means it will download small deltas on a frequent basis. This ensures the best protection, but may increase network bandwidth.
-The WSUS, Configuration Manager and MMPC sources will deliver less frequent updates. The size of the updates may be slightly larger than the frequent release from Microsoft Update (as the delta, or differences between the latest version and what is on the endpoint will be larger). This ensures consistent protection without increasing ad hoc network usage (although the amount of data may be the same or increased as the updates will be fewer, but may be slightly larger).
+The WSUS, Configuration Manager, and MMPC sources will deliver less frequent updates. The size of the updates may be slightly larger than the frequent release from Microsoft Update (as the delta, or differences between the latest version and what is on the endpoint will be larger). This ensures consistent protection without increasing ad hoc network usage (although the amount of data may be the same or increased as the updates will be fewer, but may be slightly larger).
+
+> [!IMPORTANT]
+> If you have set MMPC as a fallback source after WSUS or Microsoft Update, updates will only be downloaded from MMPC when the current update is considered to be out-of-date (by default, this is 2 consecutive days of not being able to apply updates from the WSUS or Microsoft Update services).
+> You can, however, [set the number of days before protection is reported as out-of-date](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date).
Each source has typical scenarios that depend on how your network is configured, in addition to how often they publish updates, as described in the following table:
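Review bot: The link added in the [!IMPORTANT] note is an absolute docs.microsoft.com URL with the en-us locale in the path, while the other links visible in this file are relative (deployment-vdi-windows-defender-antivirus.md). Suggest a relative link to manage-outdated-endpoints-windows-defender-antivirus.md with the same anchor so the link follows localization. The note also says the update is "considered to be out-of-date" while the link text says "reported as out-of-date"; use one term so readers can tell it is the same setting.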
@@ -73,7 +78,7 @@ WSUS | You are using WSUS to manage updates for your network.
Microsoft Update | You want your endpoints to connect directly to Microsoft Update. This can be useful for endpoints that irregularly connect to your enterprise network, or if you do not use WSUS to manage your updates.
File share | You have non-Internet-connected devices (such as VMs). You can use your Internet-connected VM host to download the updates to a network share, from which the VMs can obtain the updates. See the [VDI deployment guide](deployment-vdi-windows-defender-antivirus.md) for how file shares can be used in virtual desktop infrastructure (VDI) environments.
Configuration Manager | You are using System Center Configuration Manager to update your endpoints.
-MMPC | You need to download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-windows-defender-antivirus.md). This option should generally be used only as a final fallback source, and not the primary source.
+MMPC | You need to download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-windows-defender-antivirus.md). This option should generally be used only as a final fallback source, and not the primary source. It will only be used if updates cannot be downloaded from WSUS or Microsoft Update for [a specified number of days](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date).
You can manage the order in which update sources are used with Group Policy, System Center Configuration Manager, PowerShell cmdlets, and WMI.
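Review bot: The sentence added to the MMPC row, "It will only be used if updates cannot be downloaded from WSUS or Microsoft Update", is unconditional, but the [!IMPORTANT] note earlier in this patch limits that behavior to the case where MMPC is set as a fallback source after WSUS or Microsoft Update. The same row still recommends MMPC after a recent infection or for a VDI base image, so the row now reads as contradictory. Suggest carrying the condition into the row, for example "When set as a fallback after WSUS or Microsoft Update, it is only used if ...". The link here is the same absolute en-us URL, where the row's existing VDI link is relative.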
diff --git a/windows/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
new file mode 100644
index 0000000000..73bb0a5fb0
--- /dev/null
+++ b/windows/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
@@ -0,0 +1,46 @@
+---
+title: Configure the Group Policy settings for Windows Defender Application Guard (Windows 10)
+description: Learn about the available Group Policy settings for Windows Defender Application Guard.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+author: eross-msft
+ms.author: lizross
+ms.date: 08/11/2017
+localizationpriority: high
+---
+
+# Configure Windows Defender Application Guard policy settings
+
+**Applies to:**
+- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later)
+
+Windows Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a GPO, which is linked to a domain, and then apply all those settings to every computer in the domain.
+
+Application Guard uses both network isolation and application-specific settings.
+
+### Network isolation settings
+These settings, located at **Computer Configuration\Administrative Templates\Network\Network Isolation**, help you define and manage your company's network boundaries. Application Guard uses this information to automatically transfer any requests to access the non-corporate resources into the Application Guard container.
+
+>[!NOTE]
+>You must configure either the Enterprise resource domains hosted in the cloud or Private network ranges for apps settings on your employee devices to successfully turn on Application Guard using enterprise mode.
+
+
+|Policy name|Supported versions|Description|
+|-----------|------------------|-----------|
+|Private network ranges for apps|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of IP address ranges that are in your corporate network. Included endpoints or endpoints that are included within a specified IP address range, are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.|
+|Enterprise resource domains hosted in the cloud|At least Windows Server 2012, Windows 8, or Windows RT|A pipe-separated (\|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.|
+|Domains categorized as both work and personal|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.|
+
+### Application-specific settings
+These settings, located at **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard**, can help you to manage your company's implementation of Application Guard.
+
+|Name|Supported versions|Description|Options|
+|-----------|------------------|-----------|-------|
+|Configure Windows Defender Application Guard clipboard settings|At least Windows 10 Enterprise|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:
Disable the clipboard functionality completely when Virtualization Security is enabled.
Enable copying of certain content from Application Guard into Microsoft Edge.
Enable copying of certain content from Microsoft Edge into Application Guard.
**Important** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.|
+|Configure Windows Defender Application Guard print settings|At least Windows 10 Enterprise|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:
Enable Application Guard to print into the XPS format.
Enable Application Guard to print into the PDF format.
Enable Application Guard to print to locally attached printers.
Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.
**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
+|Block enterprise websites to load non-enterprise content in IE and Edge|At least Windows 10 Enterprise|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.
**Disabled or not configured.** Allows Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard.|
+|Allow Persistence|At least Windows 10 Enterprise|Determines whether data persists across different sessions in Windows Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.
**Disabled or not configured.** All user data within Application Guard is reset between sessions.
**Note** If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data. **To reset the container:**
Open a command-line program and navigate to Windows/System32.
Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.
|
+|Turn On/Off Windows Defender Application Guard (WDAG)|At least Windows 10 Enterprise|Determines whether to turn on Application Guard for Microsoft Edge.|**Enabled.** Turns on Application Guard for Microsoft Edge, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned On unless the required prerequisites and network isolation settings are already set on the device.
**Disabled.** Turns Off Application Guard, allowing all apps to run in Microsoft Edge.|
+
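Review bot: In the "Block enterprise websites to load non-enterprise content in IE and Edge" row, the description ("Determines whether to allow Internet access for apps not included on the **Allowed Apps** list") does not match the options, which describe network traffic from Internet Explorer and Microsoft Edge to non-enterprise sites, and no Allowed Apps list is defined in this file. Suggest rewriting the description to match the options. In the Allow Persistence row, the two wdagtool.exe lines read as consecutive steps although they have different outcomes (one retains employee-generated data, the other discards it), so present them as alternatives. The front matter uses "localizationpriority: high" where other files in this patch use "ms.localizationpriority".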
diff --git a/windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md
new file mode 100644
index 0000000000..78a7228f40
--- /dev/null
+++ b/windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md
@@ -0,0 +1,44 @@
+---
+title: Frequently asked questions - Windows Defender Application Guard (Windows 10)
+description: Learn about the commonly asked questions and answers for Windows Defender Application Guard.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+author: eross-msft
+ms.author: lizross
+ms.date: 08/11/2017
+localizationpriority: high
+---
+
+# Frequently asked questions - Windows Defender Application Guard
+
+**Applies to:**
+- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later)
+
+Answering frequently asked questions about Windows Defender Application Guard (Application Guard) features, integration with the Windows operating system, and general configuration.
+
+## Frequently Asked Questions
+
+| | |
+|---|----------------------------|
+|**Q:** |Can employees download documents from the Application Guard Edge session onto host devices?|
+|**A:** |It's not possible to download files from the isolated Application Guard container to the host PC. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device.|
+
+
+| | |
+|---|----------------------------|
+|**Q:** |Can employees copy and paste between the host device and the Application Guard Edge session?|
+|**A:** |Depending on your organization's settings, employees can copy and paste images and text (.bmp) to and from the isolated container.|
+
+
+| | |
+|---|----------------------------|
+|**Q:** |Why don't employees see their Favorites in the Application Guard Edge session?|
+|**A:** |To help keep the Application Guard Edge session secure and isolated from the host device, we don't copy the Favorites stored in the Application Guard Edge session back to the host device.|
+
+
+| | |
+|---|----------------------------|
+|**Q:** |Why aren’t employees able to see their Extensions in the Application Guard Edge session?|
+|**A:** |Currently, the Application Guard Edge session doesn't support Extensions. However, we're closely monitoring your feedback about this.|
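Review bot: The Favorites answer does not address its question: the question asks why employees don't see their Favorites inside the Application Guard Edge session, but the answer explains that Favorites stored in the session are not copied "back to the host device", which is the opposite direction. Suggest stating which direction is blocked, or both. In the copy and paste answer, "images and text (.bmp)" attaches the .bmp format to text; it should follow "images". Each Q/A pair is also its own table with an empty header row, which could be a single table or plain headings.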
diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-clipboard.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-clipboard.png
new file mode 100644
index 0000000000..6f2bb5afcf
Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-clipboard.png differ
diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation-neutral.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation-neutral.png
new file mode 100644
index 0000000000..f1391f862c
Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation-neutral.png differ
diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation.png
new file mode 100644
index 0000000000..e0bedcd7cd
Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation.png differ
diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-persistence.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-persistence.png
new file mode 100644
index 0000000000..357be9c65b
Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-persistence.png differ
diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-print.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-print.png
new file mode 100644
index 0000000000..25c22912a5
Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-print.png differ
diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-turn-on.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-turn-on.png
new file mode 100644
index 0000000000..48aa702feb
Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-gp-turn-on.png differ
diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-hardware-isolation.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-hardware-isolation.png
new file mode 100644
index 0000000000..56acb4be53
Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-hardware-isolation.png differ
diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-new-window.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-new-window.png
new file mode 100644
index 0000000000..c5e7982909
Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-new-window.png differ
diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-turned-on-with-trusted-site.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-turned-on-with-trusted-site.png
new file mode 100644
index 0000000000..01f4eb6359
Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-turned-on-with-trusted-site.png differ
diff --git a/windows/threat-protection/windows-defender-application-guard/images/appguard-visual-cues.png b/windows/threat-protection/windows-defender-application-guard/images/appguard-visual-cues.png
new file mode 100644
index 0000000000..3fe617b8ed
Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/appguard-visual-cues.png differ
diff --git a/windows/threat-protection/windows-defender-application-guard/images/application-guard-container-v-host.png b/windows/threat-protection/windows-defender-application-guard/images/application-guard-container-v-host.png
new file mode 100644
index 0000000000..a946325c66
Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/application-guard-container-v-host.png differ
diff --git a/windows/threat-protection/windows-defender-application-guard/images/host-screen-no-application-guard.png b/windows/threat-protection/windows-defender-application-guard/images/host-screen-no-application-guard.png
new file mode 100644
index 0000000000..877b707030
Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/host-screen-no-application-guard.png differ
diff --git a/windows/threat-protection/windows-defender-application-guard/images/turn-windows-features-on.png b/windows/threat-protection/windows-defender-application-guard/images/turn-windows-features-on.png
new file mode 100644
index 0000000000..5172022256
Binary files /dev/null and b/windows/threat-protection/windows-defender-application-guard/images/turn-windows-features-on.png differ
diff --git a/windows/threat-protection/windows-defender-application-guard/install-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
new file mode 100644
index 0000000000..a93a6519fc
--- /dev/null
+++ b/windows/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
@@ -0,0 +1,56 @@
+---
+title: Prepare and install Windows Defender Application Guard (Windows 10)
+description: Learn about the Windows Defender Application Guard modes (Standalone or Enterprise-managed) and how to install Application Guard in your enterprise.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+author: eross-msft
+ms.author: lizross
+ms.date: 08/11/2017
+localizationpriority: high
+---
+
+# Prepare and install Windows Defender Application Guard
+
+**Applies to:**
+- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later)
+
+## Prepare to install Windows Defender Application Guard
+Before you can install and use Windows Defender Application Guard, you must determine which way you intend to use it in your enterprise. You can use Application Guard in either **Standalone** or **Enterprise-managed** mode.
+
+- **Standalone mode.** Employees can use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, you must install Application Guard and then the employee must manually start Microsoft Edge in Application Guard while browsing untrusted sites. For an example of how this works, see the Application Guard in standalone mode testing scenario.
+
+- **Enterprise-managed mode.** You and your security department can define your corporate boundaries by explicitly adding trusted domains and by customizing the Application Guard experience to meet and enforce your needs on employee devices. Enterprise-managed mode also automatically redirects any browser requests to load non-enterprise domain(s) in the container.
+
+The following diagram shows the flow between the host PC and the isolated container.
+
+
+## Install Application Guard
+Application Guard functionality is turned off by default. However, you can quickly install it on your employee’s devices through the Control Panel, PowerShell, or your mobile device management (MDM) solution.
+
+**To install by using the Control Panel**
+1. Open the **Control Panel**, click **Programs,** and then click **Turn Windows features on or off**.
+
+ 
+
+2. Select the check box next to **Windows Defender Application Guard** and then click **OK**.
+
+ Application Guard and its underlying dependencies are all installed.
+
+**To install by using PowerShell**
+1. Click the **Search** or **Cortana** icon in the Windows 10 taskbar and type **PowerShell**.
+
+2. Right-click **Windows PowerShell**, and then click **Run as administrator**.
+
+ Windows PowerShell opens with administrator credentials.
+
+3. Type the following command:
+
+ ```
+ Enable-WindowsOptionalFeature -online -FeatureName Windows-Defender-ApplicationGuard
+ ```
+4. Restart the device.
+
+ Application Guard and its underlying dependencies are all installed.
+
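Review bot: The "Install Application Guard" intro promises installation through the Control Panel, PowerShell, or an MDM solution, but only the first two procedures follow. Either add the MDM steps or drop MDM from the sentence. The Control Panel procedure also ends at clicking OK with no restart, while the PowerShell procedure has "4. Restart the device."; if a restart is required for the feature to be active, both procedures should say so. The standalone mode bullet refers to "the Application Guard in standalone mode testing scenario" without a link to test-scenarios-wd-app-guard.md.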
diff --git a/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md
new file mode 100644
index 0000000000..a03b3514c2
--- /dev/null
+++ b/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md
@@ -0,0 +1,37 @@
+---
+title: System requirements for Windows Defender Application Guard (Windows 10)
+description: Learn about the system requirements for installing and running Windows Defender Application Guard.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+author: eross-msft
+ms.author: lizross
+ms.date: 08/11/2017
+localizationpriority: high
+---
+
+# System requirements for Windows Defender Application Guard
+
+**Applies to:**
+- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later)
+
+The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Windows Defender Application Guard (Application Guard) is designed to help prevent old, and newly emerging attacks, to help keep employees productive.
+
+## Hardware requirements
+Your environment needs the following hardware to run Application Guard.
+
+|Hardware|Description|
+|--------|-----------|
+|64-bit CPU|A 64-bit computer is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/reference/tlfs).|
+|CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_
**-AND-**
One of the following virtualization extensions for VBS:
VT-x (Intel)
**-OR-**
AMD-V|
+|Hardware memory|4 GB minimum, 8 GB recommended|
+
+## Software requirements
+Your environment needs the following hardware to run Application Guard.
+
+|Software|Description|
+|--------|-----------|
+|Operating system|Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later)|
+|Browser|Microsoft Edge and Internet Explorer|
+|Management system|[Microsoft Intune](https://docs.microsoft.com/en-us/intune/)
**-OR-**
[System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/)
Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.|
\ No newline at end of file
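Review bot: Under "## Software requirements" the lead-in sentence is copied from the hardware section and still reads "Your environment needs the following hardware to run Application Guard."; it should say software. In the Management system row, Intune and Configuration Manager are joined by -OR- but the third-party MDM option follows with no separator, so it is unclear whether it is a third alternative. The file also ends without a trailing newline.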
diff --git a/windows/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md
new file mode 100644
index 0000000000..152f404382
--- /dev/null
+++ b/windows/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md
@@ -0,0 +1,159 @@
+---
+title: Testing scenarios using Windows Defender Application Guard in your business or organization (Windows 10)
+description: Suggested testing scenarios for Windows Defender Application Guard, showing how it works in both Standalone and Enterprise-managed mode.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+author: eross-msft
+ms.author: lizross
+ms.date: 08/11/2017
+localizationpriority: high
+---
+
+# Testing scenarios using Windows Defender Application Guard in your business or organization
+
+**Applies to:**
+- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later)
+
+We've come up with a list of suggested testing scenarios that you can use to test Windows Defender Application Guard (Application Guard) in your organization.
+
+## Application Guard in standalone mode
+You can see how an employee would use standalone mode with Application Guard.
+
+**To test Application Guard in Standalone mode**
+
+1. Download the latest Windows Insider Program build (15257 or later).
+
+2. Install Application Guard, using the [installation](#install-set-up-and-turn-on-application-guard) steps in this guide.
+
+3. Restart the device, start Microsoft Edge, and then click **New Application Guard window** from the menu.
+
+ 
+
+4. Wait for Application Guard to set up the isolated environment.
+
+ >[!NOTE]
+ >Starting Application Guard too quickly after restarting the device might cause it to take a bit longer to load. However, subsequent starts should occur without any perceivable delays.
+
+5. Go to an untrusted, but safe URL (for this example, we used msn.com) and view the new Microsoft Edge window, making sure you see the Application Guard visual cues.
+
+ 
+
+## Application Guard in Enterprise-managed mode
+How to install, set up, turn on, and configure Application Guard for Enterprise-managed mode.
+
+### Install, set up, and turn on Application Guard
+Before you can use Application Guard in enterprise mode, you must install a version of Windows 10 that includes the functionality. Then, you must use Group Policy to set up the required settings.
+
+1. Download the latest Windows Insider Program build (15257 or later).
+
+2. Install Application Guard, using the [installation](#install-set-up-and-turn-on-application-guard) steps in this guide.
+
+3. Restart the device and then start Microsoft Edge.
+
+4. Set up the Network Isolation settings in Group Policy:
+
+ a. Click on the **Windows** icon, type _Group Policy_, and then click **Edit Group Policy**.
+
+ b. Go to the **Administrative Templates\Network\Network Isolation\Enterprise resource domains hosted in the cloud** setting.
+
+ c. For the purposes of this scenario, type _.microsoft.com_ into the **Enterprise cloud resources** box.
+
+ 
+
+ d. Go to the **Administrative Templates\Network\Network Isolation\Domains categorized as both work and personal** setting.
+
+ e. For the purposes of this scenario, type _bing.com_ into the **Neutral resources** box.
+
+ 
+
+5. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Turn On/Off Windows Defender Application Guard (WDAG)** setting.
+
+6. Click **Enabled**.
+
+ 
+
+ >[!NOTE]
+ >Enabling this setting verifies that all the necessary settings are properly configured on your employee devices, including the network isolation settings set earlier in this scenario.
+
+7. Start Microsoft Edge and type _www.microsoft.com_.
+
+ After you submit the URL, Application Guard determines the URL is trusted because it uses the domain you’ve marked as trusted and shows the site directly on the host PC instead of in Application Guard.
+
+ 
+
+8. In the same Microsoft Edge browser, type any URL that isn’t part of your trusted or neutral site lists.
+
+ After you submit the URL, Application Guard determines the URL is untrusted and redirects the request to the hardware-isolated environment.
+
+ 
+
+### Customize Application Guard
+Application Guard lets you specify your configuration, allowing you to create the proper balance between isolation-based security and productivity for your employees.
+
+Application Guard provides the following default behavior for your employees:
+
+- No copying and pasting between the host PC and the isolated container.
+
+- No printing from the isolated container.
+
+- No data persistence from one isolated container to another isolated container.
+
+You have the option to change each of these settings to work with your enterprise from within Group Policy.
+
+**To change the copy and paste options**
+1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard clipboard settings**.
+
+2. Click **Enabled**.
+
+ 
+
+3. Choose how the clipboard works:
+
+ - Copy and paste from the isolated session to the host PC
+
+ - Copy and paste from the host PC to the isolated session
+
+ - Copy and paste both directions
+
+4. Choose what can be copied:
+
+ - **1.** Only text can be copied between the host PC and the isolated container.
+
+ - **2.** Only images can be copied between the host PC and the isolated container.
+
+ - **3.** Both text and images can be copied between the host PC and the isolated container.
+
+5. Click **OK**.
+
+**To change the print options**
+1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard print** settings.
+
+2. Click **Enabled**.
+
+ 
+
+3. Based on the list provided in the setting, choose the number that best represents what type of printing should be available to your employees. You can allow any combination of local, network, PDF, and XPS printing.
+
+4. Click **OK**.
+
+**To change the data persistence options**
+1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Allow data persistence for Windows Defender Application Guard** setting.
+
+2. Click **Enabled**.
+
+ 
+
+3. Open Microsoft Edge and browse to an untrusted, but safe URL.
+
+ The website opens in the isolated session.
+
+4. Add the site to your **Favorites** list and then close the isolated session.
+
+5. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
+
+ The previously added site should still appear in your **Favorites** list.
+
+ >[!NOTE]
+ >If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren’t shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10.
If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
**To reset the container:**
Open a command-line program and navigate to Windows/System32.
Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.
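Review bot: Step 2 in both procedures links to "#install-set-up-and-turn-on-application-guard", which is the Enterprise-managed section of this same file, and that section's own step 2 links back to itself, so the reader never reaches installation steps; those are in install-wd-app-guard.md. Step 1 asks for build "15257 or later" while the Applies to line says "Build 16188 or later". The Group Policy paths here use "Administrative Templates\System\Windows Components\Windows Defender Application Guard", but configure-wd-app-guard.md in this patch gives "Administrative Templates\Windows Components\Windows Defender Application Guard", and the persistence setting is named "Allow data persistence for Windows Defender Application Guard" here and "Allow Persistence" there. Suggest aligning these so admins apply the isolation and persistence settings they intend.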
diff --git a/windows/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md b/windows/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md
new file mode 100644
index 0000000000..ac7c37e883
--- /dev/null
+++ b/windows/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md
@@ -0,0 +1,47 @@
+---
+title: Windows Defender Application Guard (Windows 10)
+description: Learn about Windows Defender Application Guard and how it helps to combat malicious content and malware out on the Internet.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+author: eross-msft
+ms.author: lizross
+ms.date: 08/11/2017
+localizationpriority: high
+---
+
+# Windows Defender Application Guard overview
+
+**Applies to:**
+- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later)
+
+The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks.
+
+Windows Defender Application Guard (Application Guard) is designed to help prevent old, and newly emerging attacks, to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by rendering current attack methods obsolete.
+
+
+## What is Application Guard and how does it work?
+Designed for Windows 10 and Microsoft Edge, Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet. As an enterprise administrator, you define what is among trusted web sites, cloud resources, and internal networks. Everything not on your list is considered untrusted.
+
+If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated Hyper-V-enabled container, which is separate from the host operating system. This container isolation means that if the untrusted site turns out to be malicious, the host PC is protected, and the attacker can't get to your enterprise data. For example, this approach makes the isolated container anonymous, so an attacker can't get to your employee's enterprise credentials.
+
+
+
+### What types of devices should use Application Guard?
+Application Guard has been created to target 3 types of enterprise systems:
+
+- **Enterprise desktops.** These desktops are domain-joined and managed by your organization. Configuration management is primarily done through System Center Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wired, corporate network.
+
+- **Enterprise mobile laptops.** These laptops are domain-joined and managed by your organization. Configuration management is primarily done through System Center Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wireless, corporate network.
+
+- **Bring your own device (BYOD) mobile laptops.** These personally-owned laptops are not domain-joined, but are managed by your organization through tools like Microsoft Intune. The employee is typically an admin on the device and uses a high-bandwidth wireless corporate network while at work and a comparable personal network while at home.
+
+## In this section
+|Topic |Description |
+|------|------------|
+|[System requirements for Windows Defender Application Guard](reqs-wd-app-guard.md) |Specifies the pre-requisites necessary to install and use Application Guard. |
+|[Prepare and install Windows Defender Application Guard](install-wd-app-guard.md) |Provides instructions about determining which mode to use, either Standalone or Enterprise-managed, and how to install Application Guard in your organization. |
+|[Configure the Group Policy settings for Windows Defender Application Guard](configure-wd-app-guard.md) |Provides info about the available Group Policy and MDM settings.|
+|[Testing scenarios using Windows Defender Application Guard in your business or organization](test-scenarios-wd-app-guard.md)|Provides a list of suggested testing scenarios that you can use to test Windows Defender Application Guard (Application Guard) in your organization.|
+|[Frequently Asked Questions - Windows Defender Application Guard](faq-wd-app-guard.md)|Common questions and answers around the features and functionality of Application Guard.|
\ No newline at end of file
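Review bot: In "What is Application Guard and how does it work?", the sentence "this approach makes the isolated container anonymous, so an attacker can't get to your employee's enterprise credentials" never says what "anonymous" means. State concretely what the container has no access to, so a reader can judge where the isolation boundary sits. The same paragraph says a site reached "through either Microsoft Edge or Internet Explorer" is opened by Microsoft Edge in the container; spell out that Internet Explorer navigation is handed over to Edge, since the section opens by saying the feature is designed for Microsoft Edge. The new file also ends without a trailing newline.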
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
index a1a712f714..2c8aed6960 100644
--- a/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
@@ -124,30 +124,44 @@ Configuration for onboarded machines: telemetry reporting frequency | ./Device/V

-4. Type a name, description and choose **Windows 10 and later** as the Platform and **Windows Defender ATP (Windows 10 Desktop)** as the Profile type.
+6. Type a name, description and choose **Windows 10 and later** as the Platform and **Custom** as the Profile type.
- 
+ 
7. Click **Settings** > **Configure**.
- 
+ 
-8. Click the folder icon and select the WindowsDefenderATP.onboarding file you extracted earlier. Configure whether you want to allow sample collection from endpoints for [Deep Analysis](investigate-files-windows-defender-advanced-threat-protection.md) by choosing **All**, or disable this feature by choosing **None**. When complete, click **OK**.
+8. Under Custom OMA-URI Settings, click **Add**.
- 
+ 
-9. Click **Create**.
+9. Enter the following values, then click **OK**.
- 
+ 
-10. Search for and select the Group you want to apply the Configuration Policy to, then click **Select**.
+ - **Name**: Type a name for the setting.
+ - **Description**: Type a description for the setting.
+ - **OMA-URI**: _./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding_
+ - **Value**: Copy and paste the contents of the WindowsDefenderATP.onboarding file you downloaded.
- 
+10. Save the settings by clicking **OK**.
+
+11. Click **Create**.
-11. Click **Save** to finish deploying the Configuration Policy.
+ 
- 
+12. To deploy the Profile, click **Assignments**.
+ 
+
+13. Search for and select the Group you want to apply the Configuration Profile to, then click **Select**.
+
+ 
+
+14. Click **Save** to finish deploying the Configuration Profile.
+
+ 
### Offboard and monitor endpoints
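Review bot: The removed step 8 let the admin choose **All** or **None** for sample collection for Deep Analysis, but the new Custom profile steps set only the `./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding` OMA-URI, so that choice is no longer covered by this procedure. Add a step for the sample collection setting, or point to where in the topic it is configured. Steps 9 and 10 both end with clicking **OK**; say which blade each one closes, or merge them. The **Value** bullet refers to the file "you downloaded" where the removed text said "you extracted earlier"; use the wording that matches the earlier steps of the procedure.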
diff --git a/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
index 1a162b7913..9710d5a35b 100644
--- a/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
@@ -80,10 +80,10 @@ For example: netsh winhttp set proxy 10.0.0.6:8080
## Enable access to Windows Defender ATP service URLs in the proxy server
If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service in port 80 and 443:
-Primary Domain Controller | .Microsoft.com DNS record
+Service location | .Microsoft.com DNS record
:---|:---
- US |```*.blob.core.windows.net``` ```crl.microsoft.com``` ```us.vortex-win.data.microsoft.com``` ```winatp-gw-cus.microsoft.com``` ```winatp-gw-eus.microsoft.com```
-Europe |```*.blob.core.windows.net``` ```crl.microsoft.com``` ```eu.vortex-win.data.microsoft.com``` ```winatp-gw-neu.microsoft.com``` ```winatp-gw-weu.microsoft.com```
+ US |```*.blob.core.windows.net``` ```crl.microsoft.com``` ```ctldl.windowsupdate.com``` ```us.vortex-win.data.microsoft.com``` ```winatp-gw-cus.microsoft.com``` ```winatp-gw-eus.microsoft.com```
+Europe |```*.blob.core.windows.net``` ```crl.microsoft.com``` ```ctldl.windowsupdate.com``` ```eu.vortex-win.data.microsoft.com``` ```winatp-gw-neu.microsoft.com``` ```winatp-gw-weu.microsoft.com```
If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the above listed URLs.
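Review bot: The renamed header row still labels the second column ".Microsoft.com DNS record", but the added `ctldl.windowsupdate.com` is not under microsoft.com, and neither is the existing `*.blob.core.windows.net`. Rename the column to something neutral such as "DNS record" so that an admin building a proxy allow list from this table does not assume a single domain suffix covers every entry.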
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-create-profile.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-create-profile.png
index 9c41b16d73..7bb3ec3bb5 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-create-profile.png and b/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-create-profile.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-device-config.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-device-config.png
index 4d1885054b..acf42ec448 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-device-config.png and b/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-device-config.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-custom-oma-uri.png b/windows/threat-protection/windows-defender-atp/images/atp-custom-oma-uri.png
new file mode 100644
index 0000000000..614424a2ae
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-custom-oma-uri.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-intune-assignments.png b/windows/threat-protection/windows-defender-atp/images/atp-intune-assignments.png
new file mode 100644
index 0000000000..11c2bf608b
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-intune-assignments.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-intune-configure.png b/windows/threat-protection/windows-defender-atp/images/atp-intune-configure.png
new file mode 100644
index 0000000000..90f5b5b557
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-intune-configure.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-intune-create-policy.png b/windows/threat-protection/windows-defender-atp/images/atp-intune-create-policy.png
new file mode 100644
index 0000000000..3e486c0565
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-intune-create-policy.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-intune-custom.png b/windows/threat-protection/windows-defender-atp/images/atp-intune-custom.png
new file mode 100644
index 0000000000..c846a207df
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-intune-custom.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-intune-group.png b/windows/threat-protection/windows-defender-atp/images/atp-intune-group.png
new file mode 100644
index 0000000000..345a260612
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-intune-group.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-intune-save-deployment.png b/windows/threat-protection/windows-defender-atp/images/atp-intune-save-deployment.png
new file mode 100644
index 0000000000..e71db86d17
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-intune-save-deployment.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-oma-uri-values.png b/windows/threat-protection/windows-defender-atp/images/atp-oma-uri-values.png
new file mode 100644
index 0000000000..bad96b9438
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-oma-uri-values.png differ
diff --git a/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
index a36ea1a0a9..78c0d14437 100644
--- a/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
@@ -26,9 +26,9 @@ The **Machines list** shows a list of the machines in your network, the domain o
Use the Machines list in these main scenarios:
-- **During onboarding**
+- **During onboarding**
During the onboarding process, the **Machines list** is gradually populated with endpoints as they begin to report sensor data. Use this view to track your onboarded endpoints as they come online. Sort and filter by time of last report, **Active malware category**, or **Sensor health state**, or download the complete endpoint list as a CSV file for offline analysis.
-- **Day-to-day work**
+- **Day-to-day work**
The **Machines list** enables easy identification of machines most at risk in a glance. High-risk machines have the greatest number and highest-severity alerts; **Sensor health state** provides another dimension to rank machines. Sorting machines by **Active alerts**, and then by **Sensor health state** helps identify the most vulnerable machines and take action on them.
## Sort, filter, and download the list of machines from the Machines list
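Review bot: The removed and added lines for both bullets ("- **During onboarding**" and "- **Day-to-day work**") show identical text, so this is a whitespace-only change. If the intent is a trailing-space line break before the description paragraph, that is easily lost when an editor trims whitespace; indenting the description under its bullet is more robust and makes the intent visible in review.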
diff --git a/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
index 34e836f47e..2232344229 100644
--- a/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
@@ -117,10 +117,12 @@ If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the
sc qc diagtrack
```
-## Windows Defender signature updates are configured
-The Windows Defender ATP agent depends on Windows Defender’s ability to scan files and provide information about them. If Windows Defender is not the active antimalware in your organization, you may need to configure the signature updates. For more information see [Configure Windows Defender in Windows 10](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md).
+## Windows Defender Antivirus signature updates are configured
+The Windows Defender ATP agent depends on the ability of Windows Defender Antivirus to scan files and provide information about them. If Windows Defender Antivirus is not the active antimalware in your organization, you may need to configure the signature updates. For more information see [Configure Windows Defender Antivirus in Windows 10](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md).
-When Windows Defender is not the active antimalware in your organization and you use the Windows Defender ATP service, Windows Defender goes on passive mode. For more information, see the **Compatibility** section in the [Windows Defender in Windows 10 topic](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md).
+When Windows Defender Antivirus is not the active antimalware in your organization and you use the Windows Defender ATP service, Windows Defender Antivirus goes on passive mode. If your organization has disabled Windows Defender Antivirus through group policy or other methods, machines that are onboarded to Windows Defender ATP must be excluded from this group policy.
+
+For more information, see the **Compatibility** section in the [Windows Defender in Windows 10 topic](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md).
## Windows Defender Early Launch Antimalware (ELAM) driver is enabled
If you're running Windows Defender as the primary antimalware product on your endpoints, the Windows Defender ATP agent will successfully onboard.
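Review bot: The added sentence "machines that are onboarded to Windows Defender ATP must be excluded from this group policy" does not name the policy or say how the exclusion is done; name the setting so an admin can find it. The rename to Windows Defender Antivirus is also incomplete: the link text "Windows Defender in Windows 10 topic" in the added line and the ELAM context line "running Windows Defender as the primary antimalware product" still use the old name. "goes on passive mode" should read "goes into passive mode".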
diff --git a/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md b/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md
index 16465baf1b..25be0c5cdc 100644
--- a/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md
+++ b/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md
@@ -342,14 +342,14 @@ If you're running into compatibility issues where your app is incompatible with
### Manage the WIP-protection level for your enterprise data
After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode.
-We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**.
+We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Hide Overrides**.
>[!NOTE]
>For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
|Mode |Description |
|-----|------------|
-|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
+|Hide Overrides |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
|Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. |
|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.|
|Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.
After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.|
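Review bot: The table row renamed to "Hide Overrides" keeps the former Block description word for word, and neither that row nor the recommendation sentence tells the reader that this is the mode that stops the action. Add a short statement in the description that this mode blocks the action without offering an override (and, if helpful, that it was previously labelled Block), so that the name maps to the behaviour when choosing a final enforcement policy.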
diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md
index c9f5e7c9b1..f9ecc8bc12 100644
--- a/windows/whats-new/whats-new-windows-10-version-1703.md
+++ b/windows/whats-new/whats-new-windows-10-version-1703.md
@@ -1,5 +1,5 @@
---
-title: What's in Windows 10, version 1703
+title: What's new in Windows 10, version 1703
description: New and updated IT pro content about new features in Windows 10, version 1703 (also known as the Creators Updated).
keywords: ["What's new in Windows 10", "Windows 10", "creators update"]
ms.prod: w10
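Review bot: The `description` line directly below the corrected title still reads "also known as the Creators Updated"; fix it to "Creators Update" in the same change so the front matter is consistent.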
@@ -295,6 +295,37 @@ Windows 10 Mobile, version 1703 also includes the following enhancements:
- Set Ethernet port properties
- Set proxy properties for the Ethernet port
+## Miracast on existing wireless network or LAN
+
+In the Windows 10, version 1703, Microsoft has extended the ability to send a Miracast stream over a local network rather than over a direct wireless link. This functionality is based on the [Miracast over Infrastructure Connection Establishment Protocol (MS-MICE)](https://msdn.microsoft.com/library/mt796768.aspx).
+
+Miracast over Infrastructure offers a number of benefits:
+
+- Windows automatically detects when sending the video stream over this path is applicable.
+- Windows will only choose this route if the connection is over Ethernet or a secure Wi-Fi network.
+- Users do not have to change how they connect to a Miracast receiver. They use the same UX as for standard Miracast connections.
+- No changes to current wireless drivers or PC hardware are required.
+- It works well with older wireless hardware that is not optimized for Miracast over Wi-Fi Direct.
+- It leverages an existing connection which both reduces the time to connect and provides a very stable stream.
+
+
+### How it works
+
+Users attempt to connect to a Miracast receiver as they did previously. When the list of Miracast receivers is populated, Windows 10 will identify that the receiver is capable of supporting a connection over the infrastructure. When the user selects a Miracast receiver, Windows 10 will attempt to resolve the device's hostname via standard DNS, as well as via multicast DNS (mDNS). If the name is not resolvable via either DNS method, Windows 10 will fall back to establishing the Miracast session using the standard Wi-Fi direct connection.
+
+### Enabling Miracast over Infrastructure
+
+If you have a device that has been updated to Windows 10, version 1703, then you automatically have this new feature. To take advantage of it in your environment, you need to ensure the following is true within your deployment:
+
+- The device (PC, phone, or Surface Hub) needs to be running Windows 10, version 1703.
+- A Windows PC or Surface Hub can act as a Miracast over Infrastructure *receiver*. A Windows PC or phone can act as a Miracast over Infrastructure *source*.
+ - As a Miracast receiver, the PC or Surface Hub must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself.
+ - As a Miracast source, the PC or phone must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection.
+- The DNS Hostname (device name) of the device needs to be resolvable via your DNS servers. You can achieve this by either allowing your device to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the device's hostname.
+- Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection.
+
+It is important to note that Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don’t have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method.
+
## New features in related products
The following new features aren't part of Windows 10, but help you make the most of it.